mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 21:54:56 +03:00
mukul975
4d6d585285
Skills added: - implementing-privileged-access-workstation (IAM, PAW hardening) - detecting-suspicious-oauth-application-consent (cloud security, Graph API) - performing-hardware-security-module-integration (cryptography, PKCS#11) - analyzing-android-malware-with-apktool (malware analysis, androguard) - hunting-for-unusual-service-installations (threat hunting, T1543.003) - detecting-shadow-it-cloud-usage (cloud security, proxy/DNS log analysis) - performing-active-directory-forest-trust-attack (red team, impacket) - implementing-deception-based-detection-with-canarytoken (deception, Canary API) - analyzing-office365-audit-logs-for-compromise (cloud security, BEC detection) - hunting-for-startup-folder-persistence (threat hunting, T1547.001) Each skill includes SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2.9 KiB
2.9 KiB
API Reference — Implementing Deception-Based Detection with Canarytoken
Libraries Used
- requests: HTTP client for Thinkst Canary Console REST API
- json: JSON serialization for audit reports
CLI Interface
python agent.py --console abc123 --auth-token TOKEN ping
python agent.py --console abc123 --auth-token TOKEN list
python agent.py --console abc123 --auth-token TOKEN alerts
python agent.py --console abc123 --auth-token TOKEN create --kind http --memo "Web server token"
python agent.py --console abc123 --auth-token TOKEN create --kind dns --memo "DNS honeypot"
python agent.py --console abc123 --auth-token TOKEN coverage
python agent.py --console abc123 --auth-token TOKEN full
Core Functions
CanaryClient(console_domain, auth_token) — API client
Base URL: https://{console_domain}.canary.tools/api/v1
Auth: auth_token parameter on every request.
create_token(kind, memo, **kwargs) — Create Canarytoken
POST /canarytoken/create with kind, memo, auth_token.
For doc-msword: uploads file via multipart form with MIME type
application/vnd.openxmlformats-officedocument.wordprocessingml.document.
list_tokens() — List all deployed tokens
GET /canarytokens/fetch. Returns array of token objects with kind, memo, url, enabled.
get_alerts(newer_than) — Fetch triggered token alerts
GET /incidents/all. Optional newer_than timestamp filter.
Returns src_host (source IP), description, timestamp, acknowledged status.
ack_alert(incident_id) — Acknowledge an alert
POST /incident/acknowledge with incident ID.
audit_token_coverage(client) — Coverage analysis
Calculates: tokens by kind, triggered vs untriggered, missing token types, coverage score as percentage of TOKEN_KINDS deployed.
full_audit(client) — Comprehensive deception audit
Canary Console API Endpoints
| Endpoint | Method | Description |
|---|---|---|
/ping |
GET | Test API connectivity |
/canarytoken/create |
POST | Create new token |
/canarytokens/fetch |
GET | List all tokens |
/canarytoken/fetch |
GET | Get specific token |
/canarytoken/delete |
POST | Delete a token |
/incidents/all |
GET | Fetch all alerts |
/canarytoken/incidents |
GET | Alerts for specific token |
/incident/acknowledge |
POST | Acknowledge alert |
Supported Token Types
| Kind | Description |
|---|---|
| http | Web bug — triggers on HTTP request |
| dns | DNS token — triggers on DNS resolution |
| doc-msword | MS Word document with embedded beacon |
| pdf-acrobat-reader | PDF with embedded beacon |
| aws-id | Fake AWS API key pair |
| web-image | Image with tracking pixel |
| cloned-web | Cloned website detection |
| qr-code | QR code with tracking URL |
| sensitive-cmd | Triggers on command execution |
| windows-dir | Windows folder open detection |
Dependencies
requests>= 2.28.0- Thinkst Canary Console account with API auth token