Certified Canarytokens: Alerts from signed Windows binaries and Office documents

As part of a talk at the ITWeb Security Summit last week, we discussed how to trigger email alerts when file signatures are validated with our Canarytokens project. Building on that alerting primitive, we can make signed executables that alert when run or signed Office documents that alert when opened. 

Canarytokens is our exploration of lightweight ways to detect when something bad has happened on the inside of a network. (It’s not at all concerned with leaks in that dubious non-existing line referred to as “the perimeter” of a network.) We built an extensible server for receiving alerts from passive tokens that are left lying around. Tokens are our units of alerts. When a token URL is fetched or a token DNS name is queried, this triggers an alert via the Canarytokens server. With these (and other) tokens we set out to build alerts for more significant incidents.

Office Document Signatures

A security researcher, Alexey Tyurin, drew our attention to how opening signed Office documents can trigger token alerts. On opening a signed Word document, Office verifies the signature automatically with the certificate embedded in the document. A notable exception to this is when a document is opened with Protected View enabled (typically after the document is downloaded from the web or opened as an email attachment). In that case, the signature verification happens only after the user clicks to disable Protected View. During the verification, a URL from the certificate is fetched. We can set the retrieved URL to a token URL (which integrates with Canarytokens to fire an alert to us). The URL we set is in a field called Authority Information Access (AIA). This field tells the signature verifier where to fetch more information about the CA (such as intermediate CAs needed to verify the signing certificate).

[Figure: Signed document that has already triggered an alert]

Signing Word documents gives us another way to alert when the document is opened. The previous technique, which is implemented on Canarytokens, uses a remote tracking image embedded in the document. While document signing is not currently integrated in Canarytokens, it can easily be automated. This requires creating a throwaway CA with token URLs to generate a tokened signing certificate and then signing a document. Thanks to Tyurin, creating the CA is a short script. Signing the document programmatically can be tricky to get right. We've automated this by offloading the signing to the Apache POI library in a Java program.

It’s worth noting more closely how the token URL is hit: Office offloads the signature verification to the Microsoft CryptoAPI, which is what hits the URL. (In our tests the User-Agent that hits the URL is Microsoft-CryptoAPI/6.1.) We should be able to re-use this trick with other applications that offload the signature verification in this way.
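A sketch of how the token server's access log can be triaged using that User-Agent. This is an added example, not part of the original post or the Canarytokens code. The log lines, token IDs, artifact names and the assumption that the token ID is the first path segment are all constructed for illustration.

```python
import re

# Combined Log Format; token id assumed to be the first path segment.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) /(?P<token>[a-z0-9]+)/\S* HTTP/[\d.]+" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# The post observed "Microsoft-CryptoAPI/6.1"; other versions are assumed
# to follow the same pattern.
CRYPTOAPI = re.compile(r'^Microsoft-CryptoAPI/\d+(\.\d+)*$')

# Constructed mapping: token id -> the artifact it was embedded in.
TOKENS = {
    "abc123tok": "net.exe on FILESRV01",
    "def456tok": "salaries.docx on HR share",
}

# Constructed sample log lines.
SAMPLE_LOG = """\
10.1.4.23 - - [14/Jun/2016:09:12:01 +0000] "GET /abc123tok/ca.crt HTTP/1.1" 200 812 "-" "Microsoft-CryptoAPI/6.1"
10.1.4.23 - - [14/Jun/2016:09:12:02 +0000] "GET /abc123tok/ca.crt HTTP/1.1" 200 812 "-" "Microsoft-CryptoAPI/6.1"
10.1.9.77 - - [14/Jun/2016:10:03:44 +0000] "GET /def456tok/ca.crt HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.1.9.77 - - [14/Jun/2016:10:05:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def triage(log_text, tokens=TOKENS):
    """Group token hits by (token, source, kind), keeping first-seen time."""
    alerts = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["token"] not in tokens:
            continue  # not a token URL we issued
        # A CryptoAPI fetch means a Windows host validated the signature;
        # anything else is someone or something fetching the URL directly.
        kind = ("signature-validation" if CRYPTOAPI.match(m["ua"])
                else "other-fetch")
        key = (m["token"], m["ip"], kind)
        alert = alerts.setdefault(key, {
            "artifact": tokens[m["token"]], "src": m["ip"],
            "kind": kind, "first_seen": m["ts"], "hits": 0})
        alert["hits"] += 1
    return list(alerts.values())


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Repeated fetches from the same source collapse into one alert with a hit count, so a single launch that validates more than once does not produce duplicate emails.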

Windows Executables Signatures

[Figure: A signed copy of Wireshark]

If signed documents could be used to trigger Canarytokens, we wondered where else this could work. Microsoft’s Authenticode allows signing Windows PE files, such as executables and DLLs. Executable signatures are verified on launch if the setting for it is enabled in the security policy. The name of the setting is a mouthful: "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies". Our initial tests of signed .NET DLLs were able to trigger alerts when loaded by custom executables even without the setting enabled. However, if Authenticode can alert us when Windows executables have been launched, we have a uniquely useful way of knowing when binaries have been executed, without any endpoint solutions installed.

To deploy signed executables, all that is needed is to token executables that attackers routinely run, such as ipconfig.exe, whoami.exe and net.exe, to alert us to an attacker rummaging around where they shouldn’t be. Zane Lackey's highly recommended talk (and slides) on building defenses in reaction to real-world attack patterns makes the case for how alerts like these can build solid attacker detection.

The verification, just like in the Office document case, is offloaded to the Microsoft CryptoAPI. Signing certificates for the executables are produced in the same way. However, the signing certificate must also have the Code Signing key usage attribute set. Creating signed binaries is made simple by Didier Stevens’ extensive work on Authenticode. This is integrated into Canarytokens to make signing a binary as simple as uploading a copy to sign, but is also available as a standalone tool from the source.
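The certificate side of both the Office and the executable case, as an added example (not Tyurin's script or the Canarytokens code). It uses the third-party Python `cryptography` package. The token URL, the subject names and the choice to put the AIA caIssuers entry on the signing certificate are assumptions made for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import (AuthorityInformationAccessOID,
                                   ExtendedKeyUsageOID, NameOID)

# Placeholder token URL (constructed); a real one comes from your token server.
TOKEN_URL = "http://tokens.example.invalid/TOKEN-ID-PLACEHOLDER/ca.crt"

def _builder(subject_cn, issuer_cn, public_key, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=days)))

def make_tokened_chain(token_url=TOKEN_URL, code_signing=True):
    """Return (ca_cert, signing_cert, signing_key) from a throwaway CA."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = (_builder("Throwaway Token CA", "Throwaway Token CA",
                        ca_key.public_key(), days=3650)
               .add_extension(x509.BasicConstraints(ca=True, path_length=None),
                              critical=True)
               .sign(ca_key, hashes.SHA256()))
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # AIA caIssuers tells the verifier where to fetch the issuing CA's
    # certificate; pointing it at the token URL is what produces the alert.
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.CA_ISSUERS,
        x509.UniformResourceIdentifier(token_url))])
    b = (_builder("Tokened Signer", "Throwaway Token CA", key.public_key(), 365)
         .add_extension(aia, critical=False))
    if code_signing:  # the post requires this for signing executables
        b = b.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]),
            critical=False)
    return ca_cert, b.sign(ca_key, hashes.SHA256()), key

def token_surface(cert):
    """Pre-deployment check: (AIA URLs a verifier may fetch, has code-signing EKU)."""
    exts = cert.extensions
    aia = exts.get_extension_for_class(x509.AuthorityInformationAccess).value
    try:
        eku = exts.get_extension_for_class(x509.ExtendedKeyUsage).value
        signing = ExtendedKeyUsageOID.CODE_SIGNING in eku
    except x509.ExtensionNotFound:
        signing = False
    return [d.access_location.value for d in aia], signing
```

`token_surface` also works on any existing certificate loaded with `x509.load_pem_x509_certificate`, which makes it a quick audit of which URLs a signed file will cause a verifier to fetch.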

[Figure: AIA fields of a signing certificate]

To sign an executable on Canarytokens, you upload an executable to the site. The site will sign the binary with a tokened signing certificate. Simply replace the original executable with the tokened one and verify that signature verification for executables is enabled. An attacker who lands on the machine and runs the tokened executable will trigger the signature verification, which gets an alert email sent (via Canarytokens) to let you know that something bad has happened.

Many of our other canary tokens are built on top of application-specific quirks. Adobe Reader, for example, has the peculiar behaviour of pre-flighting certain DNS requests on opening a PDF file. What the Office document and executable signings point to is a more generic technique for alerting on signature (and certificate) validation. This is a more notable alerting primitive and is likely more stable than application quirks, given that URL-fetching extensions are enshrined in certificate standards. Although in this post we’ve used the technique in only two places, more may be lying in wait.

Edited 2016-06-14: Thanks to Leandro in the comments and over email, this post has been updated with his observation that Office document signature verification won't happen automatically when the document opens in Protected View.

