hnytkn-breach-dtctn

star 4

Deploys canary tokens and honeytokens (fake AWS credentials, DNS canaries, document beacons, database records) that trigger alerts when accessed by attackers. Uses the Canarytokens API and custom webhook integrations for breach detection. Use when building deception-based early warning systems for intrusion detection.

Undermybelt By Undermybelt schedule Updated 6/7/2026
play_arrow Run Skill in Manus View GitHub

name: hnytkn-breach-dtctn description: 'Deploys canary tokens and honeytokens (fake AWS credentials, DNS canaries, document beacons, database records) that trigger alerts when accessed by attackers. Uses the Canarytokens API and custom webhook integrations for breach detection. Use when building deception-based early warning systems for intrusion detection.

' domain: cybersecurity subdomain: security-operations tags:

  • implementing
  • honeytokens
  • for
  • breach version: '1.0' author: mahipal license: Apache-2.0 nist_csf:
  • DE.CM-01
  • RS.MA-01
  • GV.OV-01
  • DE.AE-02

Implementing Honeytokens for Breach Detection

When to Use

  • When deploying or configuring implementing honeytokens for breach detection capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Familiarity with security operations concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Instructions

Deploy honeytokens across critical systems to detect unauthorized access. Each token type alerts via webhook when triggered by an attacker.

import requests

# Create a DNS canary token via Canarytokens
resp = requests.post("https://canarytokens.org/generate", data={
    "type": "dns",
    "email": "soc@company.com",
    "memo": "Production DB server honeytoken",
})
token = resp.json()
print(f"DNS token: {token['hostname']}")

Token types to deploy:

  1. AWS credential files (~/.aws/credentials) with canary keys
  2. DNS tokens embedded in configuration files
  3. Document beacons (Word/PDF) in sensitive file shares
  4. Database honeytoken records in user tables
  5. Web bugs in internal wiki/documentation pages

Examples

# Generate a fake AWS credentials file with canary token
aws_creds = f"[default]\naws_access_key_id = {canary_key_id}\naws_secret_access_key = {canary_secret}\n"
with open("/opt/backup/.aws/credentials", "w") as f:
    f.write(aws_creds)
Install via CLI
npx skills add https://github.com/Undermybelt/hermes-skills --skill hnytkn-breach-dtctn
Repository Details
star Stars 4
call_split Forks 1
navigation Branch main
article Path SKILL.md
More from Creator
Undermybelt
Undermybelt Explore all skills →