creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 22:54:53 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-honeypot-for-ransomware-detection/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

68 lines
1.7 KiB
Markdown
Raw Blame History

# API Reference: Implementing Honeypot for Ransomware Detection
## Canary File Strategy
| Name Pattern | Extension | Purpose |
|-------------|-----------|---------|
| `!Accounting_*` | .docx, .xlsx | Sorted first alphabetically |
| `~$Confidential_*` | .pdf, .csv | Mimics temp/open Office files |
| `!Payroll_*` | .xlsx, .bak | High-value bait |
## Integrity Monitoring
```python
import hashlib
from pathlib import Path
content = Path("canary.docx").read_bytes()
sha256 = hashlib.sha256(content).hexdigest()
```
## Ransomware Extension Indicators
| Extension | Ransomware Family |
|-----------|------------------|
| `.encrypted` | Generic |
| `.locked` | LockBit, GandCrab |
| `.crypto` | CryptoLocker variants |
| `.ransom` | Generic |
| `.enc` | Various |
## Samba Honeypot Share (full_audit VFS)
```ini
[FinanceArchive]
path = /srv/honeypot
vfs objects = full_audit
full_audit:success = open opendir write rename unlink
full_audit:failure = open
full_audit:facility = LOCAL7
full_audit:priority = NOTICE
```
## Thinkst Canary API
```bash
# List incidents
curl "https://DOMAIN.canary.tools/api/v1/incidents/all" \
-d auth_token=TOKEN
# Acknowledge incident
curl "https://DOMAIN.canary.tools/api/v1/incident/acknowledge" \
-d auth_token=TOKEN -d incident=INC_ID
```
## Detection Thresholds
| Metric | Threshold | Severity |
|--------|----------|----------|
| Files modified in 60s | > 50 | CRITICAL |
| Canary file deleted | Any | CRITICAL |
| Canary hash changed | Any | CRITICAL |
| Known ransom extensions | Any | CRITICAL |
### References
- Thinkst Canary: https://canary.tools/
- CISA Ransomware Guide: https://www.cisa.gov/stopransomware
- Canarytokens: https://canarytokens.org/
Reference in New Issue View Git Blame Copy Permalink