Deploys deception technologies including honeypots, honeytokens, and decoy systems to detect post-breach lateral movement, credential abuse, and reconnaissance for SOC teams.
npx claudepluginhub killvxk/cybersecurity-skills-zhThis skill uses the workspace's default tool permissions.
以下情况使用本技能:
Deploys honeypots, honeytokens, and decoy systems like Thinkst Canary to detect lateral movement and credential abuse post-perimeter breach. For SOC teams seeking high-fidelity alerts.
Deploys honeypots, honeytokens, and decoy systems like Thinkst Canary to detect post-breach lateral movement, credential abuse, and reconnaissance for SOC teams with high-fidelity alerts.
Deploys and manages network honeypots using OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral movement, and attacker reconnaissance in cybersecurity setups.
Share bugs, ideas, or general feedback.
以下情况使用本技能:
请勿将本技能用作替代基础安全控制(补丁管理、EDR、网络分段)的手段——欺骗技术是检测层,而非防御机制。
识别攻击者可能穿越的高价值网络分段:
欺骗部署地图
━━━━━━━━━━━━━━━━━━━━━━━━
网络分段 诱饵类型 理由
服务器 VLAN 虚假文件服务器 攻击者在侦察阶段枚举 SMB 共享
数据库 VLAN 虚假数据库服务器 历史事件中发现 SQL 扫描行为
AD/DC 分段 诱饵令牌账户 凭据窃取检测
管理层子网 虚假工作站 定向攻击通常通过高管系统横向移动
DMZ 蜜罐 Web 应用 外部攻击者检测
OT 网络 虚假 PLC/HMI 工业威胁检测
云(AWS VPC) 诱饵 EC2 + S3 云横向移动检测
配置模拟真实基础设施的 Canary 设备:
Windows 文件服务器诱饵:
{
"device_name": "FILESERVER-BK04",
"personality": "windows-server-2019",
"services": {
"smb": {
"enabled": true,
"shares": ["Finance_Backup", "HR_Archive", "IT_Docs"],
"files": [
{"name": "Q4_Revenue_2024.xlsx", "alert_on": "read"},
{"name": "employee_ssn_export.csv", "alert_on": "read"},
{"name": "admin_passwords.kdbx", "alert_on": "read"}
]
},
"rdp": {"enabled": true},
"http": {"enabled": false}
},
"network": {
"ip": "10.0.5.200",
"hostname": "FILESERVER-BK04",
"domain": "company.local"
},
"alert_webhook": "https://soar.company.com/api/webhook/canary"
}
数据库服务器诱饵:
{
"device_name": "DB-ARCHIVE-02",
"personality": "linux-mysql",
"services": {
"mysql": {
"enabled": true,
"port": 3306,
"databases": ["customer_pii", "payment_archive"],
"alert_on_login_attempt": true
},
"ssh": {
"enabled": true,
"port": 22,
"alert_on_login_attempt": true
}
},
"network": {
"ip": "10.0.10.50",
"hostname": "db-archive-02"
}
}
创建不应被使用的虚假特权账户:
# 创建诱饵令牌服务账户
New-ADUser -Name "svc_sql_backup" `
-SamAccountName "svc_sql_backup" `
-UserPrincipalName "svc_sql_backup@company.local" `
-Description "SQL Backup Service Account - DO NOT DELETE" `
-AccountPassword (ConvertTo-SecureString "FakeP@ssw0rd2024!" -AsPlainText -Force) `
-Enabled $true `
-PasswordNeverExpires $true `
-CannotChangePassword $true
# 添加到看起来有吸引力的组(但监控任何使用行为)
Add-ADGroupMember -Identity "Domain Admins" -Members "svc_sql_backup"
# 在诱饵工作站上放置缓存凭据
# (Mimikatz/凭据转储工具将发现这些凭据)
cmdkey /add:fileserver-bk04.company.local /user:company\svc_sql_backup /pass:FakeP@ssw0rd2024!
在 Splunk 中监控诱饵令牌使用情况:
index=wineventlog sourcetype="WinEventLog:Security"
(EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR EventCode=4768 OR EventCode=4769)
TargetUserName="svc_sql_backup"
| eval alert_severity = "CRITICAL"
| eval alert_message = "HONEYTOKEN ACCOUNT USED — Likely credential theft detected"
| table _time, EventCode, src_ip, ComputerName, TargetUserName, Logon_Type, alert_message
植入被访问时会发出信标的追踪文档:
诱饵文档(带追踪功能的 Word 文档):
# 使用 Thinkst Canary API 创建诱饵令牌文档
import requests
response = requests.post(
"https://YOURCOMPANY.canary.tools/api/v1/canarytoken/create",
data={
"auth_token": "YOUR_API_TOKEN",
"kind": "doc-msword",
"memo": "Finance backup folder canary document",
"flock_id": "flock:default"
}
)
token = response.json()
download_url = token["canarytoken"]["canarytoken_url"]
print(f"Download canary doc: {download_url}")
# 将此文档放置在蜜罐 SMB 共享和敏感目录中
AWS 诱饵令牌(S3 访问密钥):
# 创建 AWS 诱饵令牌——当访问密钥被使用时触发告警
response = requests.post(
"https://YOURCOMPANY.canary.tools/api/v1/canarytoken/create",
data={
"auth_token": "YOUR_API_TOKEN",
"kind": "aws-id",
"memo": "Canary AWS key in developer laptop .aws/credentials"
}
)
aws_keys = response.json()
print(f"Access Key: {aws_keys['canarytoken']['access_key_id']}")
print(f"Secret Key: {aws_keys['canarytoken']['secret_access_key']}")
# 植入开发者工作站的 .aws/credentials 文件中
所有欺骗告警均为高置信度——任何交互行为都属可疑:
Splunk Canary 触发告警:
index=canary sourcetype="canary:alerts"
| eval severity = "CRITICAL"
| eval confidence = "HIGH — Deception asset triggered, zero false positive expected"
| table _time, canary_name, alert_type, source_ip, service, details
| sendalert create_notable param.rule_title="Deception Alert — Canary Triggered"
param.severity="critical" param.drilldown_search="index=canary source_ip=$source_ip$"
SOAR 自动化响应:
def canary_triggered(container):
"""欺骗告警自动响应——高置信度,无需人工审批"""
source_ip = container["artifacts"][0]["cef"]["sourceAddress"]
# 立即隔离来源主机
phantom.act("quarantine device",
parameters=[{"ip_hostname": source_ip}],
assets=["crowdstrike_prod"],
name="isolate_attacker_host")
# 在防火墙层阻断
phantom.act("block ip",
parameters=[{"ip": source_ip, "direction": "both"}],
assets=["palo_alto_prod"],
name="block_attacker_ip")
# 创建高优先级事件工单
phantom.act("create ticket",
parameters=[{
"short_description": f"DECEPTION ALERT: Canary triggered from {source_ip}",
"urgency": "1",
"impact": "1"
}],
assets=["servicenow_prod"])
phantom.set_severity(container, "critical")
定期更新诱饵以保持可信度:
| 术语 | 定义 |
|---|---|
| 蜜罐(Honeypot) | 模拟真实基础设施的诱饵系统,用于吸引和检测网络中的攻击者 |
| 诱饵令牌(Honeytoken) | 虚假凭据、文件或数据记录,被访问或使用时触发告警 |
| 金丝雀(Canary) | 轻量级欺骗设备或令牌,任何交互均会触发告警(Thinkst Canary 平台) |
| 面包屑(Breadcrumb) | 植入的痕迹(缓存凭据、书签、配置文件),引导攻击者进入欺骗资产 |
| 高置信度告警(High-Fidelity Alert) | 极低误报率的检测信号,因为任何合法用户都不应与欺骗资产交互 |
| 诱饵网络(Decoy Network) | 由相互连接的蜜罐组成的集合,模拟真实网络分段以观察攻击者的 TTP |
欺骗告警——严重(CRITICAL)
━━━━━━━━━━━━━━━━━━━━━━━━━━
时间: 2024-03-15 14:23:07 UTC
Canary: FILESERVER-BK04 (10.0.5.200)
服务: SMB——文件共享"Finance_Backup"被访问
来源: 192.168.1.105 (WORKSTATION-042, 财务部)
用户: company\jsmith
访问文件: Q4_Revenue_2024.xlsx(诱饵文档)
告警置信度: 高——无合法理由访问欺骗资产
误报可能性: <1%
自动化响应:
[已完成] WORKSTATION-042 通过 CrowdStrike 隔离
[已完成] 192.168.1.105 在防火墙处双向阻断
[已完成] 事件 INC0012567 已创建(P1——严重)
[待处理] 二级调查——确定工作站是否已被攻陷或属内部威胁