creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 22:54:53 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/deploying-ransomware-canary-files/references/api-reference.md
T

77 lines
2.9 KiB
Markdown
Raw Blame History

# API Reference: Deploying Ransomware Canary Files
## Canary File Deployment
| Function | Parameters | Returns |
|----------|-----------|---------|
| `deploy_canary_files(target_dirs, custom_files)` | List of directories, optional custom file dict | Manifest with deployed file paths and hashes |
| `compute_sha256(filepath)` | File path string | SHA-256 hex digest |
| `compute_entropy(filepath)` | File path string | Shannon entropy float (0-8) |
## Monitoring Functions
| Function | Parameters | Returns |
|----------|-----------|---------|
| `start_monitoring(manifest_path, config)` | Path to manifest JSON, alert config dict | Blocks until interrupted |
| `verify_canary_integrity(manifest_path)` | Path to manifest JSON | Dict with intact/modified/missing counts |
| `simulate_ransomware_test(manifest_path)` | Path to manifest JSON | List of test results |
## CanaryFileHandler Events
| Event | Handler Method | Trigger |
|-------|---------------|---------|
| File modified | `on_modified(event)` | Content change detected |
| File deleted | `on_deleted(event)` | Canary file removed |
| File renamed | `on_moved(event)` | Canary file renamed or moved |
| New file created | `on_created(event)` | Ransom note detection in monitored dirs |
## Alert Channels
| Channel | Function | Required Config |
|---------|----------|-----------------|
| Slack | `send_slack_alert(data, webhook_url)` | `slack_webhook` URL |
| Email | `send_email_alert(data, host, port, sender, recipients)` | SMTP server details |
| Syslog | `send_syslog_alert(data, server, port)` | Syslog server address |
| File | Automatic | Writes to `canary_alerts.jsonl` |
## Ransomware Extension Detection
| Extensions Monitored |
|---------------------|
| `.encrypted`, `.locked`, `.lockbit`, `.crypt`, `.enc` |
| `.ransom`, `.pay`, `.aes`, `.rsa`, `.cry` |
| `.ryk`, `.revil`, `.conti`, `.hive`, `.black`, `.basta` |
## CLI Usage
```bash
# Deploy canary files
python agent.py --action deploy --dirs /srv/shares /home/admin/Documents
# Monitor canary files with Slack alerts
python agent.py --action monitor --slack-webhook https://hooks.slack.com/...
# Verify canary file integrity
python agent.py --action verify
# Test detection pipeline
python agent.py --action test
```
## Python Libraries
| Library | Version | Purpose |
|---------|---------|---------|
| `watchdog` | >=3.0 | Filesystem event monitoring |
| `requests` | >=2.28 | Slack webhook integration |
| `psutil` | >=5.9 | Process information gathering |
| `hashlib` | stdlib | SHA-256 file hashing |
| `smtplib` | stdlib | SMTP email alerts |
## References
- Elastic Security Labs: Ransomware Canary Files: https://www.elastic.co/security-labs/ransomware-in-the-honeypot-how-we-capture-keys
- Huntress Ransomware Canaries: https://support.huntress.io/hc/en-us/articles/4404005167763
- Python Watchdog Documentation: https://python-watchdog.readthedocs.io/
- CISA #StopRansomware Guide: https://www.cisa.gov/stopransomware/ransomware-guide
Reference in New Issue View Git Blame Copy Permalink