From 65da710044d8234f86c03563c8e0e64234a8bc1c Mon Sep 17 00:00:00 2001 From: Pieter Smit Date: Tue, 19 Nov 2024 21:50:35 +0200 Subject: [PATCH] Initial commit for the frontend of the windows fake file system token --- .../assets/token_icons/windows_fake_fs.png | Bin 0 -> 9358 bytes frontend_vue/src/components/constants.ts | 1 + frontend_vue/src/components/tokens/types.ts | 2 + .../tokens/windows_fake_fs/ActivatedToken.vue | 39 ++++++++++++++++++ .../windows_fake_fs/GenerateTokenForm.vue | 30 ++++++++++++++ .../tokens/windows_fake_fs/ManageToken.vue | 22 ++++++++++ .../tokens/windows_fake_fs/TokenDisplay.vue | 38 +++++++++++++++++ .../tokens/windows_fake_fs/howToUse.ts | 5 +++ frontend_vue/src/utils/formValidators.ts | 3 ++ frontend_vue/src/utils/tokenServices.ts | 15 +++++++ 10 files changed, 155 insertions(+) create mode 100644 frontend_vue/src/assets/token_icons/windows_fake_fs.png create mode 100644 frontend_vue/src/components/tokens/windows_fake_fs/ActivatedToken.vue create mode 100644 frontend_vue/src/components/tokens/windows_fake_fs/GenerateTokenForm.vue create mode 100644 frontend_vue/src/components/tokens/windows_fake_fs/ManageToken.vue create mode 100644 frontend_vue/src/components/tokens/windows_fake_fs/TokenDisplay.vue create mode 100644 frontend_vue/src/components/tokens/windows_fake_fs/howToUse.ts 
diff --git a/frontend_vue/src/assets/token_icons/windows_fake_fs.png b/frontend_vue/src/assets/token_icons/windows_fake_fs.png new file mode 100644 index 0000000000000000000000000000000000000000..ecd884ec121e3f2b02085860a5ecfe14af946e3d GIT binary patch literal 9358 zcmeHNXIoRx(+(<16%+xLCi(-UMnSrQfQWPq2^}KRBs6KEgGy1U3IwDZAV3Z!ROy6{ zQUrm3bZG*S-aOuv4eZdpSXQ+D>_h&{++pK-{auE)Z72PbH?3q zo0~~XAiyLbGKZ&bV|)&Qhkgw+;{lHEB&gg|NhB; zpV#w^)(&`&@hTKi!OE4!Ec(;rP!Z+*8PuHw%F$3MJXG|oA5_9Zz-)!gkHuyj|Lv{! ztBeuB-wDBuR(lrYPwp#X+t2H{g}(BSkzQA@E-V+BD#c03udjVdlH)gN^0!EyJ@e4G zGd?XYqoJH_NrNQlse9PMtJNQGRh+Dgvi&LZ=&Zan)gR!WiYp1t{-T%CYi8Bk^EX;K z2i{eLE7b&jWx#nCzb$@fXcfGIyQn3y)#rGrHgvCD9Ny%8b_iD%u%P>zV9pIFYb|rM zz?%-+rv{x68eg^Z$~U+i%>J0fvoe;KFWM)qOtDT2U#jJ(>t%a)a76X(DGPfs_$lMK zqle#HMOt?GbO4~+zf-J!u$&qu6{PFFFB2mI|B(`1>^s;+$aS5J^pJ0DkJ)IjrB^*7 z*(gy;`&XCHY}AGM_l55~^dra5ts0s{65md5&p>+71m>#L1n=(A+-f&7H95t)B-_Y^ z;U=@R<1(2Co;_f0n~){UbQ|s=M<8hEeF+mxt3hBtT09bBt2lmS_1hkTDW0*G?5&I9 ze96;et?a+N&eP5}DeScvL@nPYf~Qf+M+5;mWtLSDlSl-6?3TF1&t*BLp>m8mx{9cga%FFj zGk(C_EoF7%Q+K)gM*i28n66r?m<*+i4X&*8?SRDBbNprNRFYy!7no#?CKg}8Cv)>? 
zh9j;D+fKSKBNuz$L_~4!zn@yD@NnopoFV-pm z{!b6WIKA6uJr>FB_?~l@d!=)@pS1M7(~WwYO6&l$@dhspwhvz3S1DGPWk^y3zrwm- zXGU|t=Cw!MS1094hI||z^Y~h*kkh}jSfej?lOATNo*XM*az7sTh=8%J`qCiTR#si* z-s6EEk8EPn^b-qGqc|6C_E;-Wa=p9$9DT~*A$PBn_=8DhQ!U@Fg$jT5Gv@@}P8ZBj zKZQ@SPJ7j}h(AzvIF2sf^C0K+bIL#5E_2(ApJQz~_~BT1E)Zpn7F&K(XbJEzSQp-e z*pFDb2AQdSYtosA)Xxw4&6KOZ{+bHE%G{GZ7`t_vk#mR6*@g_dh8KZb4>(*`Cun6Sm7yeAl}!Uu ztGxRYf6&yp(GWxprF>5<% z8gpEGAZgJx*6c@xP*(GHk7dB*U9`p^YEq1){EaMHj2Y1?URK9*(O^V8Qr+T}+eP=P zk%IdrMk*5fKvB6;qzN|9WV36;BgIgqg;W-HGP~gyYJW@shdLhp!8P-SK5aD^i$MHf zY@i;iBReLjpBB@%jz%5-$SHc>>|m;hTTFqoL);@;tsj!3zQZ5hskJ`MK0h(<2L786 zyf&`+>$LW~pUO^PlFWIN3SlVU_zelJ)Jt-k6pv6Vr&LGj5~C35efaH{f4EWxV@ATr zCCUwZ)-TtI;cSZa>)g9Im0ca94IFnQNwq2F=f?_?il^K<^l@#KFcjl+QTO=lMez*v zr+eb~5;pXP34>%!jV*mhc4XRk=fXNqTH6le{icvDw~nd9huOZ;?#LK++M2Nxx$6|3 zO4K($JGg4UZT6AKXGPv6@K>JEV9(F)+y{rb9anxz-!h%M0<=6NGXjX-k%X)o?@I~c zx!^1<6L=nR5Kjr2!#x!7)oA`(vpYNpA#=0!BF93zcU_8CoP$FStXxd%FQ`7%w{{6V z+#Rg6VIvcX_;5Uhu~1C4F^`HIJt2+3Eh&^q7cxY&DAhD{{a7|3CYArR-8k3iYG9!k z*nj8za1IB=36Oay!v*a*TGD%#NdQvg1gK>`Cb+O&+(F0WCqVz*u{6?LnZfu`6b{l zpa@fR(eLUd-6}3F0+d@01I)<{Ck>N}2soZnV-dD?!c%ZK?SlL4JLj%o@F0203~3#L z=>4!O1Ea>l?92~VTK4_juEaI%A2{ILc7M#3IB}d*H|pa}EHrKpcYzdW41(k$#R$;2N@R_+Z6VOy2MaxZ z$9`hiX_pZq70JhkblvlsQZ|v(Pe=B--7ZkNvB`J&QrISAe3OX3;aQTg;nt~+=kjm6 zB({^{RDAU*O-M`X98gPk3CRV*G3w4N;+?YbQ@?uOYzmkZ;S7(M13hIjkOos2zkNd5 zeoR{1kA$qFlO=Lc=-=Nzwuc)MWYHF4B@LmzX2oialD+Yv$F4jkAAB7ilUT%|*{%@x z1b4@(oi?{DFE=mgW+i%Xy|(@GIDb(8@%HGbF#gE8H{D2*D@A@V=}W_Q^MexhaRv81 z6x|xDxGUw|Cojpl{=b!89og&oA}O72Gnlg>Cy&hF|NQs;{oNX3XtK?0W?v`j=;krc z{kll_-*^iIj#b>}Uh=iuWv!(TXRJGz+=3a-dJ{sO2DfIn>p7g-T}B_RGZNY%j#cue zQ>8I9xt?*0NQlT3jbUWg$oETz^uVm*)%W8wczA#EGf^mujxZt@&A~l=14fKkN8+rH z;=A|TdpFRw^m0`n3k0G#-z})zVu0=Gi1*bGWV=vpjAm-3Z^f~_b@U}-Y$HP_`wM8a zx5=yuG@5Y$HnzTBvlb^=txDlEE|hq;inXOb{9Y>Qx3`jB>h;Xup>@;oy)Q?QI_%go zUCPA$`G~xM)l9t<4OchbTI~rI@h7D;>b2&oLxsn&iO0$++L_X5BmD79;?nT~V!oh8 z`WDJI(j;Zj%0#Mz=@;=Dq|Bj%$!qT*png28Tq-ao!G(c{`Zu 
ze{H;cVc+=LTciEQ#jt6v+2{@Vk_-V}r2TI+9|0SZwGJB!t=}m%`Q86}=`?gUCkP+76jc^%HS+yA}p zwU&z1%(O^TeW6P8gVR%0naY17h5Fgu=|-%f0*wegSynkoHl7L3(l2$3TOU4)X9k zX_|G@x67E?eWqGS4D-w3Tx->zx+3F=m%bD*#i*y4$RPYl$nhJ&j%)i#^0Dh@qa`0J zOBrB2o=Y+CtXoiJc2fDf+F??H50*T-FEzT;1B_> z-5B^dH@Tndo#WJ$aBs9MG^UU`qBcGd{DkSawv4@l#H5vjJK$P55IA#XsnJM-GpX3dLuvvh`dA=BO0A`V7CBGn};h-xwWnYiMrW>fI30JB!}d?YIlT z_)gu!7piMIn6pLUXlZ^RQpRwO{Q_}BEqPXW|7s>m(c1jt6FML8njDF6X?wHf@M+Z^1d98?a)M}1({y(F=e-;4|)w` z`3!3}r0M`XOq!wk#Vq6&_xg2T0O=}}-K%*Dler3j@n^~t$|5};=qa{VrDa`c*0>(0 z(|=HpEZ!EWBk^L=ggu`asQ9~{jrNMZ@jsQg2q0%rB8IM_MMMx}*72k4f}7eM7pUwV z^a(jFGEMm~zWD16$%7OK=mqoIU!81`_{OMSnjF8GgZkX`Foezb^~=(nZ(#OMB_-hs zEd(Rai%wJmBAWK&M4AYn`vV_xzjx?%M7L271%t5XO1? z81gH2twqc;q6SY)N|J8b{?Vh_|;S9VeQl&$q9su(+a z&piJ}3Q=3D;Re>@?f?b=N!)TUxw}SbU1AFIZiF6VI21)J>zDfaGQ_w*3yY3Sy+0_e z_Mf}eeWg_Wc8Ta2R5K$Z48&z*;NG@3AbB<(8%fN51UK7R$+5a-fMg!0o-cpvQ>ohn z?$7!ihN+hxn9b9{ny=Y^yDrHAdU-ptsyvLU@w9R5sRoS6^WiJ(rV~8~q?;*Y{dFP* zm{sW;2>ql-|KhyRa?_f0ToeFVFdKqMUP$l~?xTOB@C^G`FV*=QMr>4jeu+s<17$@2 zg3f8o=VO#5up8my9ep1Lk~5N)v1`!FLlaMl`Ty)?B(Ud(Hu8NUu5D%%^vT`?bo*jN zy1&J;evzQ*GjHG2Zgd!=5fwx03CuI4_9tns)t&DJr%Bud^?Ox12~gww919Bixm^5n zbynXJ0@m#P#1o9@hq{tgm1Sief=MEKXt7bBZN_rT4-R{p=idlI{JTZ4)e7ndeDi-p zW3ghO8NGn)Ujx|U*!Mv4t}nKhYDW)x<6a=a2osu-kCZWD;rGIcfvo#T(IN|X$AgQQ zsQLX%DdAd+1$`Gm;RTC#NBxUVbh2M(w%z82(XDzRBM>dsfiD&Ez+@2^oewUU9Vpub0vk`o%X+P!ss*MvHZz#a7)pozc zm@`n3pec&EWwx=*Z5pmBzGiaUpUvT7&;H+)e{;jW!@jyOqn!SsFL&quolAjK#1K1%LFO-Jeg579A^kdDI)y&UanA@#d=> zYcvoMXsJ~H6{Ax$sY80OpEHU**$D8BYsj^^$#>sHbV?njvm(2;T0?F6SAuDrmYv!3 zArv6|MvJemH{m56O^d|RPCtKNYWjob(K`MB4>&)U&V^oFJIzB~70`rs*$PGxad)s| zx=dlEHdo|sMjP#NfUNJCM;(@yS!K>%HKuJxj9EkBnVQ|162cs24c8plje80J zH*9ozg^hWLrg1^oRcuEVskT(gCSVmC3!tMOQU=UTm8z>g8XyP-{IXeR`@%O35)Eb>anE$a7AzcZTBPTODG(0Hm@?P)- zr-O5m*nH+S={t3>no^<&kPJj1k~<&pHTjAIPxN(bJRKgt5_AkVWz;UP5N}zAS_Gqs zfPjuXPXyv*+&PamP8S%njC>yNMoApoEka`^%|wiEgQ2CN4W9sHi7k~0?c81_wLV%m5>p6W8Uu; zn<^n68E{W(ckP2yix3r&fG|p-=bUp4p|s0q%p!8&e3$<=@F@kcBz?O{*lSydi()BJ 
z1u2(@q82lkOP#QNa#(i^?A1Mg6yiFhH0_~`%BjG-?6P>nZ@sRUkvpfC7v3nqF8#5nxd#uYB62TQ*dwy{QT^AO8PH(k+{7JJKvxfnZckz6D5V4 z4OC%GfmT<4w~#Do=Np+ceBwk{OjqMmSWGP@-P3Syv&wXFEDYOE8CNxH%msEL858y@ z4G4}Y?*SQwfl@%SMh;m=S)N?%9FLIWGV#+yjkL%Az8Ic55f;=HJcH+QDT?m@^BnB~ z`d$i@LgyfHvt;?3P0McyCsSBgAN@CJI-0CD-^f*{%12P{i_`KKWzNR{$q6p1W}O(M zdeI4MIGJh^1^tJg_`76&?Rj{r8?^)zA@Gj?wJ1S1gq#jaNeKiws~q`=KqZZDG`g-L zTo@0j;0*>?qqgq=Yv9Og6mEc`bwlhi>ACvk421BmcGhZpyv8%<(qHRPO;~5sgPTnm z@aICB)uq%}EwCiaMe#mdAJfH8I|;3dRhW#1%r*>Yo0Vj;cq8O&4mVPmvPhi zjivE2Fw*O`OycXJvc`SNPP6*Z$Kp_-NM-5II&uDnQ(8i=Wl>yVMM@JKO=M8MzR+vh z?+Pk9DO38Xht29;Om((NG|xW5&E=Ky{JWt1{X$v6@Jlv=q~F=tbUoGAU)Epza(9T- z7ZhK;dj6vkYYS`kP;5EH7wPX}BqYD|;V9rZrd_uCwH&|DW7?4f^*(AJOYe2 zDW;#XV>_^fSS&*4Xrz)SRPk3s4QMY${AIx34=w6azeb$2{4SP`yiGsJH!G~EeT~dV z8xpZWQ-nobKH%n4@Z;d$`hc6w)qwH4zH3UxJ(mgrxKTXKIt zKIK_aO0s+sYz;i97K0FuwC_v-v{N@vO~aH?h^*eUn?h!o2?mL|HWUR9OKf-o({qjf%sI>^Gxx4b^4AazI~Y z85)Do5pOH*t+kd%BK}i5G%HGhsfaSbii^@y5Y->WM%paRTdK` zB0wVFWmDfUk4l4@hs*-#dmUSieZ+{e+CN7lQyfaBFY%(<8x9QK`H%w+*ymxDx`EW6LXY9=^ za>8yd;;q?#wZ{OVO^7(Cj!O8(l@X)zaSvCLCpCu-g$oa^d*VcP36N`i!5IAU(s98Ue^A!^1*CZlWj4@AwptQ?#;2 z6BK@0np->tCObK7wxR(3dzWWhFC{$`Q9{$!_6FPB`%x3r)zd~Ib?aT&`Rb<)&5EZu zl*g66_f3z^qO`FOECAFRRX;~(_~bQ%9bmGP8dP_>WoiMGKUs{>6SD(sO>+ybxL?^K zM3y~2D>co2By&))WbkF1QeXvhNa~iwuIWL2#|gTLr^XYGCLWK{ml%^+VPFQ>Cg@c{ zcO(VtOYO+kyIw^#c`o{3DKUrqUN(7`*ka(33j{%8QvhpwCd+tXUZCsGrGBA6oobxF zr;Ws5i!jg})4y#pzZ7*L+!A9Mjezsh!RJ z7*E_WB8;WLt^lByE8-KU=!U}|o*KI=^g|xWTO_rjlpX~$6Z%`B*|@;qL%8uv;gc~n z(2$(0Oyh$p<@qFG0U$9&?9G2gGJYYOU7h22Aps!!3)f{y7|2t1LstT`&`!st4+1IYKEV?@`y=|FGHu*`krQ3whf{0_9rjj$ar#8)MErx`QB zJd{wUd~~ba*qH`V%qG606rk(G;?)V@Aml5-#Q!y*ySuN7LmgBWfJ>->jLK)}S% zC+|qZYp2sB;;BGY71NvR`BmF+T_Gr&z+v-*)2zHmMCP-_Gf-g0?#KjMN7v~PzIQ+m zil)VWnc&kBjD<;k#QM+CpKM>96uVShv0~`|A}g3IK6*L{Mx0{g2_;Z7+AJ4iapSx#S@q3N z?C=C6%n<6V!?X!7wMKZK3Y^%gZ0O|k1CW3=5oQu_Zm43kkzzrl1>kDBC_VZitdyAn z21Dx?E2DMZf0Xkw^YJS(r5`rAZ<;9CuQm{-u)l35LRaZ literal 0 HcmV?d00001 
diff --git a/frontend_vue/src/components/constants.ts b/frontend_vue/src/components/constants.ts
index b9bf5a716..c7144df4a 100644
--- a/frontend_vue/src/components/constants.ts
+++ b/frontend_vue/src/components/constants.ts
@@ -20,6 +20,7 @@ export const TOKENS_TYPE = {
 FAST_REDIRECT: 'fast_redirect',
 SLOW_REDIRECT: 'slow_redirect',
 SENSITIVE_CMD: 'cmd',
+ WINDOWS_FAKE_FS: 'windows_fake_fs',
 AZURE_ID: 'azure_id',
 MICROSOFT_EXCEL: 'ms_excel',
 MICROSOFT_WORD: 'ms_word',
diff --git a/frontend_vue/src/components/tokens/types.ts b/frontend_vue/src/components/tokens/types.ts
index 96be7c4c8..5d87f5897 100644
--- a/frontend_vue/src/components/tokens/types.ts
+++ b/frontend_vue/src/components/tokens/types.ts
@@ -61,6 +61,8 @@ type CanaryDropType = {
 browser_scanner_enabled: boolean;
 wg_key: string;
 cmd_process: string;
+ windows_fake_fs_root: string;
+ windows_fake_fs_file_structure: string;
 slack_api_key: string;
 cc_id: string;
 cc_kind: string;
diff --git a/frontend_vue/src/components/tokens/windows_fake_fs/ActivatedToken.vue b/frontend_vue/src/components/tokens/windows_fake_fs/ActivatedToken.vue
new file mode 100644
index 000000000..f93ca4757
--- /dev/null
+++ b/frontend_vue/src/components/tokens/windows_fake_fs/ActivatedToken.vue
@@ -0,0 +1,39 @@ + + +
diff --git a/frontend_vue/src/components/tokens/windows_fake_fs/GenerateTokenForm.vue b/frontend_vue/src/components/tokens/windows_fake_fs/GenerateTokenForm.vue
new file mode 100644
index 000000000..9b2d1a469
--- /dev/null
+++ b/frontend_vue/src/components/tokens/windows_fake_fs/GenerateTokenForm.vue
@@ -0,0 +1,30 @@ + + +
diff --git a/frontend_vue/src/components/tokens/windows_fake_fs/ManageToken.vue b/frontend_vue/src/components/tokens/windows_fake_fs/ManageToken.vue
new file mode 100644
index 000000000..f40807ff4
--- /dev/null
+++ b/frontend_vue/src/components/tokens/windows_fake_fs/ManageToken.vue
@@ -0,0 +1,22 @@ + + +
diff --git a/frontend_vue/src/components/tokens/windows_fake_fs/TokenDisplay.vue b/frontend_vue/src/components/tokens/windows_fake_fs/TokenDisplay.vue
new file mode 100644
index 000000000..ef71b3bc1
--- /dev/null
+++ b/frontend_vue/src/components/tokens/windows_fake_fs/TokenDisplay.vue
@@ -0,0 +1,38 @@ + + +
diff --git a/frontend_vue/src/components/tokens/windows_fake_fs/howToUse.ts b/frontend_vue/src/components/tokens/windows_fake_fs/howToUse.ts
new file mode 100644
index 000000000..9e93f588a
--- /dev/null
+++ b/frontend_vue/src/components/tokens/windows_fake_fs/howToUse.ts
@@ -0,0 +1,5 @@
+export const howToUse = [
+ "Create a path to for us to create an empty folder, it can be C:\Secrets or C:\Users\thinkst\Documents\MySecretFiles",
+ "Then we'll create scheduled task that runs when you logon, and creates several files there",
+ "When an attacker opens or copies these files you will get an alert",
+];
diff --git a/frontend_vue/src/utils/formValidators.ts b/frontend_vue/src/utils/formValidators.ts
index 9d7980990..da785ab75 100644
--- a/frontend_vue/src/utils/formValidators.ts
+++ b/frontend_vue/src/utils/formValidators.ts
@@ -85,6 +85,9 @@ export const formValidators: ValidateSchemaType = {
 }),
 }),
 },
+ [TOKENS_TYPE.WINDOWS_FAKE_FS]: {
+ schema: Yup.object().shape(validationNotificationSettings),
+ },
 [TOKENS_TYPE.MICROSOFT_EXCEL]: {
 schema: Yup.object().shape(validationNotificationSettings),
 },
diff --git a/frontend_vue/src/utils/tokenServices.ts b/frontend_vue/src/utils/tokenServices.ts
index 387c0a10e..e56e02080 100644
--- a/frontend_vue/src/utils/tokenServices.ts
+++ b/frontend_vue/src/utils/tokenServices.ts
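Review bot: The first string in howToUse.ts is a double-quoted literal, so its single backslashes are parsed as escape sequences: `\t` in `C:\Users\thinkst` becomes a tab and `\S`, `\U`, `\D`, `\M` are reduced to the bare letter, which means the user is shown `C:Secrets` and `C:Users<tab>hinkstDocumentsMySecretFiles` instead of the intended Windows paths. Double the backslashes (or switch to String.raw), and while touching the line drop the stray "to" in "a path to for us": `"Create a path for us to create an empty folder, it can be C:\\Secrets or C:\\Users\\thinkst\\Documents\\MySecretFiles",`. The second entry also reads better as "Then we'll create a scheduled task that runs when you log on, and creates several files there".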
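Review bot: The new `[TOKENS_TYPE.WINDOWS_FAKE_FS]` entry in formValidators.ts validates only the notification settings, yet the same commit adds `windows_fake_fs_root` and `windows_fake_fs_file_structure` to CanaryDropType and the how-to text asks the user for a folder path, so if GenerateTokenForm collects that path (its body is not visible on this page) it reaches the backend with no client-side check at all. Assuming `validationNotificationSettings` is a plain field map, as its use in `.shape()` suggests, the root path can be required in place: `schema: Yup.object().shape({ ...validationNotificationSettings, windows_fake_fs_root: Yup.string().required('A folder path is required') }),`. Whatever the form does, the server must still treat the path as untrusted input; this only gives the user an early error.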
@@ -180,6 +180,21 @@ export const tokenServices: TokenServicesType = { category: TOKEN_CATEGORY.MICROSOFT, keywords: ['windows', 'cmd'] }, + [TOKENS_TYPE.WINDOWS_FAKE_FS]: { + label: 'Windows Fake File System', + description: 'Get an alert when a attacker accesses a file in the fake file system.', + documentationLink: + 'https://docs.canarytokens.org/guide/TBD.html', + icon: `${TOKENS_TYPE.WINDOWS_FAKE_FS}.png`, + instruction: '', + howItWorksInstructions: [ + 'We give you a Powershell script.', + 'You run the script to configure the fake file system on your machine.', + 'We send you an alert if an attacker opens or copies a file.', + ], + category: TOKEN_CATEGORY.MICROSOFT, + keywords: ['windows', 'windows_fake_fs', 'fake', 'file'] + }, [TOKENS_TYPE.WEB_IMAGE]: { label: 'Web image', description: 'Get an alert when an image you upload to us is viewed.',
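Review bot: The new WINDOWS_FAKE_FS entry in tokenServices.ts ships a `documentationLink` of `'https://docs.canarytokens.org/guide/TBD.html'`, which is a placeholder that will be rendered as a live link and return a 404 for every user of this token type, so it should point at an existing guide page or be omitted until the page exists. The `description` also has a grammar slip: `description: 'Get an alert when an attacker accesses a file in the fake file system.',`. `instruction: ''` is left empty; if the type permits it, leaving the key out is clearer than an empty string that the UI may still render.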