implementing-honeytokens-for-breach-detection

Solid

Deploys canary tokens and honeytokens (fake AWS credentials, DNS canaries, document beacons, database records) that trigger alerts when accessed by attackers. Uses the Canarytokens API and custom webhook integrations for breach detection. Use when building deception-based early warning systems for intrusion detection.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 97/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
82
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Implementing Honeytokens for Breach Detection ## When to Use - When deploying or configuring implementing honeytokens for breach detection capabilities in your environment - When establishing security controls aligned to compliance requirements - When building or improving security architecture for this domain - When conducting security assessments that require this implementation ## Prerequisites - Familiarity with security operations concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## Instructions Deploy honeytokens across critical systems to detect unauthorized access. Each token type alerts via webhook when triggered by an attacker. ```python import requests # Create a DNS canary token via Canarytokens resp = requests.post("https://canarytokens.org/generate", data={ "type": "dns", "email": "soc@company.com", "memo": "Production DB server honeytoken", }) token = resp.json() print(f"DNS token: {token['hostname']}") ``` Token types to deploy: 1. AWS credential files (~/.aws/credentials) with canary keys 2. DNS tokens embedded in configuration files 3. Document beacons (Word/PDF) in sensitive file shares 4. Database honeytoken records in user tables 5. Web bugs in internal wiki/documentation pages ## Examples ```python # Generate a fake AWS credentials file with canary token aws_creds = f"[default]\naws_access_key_id = ...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Solid

implementing-deception-based-detection-with-canarytoken

Deploy and monitor Canary Tokens via the Thinkst Canary API for deception-based breach detection using web bug tokens, DNS tokens, document tokens, and AWS key tokens.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

implementing-canary-tokens-for-network-intrusion

Deploys DNS, HTTP, and AWS API key canary tokens across network infrastructure to detect unauthorized access and lateral movement. Integrates with webhook alerting (Slack, Teams, email, generic HTTP) for real-time intrusion notifications. Provides automated token generation, placement strategies, and monitoring for enterprise network environments. Use when building deception-based network intrusion detection with Canarytokens.org and Thinkst Canary platforms.

12,642 Updated today
mukul975
AI & Automation Featured

implementing-network-deception-with-honeypots

Deploy and manage network honeypots using OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral movement, and attacker reconnaissance.

12,642 Updated today
mukul975
AI & Automation Featured

deploying-active-directory-honeytokens

Deploys deception-based honeytokens in Active Directory including fake privileged accounts with AdminCount=1, fake SPNs for Kerberoasting detection (honeyroasting), decoy GPOs with cpassword traps, and fake BloodHound paths. Monitors Windows Security Event IDs 4769, 4625, 4662, 5136 for honeytoken interaction. Use when implementing AD deception defenses for detecting lateral movement, credential theft, and reconnaissance.

12,642 Updated today
mukul975
AI & Automation Featured

implementing-honeypot-for-ransomware-detection

Deploys canary files, honeypot shares, and decoy systems to detect ransomware activity at the earliest possible stage. Configures canary tokens embedded in strategic file locations that trigger alerts when ransomware attempts encryption, uses honeypot network shares that mimic high-value targets, and deploys Thinkst Canary appliances for comprehensive deception-based detection. Activates for requests involving ransomware honeypots, canary files, deception technology for ransomware, or early ransomware alerting.

12,642 Updated today
mukul975