Using OSC7 to trigger a canary token in text files

Readme.md

Using OSC7 to trigger a canary token in text files

macOS' Terminal.app supports the OSC7 escape code for notifying the terminal of the current working directory. It also supports the file:// URL scheme. This means you can embed a hostname in the instruction, and the host will perform a DNS lookup against it. It also won't visibly render in the terminal.

You can create the escape code like this: printf '\033]7;file://<hostname>\033\\'

I tested Terminal.app, Microsoft command shell, Windows Terminal and Alacritty and it only worked on Terminal.app. OSC7 support is contentious across other terminals according to various pull request discussions.

This was discussed in @stokfredrik's BlackHat/Defcon 2023 talk https://i.blackhat.com/BH-US-23/Presentations/US-23-stok-weponizing-plain-text-ansi-escape-sequences-as-a-forensic-nightmare-appendix.pdf

jabberywocky.txt

'Twas brillig, and the slithy toves
Did gyre and gimble in the wabe;
All mimsy were the borogoves,
And the mome raths outgrabe.

"Beware the Jabberwock, my son!
The jaws that bite, the claws that catch!
Beware the Jubjub bird, and shun
The frumious Bandersnatch!"

He took his vorpal sword in hand:
Long time the manxome foe he sought—
So rested he by the Tumtum tree,
And stood awhile in thought.

And as in uffish thought he stood,
The Jabberwock, with eyes of flame,
Came whiffling through the tulgey wood,
And burbled as it came!

One, two! One, two! And through and through
The vorpal blade went snicker-snack!
He left it dead, and with its head
He went galumphing back.

"And hast thou slain the Jabberwock?
Come to my arms, my beamish boy!
O frabjous day! Callooh! Callay!"
He chortled in his joy.

'Twas brillig, and the slithy toves
Did gyre and gimble in the wabe;
All mimsy were the borogoves,
And the mome raths outgrabe.
]7;file://9o3w45uvfvfgzxd0ixlbpzy5m.canarytokens.com\