implementing-honeypot-for-ransomware-detection


Deploys canary files, honeypot shares, and decoy systems to detect ransomware activity at the earliest possible stage. Configures canary tokens embedded in strategic file locations that trigger alerts when ransomware attempts encryption, uses honeypot network shares that mimic high-value targets, and deploys Thinkst Canary appliances for comprehensive deception-based detection. Activates for requests involving ransomware honeypots, canary files, deception technology for ransomware, or early ransomware alerting.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100
Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Implementing Honeypot for Ransomware Detection

## When to Use

- Deploying early-warning detection for ransomware encryption attempts using canary files
- Creating honeypot file shares that detect lateral movement and data staging before encryption
- Supplementing EDR and SIEM-based detection with deception-layer alerts that have near-zero false positives
- Detecting ransomware variants that evade signature-based detection by triggering on file modification behavior
- Validating that ransomware detection capabilities work by testing with controlled encryption tools

**Do not use** as the sole ransomware detection mechanism. Honeypots are a high-confidence supplementary layer, not a replacement for EDR, network monitoring, and backup protection.

## Prerequisites

- File server or NAS infrastructure where canary files can be deployed
- Windows File Server Resource Manager (FSRM) or equivalent file activity monitoring
- Thinkst Canary or similar deception platform (optional, for advanced deployment)
- SIEM platform for centralizing honeypot alerts
- Administrative access to deploy canary files across file shares
- Network segment for honeypot systems (if deploying full honeypot servers)

## Workflow

### Step 1: Deploy Canary Files on File Shares

Place canary files in strategic locations that ransomware will encounter during encryption:

```powershell
# Deploy canary files across all file shares
# Files are named to appear early in alphabetical and directory order
# Ransomw...
```

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

DevOps & Infrastructure Featured

deploying-decoy-files-for-ransomware-detection

Deploys canary files (honeytokens) across file systems to detect ransomware encryption activity in real time. Uses strategically placed decoy documents monitored via file integrity monitoring or OS-level watchdogs to trigger alerts when ransomware modifies or encrypts them. Activates for requests involving ransomware canary deployment, honeyfile setup, deception-based ransomware detection, or file integrity monitoring for encryption.

12,642 Updated today
mukul975
AI & Automation Featured

deploying-ransomware-canary-files

Deploys and monitors ransomware canary files across critical directories using Python's watchdog library for real-time filesystem event detection. Places strategically named decoy files that mimic high-value targets (financial records, credentials, database exports) in locations ransomware typically enumerates first. Monitors for any read, modify, rename, or delete operations on canary files and triggers immediate alerts via email, Slack webhook, or syslog when interaction is detected, providing early warning before full encryption begins.

12,642 Updated today
mukul975
AI & Automation Featured

implementing-network-deception-with-honeypots

Deploy and manage network honeypots using OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral movement, and attacker reconnaissance.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-ransomware-precursors-in-network

Detects early-stage ransomware indicators in network traffic before encryption begins, including initial access broker activity, command-and-control beaconing, credential harvesting, reconnaissance scanning, and staging behavior. Uses network detection tools (Zeek, Suricata, Arkime), SIEM correlation rules, and threat intelligence feeds to identify ransomware precursor patterns such as Cobalt Strike beacons, Mimikatz network signatures, and RDP brute-force attempts. Activates for requests involving pre-ransomware detection, network-based ransomware indicators, or early warning ransomware monitoring.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

implementing-canary-tokens-for-network-intrusion

Deploys DNS, HTTP, and AWS API key canary tokens across network infrastructure to detect unauthorized access and lateral movement. Integrates with webhook alerting (Slack, Teams, email, generic HTTP) for real-time intrusion notifications. Provides automated token generation, placement strategies, and monitoring for enterprise network environments. Use when building deception-based network intrusion detection with Canarytokens.org and Thinkst Canary platforms.

12,642 Updated today
mukul975