OpenSkillIndex← back to search
claude-code

Anthropic-Cybersecurity-Skills implementing-honeytokens-for-breach-detection

'Deploys canary tokens and honeytokens (fake AWS credentials, DNS canaries, document beacons, database records)

install
source · Clone the upstream repo
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/implementing-honeytokens-for-breach-detection" ~/.claude/skills/mukul975-anthropic-cybersecurity-skills-implementing-honeytokens-for-breach-dete && rm -rf "$T"
manifest: skills/implementing-honeytokens-for-breach-detection/SKILL.md
source content

Implementing Honeytokens for Breach Detection

When to Use

  • When deploying or configuring implementing honeytokens for breach detection capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Familiarity with security operations concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Instructions

Deploy honeytokens across critical systems to detect unauthorized access. Each token type alerts via webhook when triggered by an attacker.

import requests

# Create a DNS canary token via Canarytokens
resp = requests.post("https://canarytokens.org/generate", data={
    "type": "dns",
    "email": "soc@company.com",
    "memo": "Production DB server honeytoken",
})
token = resp.json()
print(f"DNS token: {token['hostname']}")

Token types to deploy:

  1. AWS credential files (~/.aws/credentials) with canary keys
  2. DNS tokens embedded in configuration files
  3. Document beacons (Word/PDF) in sensitive file shares
  4. Database honeytoken records in user tables
  5. Web bugs in internal wiki/documentation pages

Examples

# Generate a fake AWS credentials file with canary token
aws_creds = f"[default]\naws_access_key_id = {canary_key_id}\naws_secret_access_key = {canary_secret}\n"
with open("/opt/backup/.aws/credentials", "w") as f:
    f.write(aws_creds)