creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-26 11:44:37 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
768ca51c8d331ab0bdcea8ffb31c9b99bb2c1839
Anthropic-Cybersecurity-Skills/skills/implementing-deception-based-detection-with-canarytoken/SKILL.md
T
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1 
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-01 12:13:29 +02:00

2.1 KiB
Raw Blame History

name, description, domain, subdomain, tags, version, author, license, nist_csf, mitre_attack
name description domain subdomain tags version author license nist_csf mitre_attack
implementing-deception-based-detection-with-canarytoken Deploy and monitor Canary Tokens via the Thinkst Canary API for deception-based breach detection using web bug tokens, DNS tokens, document tokens, and AWS key tokens. cybersecurity deception-technology
canarytoken
deception
honeytokens
breach-detection
Thinkst-Canary
tripwire
early-warning
1.0 mahipal Apache-2.0
DE.CM-01
DE.AE-06
PR.IR-01
T1078
T1190
T1059
T1078.004
T1530

Implementing Deception-Based Detection with Canarytoken

Overview

Canary Tokens are lightweight tripwire mechanisms that alert when an attacker accesses a resource. This skill uses the Thinkst Canary REST API to programmatically create tokens (web bugs, DNS tokens, MS Word documents, AWS API keys), deploy them to strategic locations, monitor for triggered alerts, and generate deception coverage reports.

When to Use

  • When deploying or configuring implementing deception based detection with canarytoken capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Thinkst Canary Console or canarytokens.org account
  • API auth token from Canary Console
  • Python 3.9+ with requests
  • File system access for deploying document and file tokens

Steps

  1. Authenticate to the Canary Console API using auth_token
  2. Create web bug (HTTP) tokens for embedding in documents and web pages
  3. Create DNS tokens for monitoring DNS resolution attempts
  4. Create MS Word document tokens for file share deployment
  5. List all active tokens and their trigger history
  6. Query recent alerts for triggered token events
  7. Generate deception coverage report with deployment recommendations

Expected Output

  • JSON report listing all deployed Canary Tokens, trigger history, alert details, and coverage analysis
  • Deployment map showing token types across network segments
Reference in New Issue View Git Blame Copy Permalink