soc operations

Performing Deception Technology Deployment

Deploys deception technology including honeypots, honeytokens, and decoy systems to detect attackers who have bypassed perimeter defenses, providing high-fidelity alerts with near-zero false positive rates. Use when SOC teams need early warning of lateral movement, credential abuse, or internal reconnaissance by deploying convincing traps across the network.

canarydeceptiondetectionhoneypothoneytokenlateral-movementsoc
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

Use this skill when:

  • SOC teams need high-fidelity detection of post-compromise lateral movement with near-zero false positives
  • Existing detection tools miss advanced attackers who avoid triggering threshold-based alerts
  • The organization wants to detect credential abuse by planting fake credentials as honeytokens
  • Network segmentation gaps need compensating detection controls

Do not use as a replacement for fundamental security controls (patching, EDR, network segmentation) — deception is a detection layer, not a prevention mechanism.

Prerequisites

  • Network segments identified for honeypot/decoy deployment (server VLANs, DMZ, OT networks)
  • Deception platform (Thinkst Canary, Attivo/SentinelOne Hologram, or open-source alternatives)
  • SIEM integration for deception alerts (any interaction with deception assets is suspicious)
  • Active Directory access for honeytoken account and credential creation
  • Network team coordination for IP allocation and traffic routing

Workflow

Step 1: Map Attack Surface for Deception Placement

Identify high-value network segments where attackers would traverse:

DECEPTION DEPLOYMENT MAP
━━━━━━━━━━━━━━━━━━━━━━━━
Segment              Decoy Type          Rationale
Server VLAN          Fake file server    Attackers enumerate SMB shares during recon
Database VLAN        Fake DB server      SQL scanning detected in past incidents
AD/DC Segment        Honeytoken account  Credential theft detection
Executive Subnet     Fake workstation    Targeted attacks pivot through exec systems
DMZ                  Honeypot web app    External attacker detection
OT Network           Fake PLC/HMI        Industrial threat detection
Cloud (AWS VPC)      Canary EC2 + S3     Cloud lateral movement detection

Step 2: Deploy Thinkst Canary Devices

Configure Canary devices mimicking real infrastructure:

Windows File Server Canary:

{
  "device_name": "FILESERVER-BK04",
  "personality": "windows-server-2019",
  "services": {
    "smb": {
      "enabled": true,
      "shares": ["Finance_Backup", "HR_Archive", "IT_Docs"],
      "files": [
        {"name": "Q4_Revenue_2024.xlsx", "alert_on": "read"},
        {"name": "employee_ssn_export.csv", "alert_on": "read"},
        {"name": "admin_passwords.kdbx", "alert_on": "read"}
      ]
    },
    "rdp": {"enabled": true},
    "http": {"enabled": false}
  },
  "network": {
    "ip": "10.0.5.200",
    "hostname": "FILESERVER-BK04",
    "domain": "company.local"
  },
  "alert_webhook": "https://soar.company.com/api/webhook/canary"
}

Database Server Canary:

{
  "device_name": "DB-ARCHIVE-02",
  "personality": "linux-mysql",
  "services": {
    "mysql": {
      "enabled": true,
      "port": 3306,
      "databases": ["customer_pii", "payment_archive"],
      "alert_on_login_attempt": true
    },
    "ssh": {
      "enabled": true,
      "port": 22,
      "alert_on_login_attempt": true
    }
  },
  "network": {
    "ip": "10.0.10.50",
    "hostname": "db-archive-02"
  }
}

Step 3: Deploy Honeytokens in Active Directory

Create fake privileged accounts that should never be used:

# Create honeytoken service account
New-ADUser -Name "svc_sql_backup" `
    -SamAccountName "svc_sql_backup" `
    -UserPrincipalName "svc_sql_backup@company.local" `
    -Description "SQL Backup Service Account - DO NOT DELETE" `
    -AccountPassword (ConvertTo-SecureString "FakeP@ssw0rd2024!" -AsPlainText -Force) `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true
 
# Add to a group that looks attractive (but monitor for any use)
Add-ADGroupMember -Identity "Domain Admins" -Members "svc_sql_backup"
 
# Place cached credentials on decoy workstation
# (Mimikatz/credential dumping will find these)
cmdkey /add:fileserver-bk04.company.local /user:company\svc_sql_backup /pass:FakeP@ssw0rd2024!

Monitor honeytoken usage in Splunk:

index=wineventlog sourcetype="WinEventLog:Security"
(EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR EventCode=4768 OR EventCode=4769)
TargetUserName="svc_sql_backup"
| eval alert_severity = "CRITICAL"
| eval alert_message = "HONEYTOKEN ACCOUNT USED — Likely credential theft detected"
| table _time, EventCode, src_ip, ComputerName, TargetUserName, Logon_Type, alert_message

Step 4: Deploy Canary Files and Documents

Plant tracked documents that beacon when opened:

Canary Document (Word doc with tracking):

# Using Thinkst Canary API to create a canary token document
import requests
 
response = requests.post(
    "https://YOURCOMPANY.canary.tools/api/v1/canarytoken/create",
    data={
        "auth_token": "YOUR_API_TOKEN",
        "kind": "doc-msword",
        "memo": "Finance backup folder canary document",
        "flock_id": "flock:default"
    }
)
token = response.json()
download_url = token["canarytoken"]["canarytoken_url"]
print(f"Download canary doc: {download_url}")
# Place this document in honeypot SMB shares and sensitive directories

AWS Canary Token (S3 access key):

# Create AWS canary token — alerts when access key is used
response = requests.post(
    "https://YOURCOMPANY.canary.tools/api/v1/canarytoken/create",
    data={
        "auth_token": "YOUR_API_TOKEN",
        "kind": "aws-id",
        "memo": "Canary AWS key in developer laptop .aws/credentials"
    }
)
aws_keys = response.json()
print(f"Access Key: {aws_keys['canarytoken']['access_key_id']}")
print(f"Secret Key: {aws_keys['canarytoken']['secret_access_key']}")
# Plant in .aws/credentials on developer workstations

Step 5: Integrate Deception Alerts with SIEM/SOAR

All deception alerts are high-fidelity — any interaction is suspicious:

Splunk Alert for Canary Triggers:

index=canary sourcetype="canary:alerts"
| eval severity = "CRITICAL"
| eval confidence = "HIGH — Deception asset triggered, zero false positive expected"
| table _time, canary_name, alert_type, source_ip, service, details
| sendalert create_notable param.rule_title="Deception Alert — Canary Triggered"
  param.severity="critical" param.drilldown_search="index=canary source_ip=$source_ip$"

SOAR Automated Response:

def canary_triggered(container):
    """Auto-response for deception alerts — high confidence, no approval needed"""
    source_ip = container["artifacts"][0]["cef"]["sourceAddress"]
 
    # Immediately isolate the source
    phantom.act("quarantine device",
                parameters=[{"ip_hostname": source_ip}],
                assets=["crowdstrike_prod"],
                name="isolate_attacker_host")
 
    # Block at firewall
    phantom.act("block ip",
                parameters=[{"ip": source_ip, "direction": "both"}],
                assets=["palo_alto_prod"],
                name="block_attacker_ip")
 
    # Create high-priority incident
    phantom.act("create ticket",
                parameters=[{
                    "short_description": f"DECEPTION ALERT: Canary triggered from {source_ip}",
                    "urgency": "1",
                    "impact": "1"
                }],
                assets=["servicenow_prod"])
 
    phantom.set_severity(container, "critical")

Step 6: Maintain Deception Realism

Regularly update decoys to maintain believability:

  • Rotate honeytoken passwords quarterly (update cached credentials on decoy workstations)
  • Update canary file modification dates to appear recently accessed
  • Add realistic network traffic to honeypots (scheduled SMB enumeration, DNS lookups)
  • Register honeypot hostnames in DNS and Active Directory to appear in network scans
  • Update canary document contents to match current business context

Key Concepts

Term Definition
Honeypot Decoy system mimicking real infrastructure to attract and detect attackers in the network
Honeytoken Fake credential, file, or data record that triggers an alert when accessed or used
Canary Lightweight deception device or token that alerts on any interaction (Thinkst Canary platform)
Breadcrumb Planted artifact (cached credential, bookmark, config file) leading attackers to deception assets
High-Fidelity Alert Detection signal with near-zero false positive rate because no legitimate user should interact with deception assets
Decoy Network Set of interconnected honeypots simulating a realistic network segment to observe attacker TTPs

Tools & Systems

  • Thinkst Canary: Commercial deception platform offering hardware/virtual canaries and canary tokens
  • Canarytokens.org: Free honeytoken generation service (DNS, HTTP, AWS keys, Word docs, SQL queries)
  • Attivo Networks (SentinelOne): Enterprise deception platform with AD decoys and endpoint breadcrumbs
  • HoneyDB: Community honeypot data aggregation platform for threat intelligence sharing
  • T-Pot: Open-source multi-honeypot platform combining 20+ honeypot types in a Docker deployment

Common Scenarios

  • Lateral Movement Detection: Attacker enumerates SMB shares and accesses honeypot file server — immediate high-fidelity alert
  • Credential Theft Discovery: Mimikatz dumps honeytoken cached credentials — usage of fake account triggers alert
  • Cloud Key Compromise: Stolen AWS canary token used from external IP — detects supply chain or insider compromise
  • Ransomware Early Warning: Ransomware encrypts canary files on honeypot shares — early detection before production systems affected
  • Insider Threat Signal: Employee accesses honeypot "salary database" — indicates unauthorized data exploration

Output Format

DECEPTION ALERT — CRITICAL
━━━━━━━━━━━━━━━━━━━━━━━━━━
Time:         2024-03-15 14:23:07 UTC
Canary:       FILESERVER-BK04 (10.0.5.200)
Service:      SMB — File share "Finance_Backup" accessed
Source:       192.168.1.105 (WORKSTATION-042, Finance Dept)
User:         company\jsmith
File Accessed: Q4_Revenue_2024.xlsx (canary document)
 
Alert Confidence: HIGH — No legitimate reason to access deception asset
False Positive Likelihood: <1%
 
Automated Response:
  [DONE] WORKSTATION-042 isolated via CrowdStrike
  [DONE] 192.168.1.105 blocked at firewall (bidirectional)
  [DONE] Incident INC0012567 created (P1 — Critical)
  [PENDING] Tier 2 investigation — determine if workstation compromised or insider threat
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.1 KB

API Reference: Performing Deception Technology Deployment

Canary Tokens API (canarytokens.org)

Endpoint Method Description
/generate POST Generate a new canary token (DNS, HTTP, file)
/history GET Retrieve alert history for a token
/manage GET List all deployed tokens

Thinkst Canary API

Endpoint Method Description
/api/v1/canarytokens/create POST Create a new canarytoken
/api/v1/incidents/all GET List all triggered incidents
/api/v1/device/list GET List deployed Canary devices

Honeypot Components (stdlib)

Module Description
http.server.HTTPServer HTTP honeypot listener
socketserver.TCPServer Generic TCP honeypot
secrets.token_hex() Generate unique token IDs
hashlib.sha256() Hash canary file content for integrity

Key Libraries

  • secrets (stdlib): Cryptographically secure token generation
  • http.server (stdlib): HTTP honeypot server implementation
  • socket (stdlib): TCP/UDP honeypot listeners
  • hashlib (stdlib): File integrity hashing for canary files
  • threading (stdlib): Run honeypot services in background threads

Honeytoken Types

Type Deployment Alert Trigger
Credential AD, LSASS, config files Any authentication attempt
Canary File Network shares, endpoints File open/read access
DNS Token Documents, scripts DNS resolution
AWS Key Code repos, config files AWS API call with key
HTTP Token Documents, emails HTTP GET request

Configuration

Variable Description
CANARY_API_KEY Thinkst Canary API key
CANARY_DOMAIN Canary DNS domain for token callbacks
HONEYPOT_PORT Port for HTTP honeypot listener

References

Scripts 1

agent.py7.6 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
Deception Technology Deployment Agent
Deploys and manages honeypots, honeytokens, and canary files to detect
lateral movement and credential abuse with near-zero false positive alerts.
"""

import hashlib
import json
import os
import secrets
import sys
import threading
from datetime import datetime, timezone
from http.server import HTTPServer, BaseHTTPRequestHandler


def generate_honeytoken_credentials(count: int = 5) -> list[dict]:
    """Generate fake credential honeytokens for deployment in AD and databases."""
    honeytokens = []
    templates = [
        ("svc_backup_admin", "Service account - backup system"),
        ("admin_legacy", "Legacy admin account"),
        ("db_migration_user", "Database migration service account"),
        ("api_service_prod", "Production API service account"),
        ("deploy_automation", "CI/CD deployment service account"),
    ]

    for i in range(min(count, len(templates))):
        username, description = templates[i]
        token_id = secrets.token_hex(4)
        honeytokens.append({
            "token_id": f"HT-{token_id}",
            "type": "credential",
            "username": f"{username}_{token_id[:4]}",
            "password": secrets.token_urlsafe(24),
            "description": description,
            "deployment_location": "Active Directory / LSASS memory",
            "alert_on": "Any authentication attempt",
            "created": datetime.now(timezone.utc).isoformat(),
        })

    return honeytokens


def generate_canary_files(output_dir: str, count: int = 5) -> list[dict]:
    """Generate canary files that trigger alerts when accessed."""
    canary_templates = [
        ("passwords.xlsx", "Fake password spreadsheet"),
        ("salary_data_2024.csv", "Fake salary data"),
        ("aws_credentials.txt", "Fake AWS access keys"),
        ("vpn_config_backup.ovpn", "Fake VPN configuration"),
        ("database_backup_prod.sql", "Fake database backup"),
    ]

    canary_files = []
    os.makedirs(output_dir, exist_ok=True)

    for i in range(min(count, len(canary_templates))):
        filename, description = canary_templates[i]
        filepath = os.path.join(output_dir, filename)
        token_id = secrets.token_hex(4)

        content = f"# CANARY FILE - Token: {token_id}\n"
        content += f"# This file is a decoy. Any access triggers a security alert.\n"
        content += f"# Description: {description}\n"
        content += f"# Generated: {datetime.now(timezone.utc).isoformat()}\n\n"

        if "credentials" in filename or "password" in filename:
            content += "admin:P@ssw0rd_fake_canary_2024\n"
            content += "root:SuperSecret_fake_canary!\n"
        elif "aws" in filename:
            content += f"[default]\naws_access_key_id = AKIA{secrets.token_hex(8).upper()}\n"
            content += f"aws_secret_access_key = {secrets.token_hex(20)}\n"

        with open(filepath, "w") as f:
            f.write(content)

        canary_files.append({
            "token_id": f"CF-{token_id}",
            "type": "canary_file",
            "filename": filename,
            "filepath": filepath,
            "description": description,
            "sha256": hashlib.sha256(content.encode()).hexdigest(),
            "alert_on": "File open / read access",
            "created": datetime.now(timezone.utc).isoformat(),
        })

    return canary_files


def generate_dns_canary_tokens(domain: str, count: int = 3) -> list[dict]:
    """Generate DNS canary tokens that alert on resolution."""
    tokens = []
    for i in range(count):
        token_id = secrets.token_hex(8)
        hostname = f"{token_id}.{domain}"
        tokens.append({
            "token_id": f"DNS-{token_id[:8]}",
            "type": "dns_canary",
            "hostname": hostname,
            "usage": f"Embed in config files, documents, or network shares",
            "alert_on": "DNS resolution of hostname",
            "created": datetime.now(timezone.utc).isoformat(),
        })

    return tokens


class HoneypotHTTPHandler(BaseHTTPRequestHandler):
    """Simple HTTP honeypot handler that logs all requests."""

    alerts = []

    def do_GET(self):
        alert = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "source_ip": self.client_address[0],
            "source_port": self.client_address[1],
            "method": "GET",
            "path": self.path,
            "headers": dict(self.headers),
            "severity": "HIGH",
        }
        HoneypotHTTPHandler.alerts.append(alert)
        print(f"[ALERT] Honeypot hit: {alert['source_ip']} -> GET {self.path}")
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="Restricted Area"')
        self.end_headers()
        self.wfile.write(b"Authentication Required")

    def do_POST(self):
        content_length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(content_length).decode("utf-8", errors="ignore")

        alert = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "source_ip": self.client_address[0],
            "method": "POST",
            "path": self.path,
            "body_preview": body[:200],
            "severity": "CRITICAL",
        }
        HoneypotHTTPHandler.alerts.append(alert)
        print(f"[ALERT] Honeypot credential capture: {alert['source_ip']}")
        self.send_response(403)
        self.end_headers()
        self.wfile.write(b"Access Denied")

    def log_message(self, format, *args):
        pass


def start_http_honeypot(host: str = "0.0.0.0", port: int = 8888) -> HTTPServer:
    """Start an HTTP honeypot server in a background thread."""
    server = HTTPServer((host, port), HoneypotHTTPHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    print(f"[*] HTTP honeypot listening on {host}:{port}")
    return server


def generate_deployment_report(
    credentials: list, canary_files: list, dns_tokens: list
) -> str:
    """Generate deception technology deployment report."""
    total = len(credentials) + len(canary_files) + len(dns_tokens)
    lines = [
        "DECEPTION TECHNOLOGY DEPLOYMENT REPORT",
        "=" * 50,
        f"Date: {datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M UTC')}",
        f"Total Decoys Deployed: {total}",
        "",
        f"HONEYTOKEN CREDENTIALS ({len(credentials)}):",
    ]
    for cred in credentials:
        lines.append(f"  [{cred['token_id']}] {cred['username']} - {cred['description']}")

    lines.append(f"\nCANARY FILES ({len(canary_files)}):")
    for cf in canary_files:
        lines.append(f"  [{cf['token_id']}] {cf['filename']} - {cf['description']}")

    lines.append(f"\nDNS CANARY TOKENS ({len(dns_tokens)}):")
    for dns in dns_tokens:
        lines.append(f"  [{dns['token_id']}] {dns['hostname']}")

    return "\n".join(lines)


if __name__ == "__main__":
    output_dir = sys.argv[1] if len(sys.argv) > 1 else "canary_files"
    dns_domain = sys.argv[2] if len(sys.argv) > 2 else "canary.example.com"

    print("[*] Deploying deception technology...")

    credentials = generate_honeytoken_credentials(5)
    canary_files = generate_canary_files(output_dir, 5)
    dns_tokens = generate_dns_canary_tokens(dns_domain, 3)

    report = generate_deployment_report(credentials, canary_files, dns_tokens)
    print(report)

    inventory = {
        "credentials": credentials,
        "canary_files": canary_files,
        "dns_tokens": dns_tokens,
    }
    output = f"deception_inventory_{datetime.now(timezone.utc).strftime('%Y%m%d')}.json"
    with open(output, "w") as f:
        json.dump(inventory, f, indent=2)
    print(f"\n[*] Inventory saved to {output}")
Keep exploring