
Honeypot Canaries

A honeypot canary is a decoy file that looks like a sensitive resource (AWS credentials, an SSH key, a .env file). No legitimate process ever reads it, so any open of the file is treated as a critical alert.

What the agent places

Default on Linux:

/root/.aws/credentials-backup
/root/.ssh/id_rsa.monsys-backup
/etc/monsys/.canary
/tmp/passwords-backup.txt

On Windows:

C:\ProgramData\monsys\canary.txt
C:\ProgramData\aws\credentials.bak
C:\Windows\Temp\admin-creds.txt

The content looks like real credentials but uses clearly fictional values (for example the AWS documentation sample key AKIAIOSFODNN7EXAMPLE). Whoever tries to use them gains no access; the value of the canary is the alert, not the secret.

Detection

  • Linux — an inotify watch on every canary. A read, write or delete event triggers a honeypot_event payload to the hub. Only an actual open of the file fires the watch (a stat or a directory listing does not), and an inotify event carries no PID, so the process fields in the alert cannot come from inotify alone.
  • Windows — ReadDirectoryChangesW on the directories that contain the canaries.
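The Linux mechanism above, as an added example that is not monsys's own agent code: it drops a decoy AWS credentials file with the fictional key the page mentions, watches it with inotify through ctypes, and turns every event into an alert payload. The payload field names (type, host, path, actions, severity, ts) are this example's own assumptions, not the hub's schema. The watcher itself only runs on Linux; the event parser and payload builder run anywhere.

```python
"""Canary watcher (example code, not monsys's agent): place decoy files,
watch them with inotify, emit an alert payload on any access."""
import ctypes
import ctypes.util
import json
import os
import socket
import struct
import time

# inotify mask bits, values from <sys/inotify.h>
IN_ACCESS = 0x00000001
IN_MODIFY = 0x00000002
IN_ATTRIB = 0x00000004
IN_OPEN = 0x00000020
IN_DELETE_SELF = 0x00000400
IN_MOVE_SELF = 0x00000800
IN_IGNORED = 0x00008000          # kernel dropped the watch (file deleted/unmounted)

# Every event that means "someone touched the canary"; stat() fires none of these.
CANARY_MASK = IN_ACCESS | IN_MODIFY | IN_ATTRIB | IN_OPEN | IN_DELETE_SELF | IN_MOVE_SELF
ACTION_NAMES = [(IN_OPEN, "open"), (IN_ACCESS, "read"), (IN_MODIFY, "write"),
                (IN_ATTRIB, "attrib"), (IN_DELETE_SELF, "delete"), (IN_MOVE_SELF, "move")]

# Fictional credentials: the AWS documentation sample key pair, never valid anywhere.
FAKE_AWS_CREDENTIALS = ("[default]\n"
                        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")

# struct inotify_event header: int wd; uint32 mask; uint32 cookie; uint32 len; then name[len]
EVENT_HDR = struct.Struct("iIII")


def write_canary(path, content=FAKE_AWS_CREDENTIALS):
    """Place a decoy file, mode 0600 so it looks like a real secret. Returns the path."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)
    return path


def parse_inotify_events(buf):
    """Split one read() from the inotify fd into (wd, mask, name) tuples."""
    events, off = [], 0
    while off + EVENT_HDR.size <= len(buf):
        wd, mask, _cookie, length = EVENT_HDR.unpack_from(buf, off)
        off += EVENT_HDR.size
        name = buf[off:off + length].split(b"\0", 1)[0].decode(errors="replace")
        off += length
        events.append((wd, mask, name))
    return events


def mask_to_actions(mask):
    """Human-readable list of what the mask says happened, in a fixed order."""
    return [name for bit, name in ACTION_NAMES if mask & bit]


def build_honeypot_event(path, mask, host=None, ts=None):
    """Alert payload. Field names are assumed for this example, not the hub's schema.
    No process fields here: an inotify event does not carry the accessing PID."""
    return {
        "type": "honeypot_event",
        "host": host or socket.gethostname(),
        "path": path,
        "actions": mask_to_actions(mask),
        "severity": "critical",
        "ts": time.time() if ts is None else ts,
    }


def watch_canaries(paths, emit=print):
    """Linux only: block on an inotify fd and call emit(payload) for every hit."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    fd = libc.inotify_init1(os.O_CLOEXEC)          # IN_CLOEXEC == O_CLOEXEC on Linux
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init1 failed")
    wd_to_path = {}
    for p in paths:
        wd = libc.inotify_add_watch(fd, p.encode(), CANARY_MASK)
        if wd < 0:
            raise OSError(ctypes.get_errno(), "inotify_add_watch failed for " + p)
        wd_to_path[wd] = p
    while wd_to_path:                                # exit once every canary is gone
        for wd, mask, _name in parse_inotify_events(os.read(fd, 65536)):
            if mask & IN_IGNORED:
                wd_to_path.pop(wd, None)
                continue
            emit(build_honeypot_event(wd_to_path[wd], mask))


if __name__ == "__main__":
    import sys
    # Default: drop one canary at the page's /tmp path and watch it (assumed demo path).
    targets = sys.argv[1:] or [write_canary("/tmp/passwords-backup.txt")]
    watch_canaries(targets, emit=lambda ev: print(json.dumps(ev)))
```

Run it as root on a Linux host, then `cat /tmp/passwords-backup.txt` from another shell: one open and one read event arrive, followed by delete and then IN_IGNORED if you `rm` the file, at which point the watcher exits. A real agent would resolve the process behind the event separately (fanotify or the audit subsystem report a PID; inotify does not) and would re-arm the watch after a delete instead of exiting.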

What to do when triggered

  1. Read the process_name and process_pid from the alert.
  2. Inspect the full process via Inventory → Processes on the server detail page. If it turns out to be a backup agent or malware scanner, exclude the canary paths from that tool rather than tolerating the alert.
  3. Take a memory dump (MemoryDump) before stopping the process, so that in-memory IOCs are preserved.
  4. Then consider KillProcess or IsolateNetwork via Emergency Actions.
