npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
Use this skill when:
- SOC teams need high-fidelity detection of post-compromise lateral movement with near-zero false positives
- Existing detection tools miss advanced attackers who avoid triggering threshold-based alerts
- The organization wants to detect credential abuse by planting fake credentials as honeytokens
- Network segmentation gaps need compensating detection controls
Do not use as a replacement for fundamental security controls (patching, EDR, network segmentation) — deception is a detection layer, not a prevention mechanism.
Prerequisites
- Network segments identified for honeypot/decoy deployment (server VLANs, DMZ, OT networks)
- Deception platform (Thinkst Canary, Attivo/SentinelOne Hologram, or open-source alternatives)
- SIEM integration for deception alerts (any interaction with deception assets is suspicious)
- Active Directory access for honeytoken account and credential creation
- Network team coordination for IP allocation and traffic routing
Workflow
Step 1: Map Attack Surface for Deception Placement
Identify high-value network segments where attackers would traverse:
DECEPTION DEPLOYMENT MAP
━━━━━━━━━━━━━━━━━━━━━━━━
Segment Decoy Type Rationale
Server VLAN Fake file server Attackers enumerate SMB shares during recon
Database VLAN Fake DB server SQL scanning detected in past incidents
AD/DC Segment Honeytoken account Credential theft detection
Executive Subnet Fake workstation Targeted attacks pivot through exec systems
DMZ Honeypot web app External attacker detection
OT Network Fake PLC/HMI Industrial threat detection
Cloud (AWS VPC) Canary EC2 + S3 Cloud lateral movement detectionStep 2: Deploy Thinkst Canary Devices
Configure Canary devices mimicking real infrastructure:
Windows File Server Canary:
{
"device_name": "FILESERVER-BK04",
"personality": "windows-server-2019",
"services": {
"smb": {
"enabled": true,
"shares": ["Finance_Backup", "HR_Archive", "IT_Docs"],
"files": [
{"name": "Q4_Revenue_2024.xlsx", "alert_on": "read"},
{"name": "employee_ssn_export.csv", "alert_on": "read"},
{"name": "admin_passwords.kdbx", "alert_on": "read"}
]
},
"rdp": {"enabled": true},
"http": {"enabled": false}
},
"network": {
"ip": "10.0.5.200",
"hostname": "FILESERVER-BK04",
"domain": "company.local"
},
"alert_webhook": "https://soar.company.com/api/webhook/canary"
}Database Server Canary:
{
"device_name": "DB-ARCHIVE-02",
"personality": "linux-mysql",
"services": {
"mysql": {
"enabled": true,
"port": 3306,
"databases": ["customer_pii", "payment_archive"],
"alert_on_login_attempt": true
},
"ssh": {
"enabled": true,
"port": 22,
"alert_on_login_attempt": true
}
},
"network": {
"ip": "10.0.10.50",
"hostname": "db-archive-02"
}
}Step 3: Deploy Honeytokens in Active Directory
Create fake privileged accounts that should never be used:
# Create honeytoken service account
New-ADUser -Name "svc_sql_backup" `
-SamAccountName "svc_sql_backup" `
-UserPrincipalName "svc_sql_backup@company.local" `
-Description "SQL Backup Service Account - DO NOT DELETE" `
-AccountPassword (ConvertTo-SecureString "FakeP@ssw0rd2024!" -AsPlainText -Force) `
-Enabled $true `
-PasswordNeverExpires $true `
-CannotChangePassword $true
# Add to a group that looks attractive (but monitor for any use)
Add-ADGroupMember -Identity "Domain Admins" -Members "svc_sql_backup"
# Place cached credentials on decoy workstation
# (Mimikatz/credential dumping will find these)
cmdkey /add:fileserver-bk04.company.local /user:company\svc_sql_backup /pass:FakeP@ssw0rd2024!Monitor honeytoken usage in Splunk:
index=wineventlog sourcetype="WinEventLog:Security"
(EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR EventCode=4768 OR EventCode=4769)
TargetUserName="svc_sql_backup"
| eval alert_severity = "CRITICAL"
| eval alert_message = "HONEYTOKEN ACCOUNT USED — Likely credential theft detected"
| table _time, EventCode, src_ip, ComputerName, TargetUserName, Logon_Type, alert_messageStep 4: Deploy Canary Files and Documents
Plant tracked documents that beacon when opened:
Canary Document (Word doc with tracking):
# Using Thinkst Canary API to create a canary token document
import requests
response = requests.post(
"https://YOURCOMPANY.canary.tools/api/v1/canarytoken/create",
data={
"auth_token": "YOUR_API_TOKEN",
"kind": "doc-msword",
"memo": "Finance backup folder canary document",
"flock_id": "flock:default"
}
)
token = response.json()
download_url = token["canarytoken"]["canarytoken_url"]
print(f"Download canary doc: {download_url}")
# Place this document in honeypot SMB shares and sensitive directoriesAWS Canary Token (S3 access key):
# Create AWS canary token — alerts when access key is used
response = requests.post(
"https://YOURCOMPANY.canary.tools/api/v1/canarytoken/create",
data={
"auth_token": "YOUR_API_TOKEN",
"kind": "aws-id",
"memo": "Canary AWS key in developer laptop .aws/credentials"
}
)
aws_keys = response.json()
print(f"Access Key: {aws_keys['canarytoken']['access_key_id']}")
print(f"Secret Key: {aws_keys['canarytoken']['secret_access_key']}")
# Plant in .aws/credentials on developer workstationsStep 5: Integrate Deception Alerts with SIEM/SOAR
All deception alerts are high-fidelity — any interaction is suspicious:
Splunk Alert for Canary Triggers:
index=canary sourcetype="canary:alerts"
| eval severity = "CRITICAL"
| eval confidence = "HIGH — Deception asset triggered, zero false positive expected"
| table _time, canary_name, alert_type, source_ip, service, details
| sendalert create_notable param.rule_title="Deception Alert — Canary Triggered"
param.severity="critical" param.drilldown_search="index=canary source_ip=$source_ip$"SOAR Automated Response:
def canary_triggered(container):
"""Auto-response for deception alerts — high confidence, no approval needed"""
source_ip = container["artifacts"][0]["cef"]["sourceAddress"]
# Immediately isolate the source
phantom.act("quarantine device",
parameters=[{"ip_hostname": source_ip}],
assets=["crowdstrike_prod"],
name="isolate_attacker_host")
# Block at firewall
phantom.act("block ip",
parameters=[{"ip": source_ip, "direction": "both"}],
assets=["palo_alto_prod"],
name="block_attacker_ip")
# Create high-priority incident
phantom.act("create ticket",
parameters=[{
"short_description": f"DECEPTION ALERT: Canary triggered from {source_ip}",
"urgency": "1",
"impact": "1"
}],
assets=["servicenow_prod"])
phantom.set_severity(container, "critical")Step 6: Maintain Deception Realism
Regularly update decoys to maintain believability:
- Rotate honeytoken passwords quarterly (update cached credentials on decoy workstations)
- Update canary file modification dates to appear recently accessed
- Add realistic network traffic to honeypots (scheduled SMB enumeration, DNS lookups)
- Register honeypot hostnames in DNS and Active Directory to appear in network scans
- Update canary document contents to match current business context
Key Concepts
| Term | Definition |
|---|---|
| Honeypot | Decoy system mimicking real infrastructure to attract and detect attackers in the network |
| Honeytoken | Fake credential, file, or data record that triggers an alert when accessed or used |
| Canary | Lightweight deception device or token that alerts on any interaction (Thinkst Canary platform) |
| Breadcrumb | Planted artifact (cached credential, bookmark, config file) leading attackers to deception assets |
| High-Fidelity Alert | Detection signal with near-zero false positive rate because no legitimate user should interact with deception assets |
| Decoy Network | Set of interconnected honeypots simulating a realistic network segment to observe attacker TTPs |
Tools & Systems
- Thinkst Canary: Commercial deception platform offering hardware/virtual canaries and canary tokens
- Canarytokens.org: Free honeytoken generation service (DNS, HTTP, AWS keys, Word docs, SQL queries)
- Attivo Networks (SentinelOne): Enterprise deception platform with AD decoys and endpoint breadcrumbs
- HoneyDB: Community honeypot data aggregation platform for threat intelligence sharing
- T-Pot: Open-source multi-honeypot platform combining 20+ honeypot types in a Docker deployment
Common Scenarios
- Lateral Movement Detection: Attacker enumerates SMB shares and accesses honeypot file server — immediate high-fidelity alert
- Credential Theft Discovery: Mimikatz dumps honeytoken cached credentials — usage of fake account triggers alert
- Cloud Key Compromise: Stolen AWS canary token used from external IP — detects supply chain or insider compromise
- Ransomware Early Warning: Ransomware encrypts canary files on honeypot shares — early detection before production systems affected
- Insider Threat Signal: Employee accesses honeypot "salary database" — indicates unauthorized data exploration
Output Format
DECEPTION ALERT — CRITICAL
━━━━━━━━━━━━━━━━━━━━━━━━━━
Time: 2024-03-15 14:23:07 UTC
Canary: FILESERVER-BK04 (10.0.5.200)
Service: SMB — File share "Finance_Backup" accessed
Source: 192.168.1.105 (WORKSTATION-042, Finance Dept)
User: company\jsmith
File Accessed: Q4_Revenue_2024.xlsx (canary document)
Alert Confidence: HIGH — No legitimate reason to access deception asset
False Positive Likelihood: <1%
Automated Response:
[DONE] WORKSTATION-042 isolated via CrowdStrike
[DONE] 192.168.1.105 blocked at firewall (bidirectional)
[DONE] Incident INC0012567 created (P1 — Critical)
[PENDING] Tier 2 investigation — determine if workstation compromised or insider threatReferences and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.1 KB
API Reference: Performing Deception Technology Deployment
Canary Tokens API (canarytokens.org)
| Endpoint | Method | Description |
|---|---|---|
/generate |
POST | Generate a new canary token (DNS, HTTP, file) |
/history |
GET | Retrieve alert history for a token |
/manage |
GET | List all deployed tokens |
Thinkst Canary API
| Endpoint | Method | Description |
|---|---|---|
/api/v1/canarytokens/create |
POST | Create a new canarytoken |
/api/v1/incidents/all |
GET | List all triggered incidents |
/api/v1/device/list |
GET | List deployed Canary devices |
Honeypot Components (stdlib)
| Module | Description |
|---|---|
http.server.HTTPServer |
HTTP honeypot listener |
socketserver.TCPServer |
Generic TCP honeypot |
secrets.token_hex() |
Generate unique token IDs |
hashlib.sha256() |
Hash canary file content for integrity |
Key Libraries
- secrets (stdlib): Cryptographically secure token generation
- http.server (stdlib): HTTP honeypot server implementation
- socket (stdlib): TCP/UDP honeypot listeners
- hashlib (stdlib): File integrity hashing for canary files
- threading (stdlib): Run honeypot services in background threads
Honeytoken Types
| Type | Deployment | Alert Trigger |
|---|---|---|
| Credential | AD, LSASS, config files | Any authentication attempt |
| Canary File | Network shares, endpoints | File open/read access |
| DNS Token | Documents, scripts | DNS resolution |
| AWS Key | Code repos, config files | AWS API call with key |
| HTTP Token | Documents, emails | HTTP GET request |
Configuration
| Variable | Description |
|---|---|
CANARY_API_KEY |
Thinkst Canary API key |
CANARY_DOMAIN |
Canary DNS domain for token callbacks |
HONEYPOT_PORT |
Port for HTTP honeypot listener |
References
Scripts 1
agent.py7.6 KB
#!/usr/bin/env python3
"""
Deception Technology Deployment Agent
Deploys and manages honeypots, honeytokens, and canary files to detect
lateral movement and credential abuse with near-zero false positive alerts.
"""
import hashlib
import json
import os
import secrets
import sys
import threading
from datetime import datetime, timezone
from http.server import HTTPServer, BaseHTTPRequestHandler
def generate_honeytoken_credentials(count: int = 5) -> list[dict]:
"""Generate fake credential honeytokens for deployment in AD and databases."""
honeytokens = []
templates = [
("svc_backup_admin", "Service account - backup system"),
("admin_legacy", "Legacy admin account"),
("db_migration_user", "Database migration service account"),
("api_service_prod", "Production API service account"),
("deploy_automation", "CI/CD deployment service account"),
]
for i in range(min(count, len(templates))):
username, description = templates[i]
token_id = secrets.token_hex(4)
honeytokens.append({
"token_id": f"HT-{token_id}",
"type": "credential",
"username": f"{username}_{token_id[:4]}",
"password": secrets.token_urlsafe(24),
"description": description,
"deployment_location": "Active Directory / LSASS memory",
"alert_on": "Any authentication attempt",
"created": datetime.now(timezone.utc).isoformat(),
})
return honeytokens
def generate_canary_files(output_dir: str, count: int = 5) -> list[dict]:
"""Generate canary files that trigger alerts when accessed."""
canary_templates = [
("passwords.xlsx", "Fake password spreadsheet"),
("salary_data_2024.csv", "Fake salary data"),
("aws_credentials.txt", "Fake AWS access keys"),
("vpn_config_backup.ovpn", "Fake VPN configuration"),
("database_backup_prod.sql", "Fake database backup"),
]
canary_files = []
os.makedirs(output_dir, exist_ok=True)
for i in range(min(count, len(canary_templates))):
filename, description = canary_templates[i]
filepath = os.path.join(output_dir, filename)
token_id = secrets.token_hex(4)
content = f"# CANARY FILE - Token: {token_id}\n"
content += f"# This file is a decoy. Any access triggers a security alert.\n"
content += f"# Description: {description}\n"
content += f"# Generated: {datetime.now(timezone.utc).isoformat()}\n\n"
if "credentials" in filename or "password" in filename:
content += "admin:P@ssw0rd_fake_canary_2024\n"
content += "root:SuperSecret_fake_canary!\n"
elif "aws" in filename:
content += f"[default]\naws_access_key_id = AKIA{secrets.token_hex(8).upper()}\n"
content += f"aws_secret_access_key = {secrets.token_hex(20)}\n"
with open(filepath, "w") as f:
f.write(content)
canary_files.append({
"token_id": f"CF-{token_id}",
"type": "canary_file",
"filename": filename,
"filepath": filepath,
"description": description,
"sha256": hashlib.sha256(content.encode()).hexdigest(),
"alert_on": "File open / read access",
"created": datetime.now(timezone.utc).isoformat(),
})
return canary_files
def generate_dns_canary_tokens(domain: str, count: int = 3) -> list[dict]:
"""Generate DNS canary tokens that alert on resolution."""
tokens = []
for i in range(count):
token_id = secrets.token_hex(8)
hostname = f"{token_id}.{domain}"
tokens.append({
"token_id": f"DNS-{token_id[:8]}",
"type": "dns_canary",
"hostname": hostname,
"usage": f"Embed in config files, documents, or network shares",
"alert_on": "DNS resolution of hostname",
"created": datetime.now(timezone.utc).isoformat(),
})
return tokens
class HoneypotHTTPHandler(BaseHTTPRequestHandler):
"""Simple HTTP honeypot handler that logs all requests."""
alerts = []
def do_GET(self):
alert = {
"timestamp": datetime.now(timezone.utc).isoformat(),
"source_ip": self.client_address[0],
"source_port": self.client_address[1],
"method": "GET",
"path": self.path,
"headers": dict(self.headers),
"severity": "HIGH",
}
HoneypotHTTPHandler.alerts.append(alert)
print(f"[ALERT] Honeypot hit: {alert['source_ip']} -> GET {self.path}")
self.send_response(401)
self.send_header("WWW-Authenticate", 'Basic realm="Restricted Area"')
self.end_headers()
self.wfile.write(b"Authentication Required")
def do_POST(self):
content_length = int(self.headers.get("Content-Length", 0))
body = self.rfile.read(content_length).decode("utf-8", errors="ignore")
alert = {
"timestamp": datetime.now(timezone.utc).isoformat(),
"source_ip": self.client_address[0],
"method": "POST",
"path": self.path,
"body_preview": body[:200],
"severity": "CRITICAL",
}
HoneypotHTTPHandler.alerts.append(alert)
print(f"[ALERT] Honeypot credential capture: {alert['source_ip']}")
self.send_response(403)
self.end_headers()
self.wfile.write(b"Access Denied")
def log_message(self, format, *args):
pass
def start_http_honeypot(host: str = "0.0.0.0", port: int = 8888) -> HTTPServer:
"""Start an HTTP honeypot server in a background thread."""
server = HTTPServer((host, port), HoneypotHTTPHandler)
thread = threading.Thread(target=server.serve_forever, daemon=True)
thread.start()
print(f"[*] HTTP honeypot listening on {host}:{port}")
return server
def generate_deployment_report(
credentials: list, canary_files: list, dns_tokens: list
) -> str:
"""Generate deception technology deployment report."""
total = len(credentials) + len(canary_files) + len(dns_tokens)
lines = [
"DECEPTION TECHNOLOGY DEPLOYMENT REPORT",
"=" * 50,
f"Date: {datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M UTC')}",
f"Total Decoys Deployed: {total}",
"",
f"HONEYTOKEN CREDENTIALS ({len(credentials)}):",
]
for cred in credentials:
lines.append(f" [{cred['token_id']}] {cred['username']} - {cred['description']}")
lines.append(f"\nCANARY FILES ({len(canary_files)}):")
for cf in canary_files:
lines.append(f" [{cf['token_id']}] {cf['filename']} - {cf['description']}")
lines.append(f"\nDNS CANARY TOKENS ({len(dns_tokens)}):")
for dns in dns_tokens:
lines.append(f" [{dns['token_id']}] {dns['hostname']}")
return "\n".join(lines)
if __name__ == "__main__":
output_dir = sys.argv[1] if len(sys.argv) > 1 else "canary_files"
dns_domain = sys.argv[2] if len(sys.argv) > 2 else "canary.example.com"
print("[*] Deploying deception technology...")
credentials = generate_honeytoken_credentials(5)
canary_files = generate_canary_files(output_dir, 5)
dns_tokens = generate_dns_canary_tokens(dns_domain, 3)
report = generate_deployment_report(credentials, canary_files, dns_tokens)
print(report)
inventory = {
"credentials": credentials,
"canary_files": canary_files,
"dns_tokens": dns_tokens,
}
output = f"deception_inventory_{datetime.now(timezone.utc).strftime('%Y%m%d')}.json"
with open(output, "w") as f:
json.dump(inventory, f, indent=2)
print(f"\n[*] Inventory saved to {output}")