analyzing-campaign-attribution-evidence

攻击活动溯源归因分析涉及系统性地评估证据,以确定哪个威胁行为者或组织对某次网络行动负责。本技能涵盖使用 Diamond Model 和 ACH(竞争假设分析)收集并加权溯源归因指标、分析基础设施重叠、TTP 一致性、恶意软件代码相似性、操作时序模式和语言痕迹,以构建置信度加权的溯源归因评估。

9 stars

Best use case

analyzing-campaign-attribution-evidence is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

攻击活动溯源归因分析涉及系统性地评估证据,以确定哪个威胁行为者或组织对某次网络行动负责。本技能涵盖使用 Diamond Model 和 ACH(竞争假设分析)收集并加权溯源归因指标、分析基础设施重叠、TTP 一致性、恶意软件代码相似性、操作时序模式和语言痕迹,以构建置信度加权的溯源归因评估。

Teams using analyzing-campaign-attribution-evidence should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/analyzing-campaign-attribution-evidence/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/analyzing-campaign-attribution-evidence/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/analyzing-campaign-attribution-evidence/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How analyzing-campaign-attribution-evidence Compares

Feature / Agentanalyzing-campaign-attribution-evidenceStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

攻击活动溯源归因分析涉及系统性地评估证据,以确定哪个威胁行为者或组织对某次网络行动负责。本技能涵盖使用 Diamond Model 和 ACH(竞争假设分析)收集并加权溯源归因指标、分析基础设施重叠、TTP 一致性、恶意软件代码相似性、操作时序模式和语言痕迹,以构建置信度加权的溯源归因评估。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 分析攻击活动溯源归因证据

## 概述

攻击活动溯源归因(Attribution)分析涉及系统性地评估证据,以确定哪个威胁行为者(Threat Actor)或组织对某次网络行动负责。本技能涵盖使用 Diamond Model 和 ACH(竞争假设分析)收集并加权溯源指标、分析基础设施重叠、TTP 一致性、恶意软件代码相似性、操作时序模式和语言痕迹,以构建置信度加权的归因评估报告。

## 前置条件

- Python 3.9+,安装 `attackcti`、`stix2`、`networkx` 库
- 访问威胁情报平台(MISP、OpenCTI)
- 了解 Diamond Model 入侵分析框架
- 熟悉 MITRE ATT&CK 威胁组织画像
- 掌握恶意软件分析和基础设施追踪技术

## 核心概念

### 溯源证据类别
1. **基础设施重叠**:共享 C2 服务器、域名、IP 范围、托管服务商
2. **TTP 一致性**:跨攻击活动中匹配的 ATT&CK 技术和子技术
3. **恶意软件代码相似性**:共享代码库、编译器、PDB 路径、加密例程
4. **操作模式**:时序(工作时间、时区)、目标模式、操作节奏
5. **语言痕迹**:特定语言的嵌入字符串、变量名、错误消息
6. **受害者学**:目标行业、地理位置和组织画像一致性

### 置信度级别
- **高置信度**:多个独立证据类别聚焦于同一行为者
- **中置信度**:若干证据类别匹配,但存在一定模糊性
- **低置信度**:证据有限,可能存在伪旗或共享工具

### 竞争假设分析(ACH)
一种结构化分析方法,针对多个竞争假设评估证据。每条证据针对每个假设被评分为一致、不一致或中性。不一致证据最少的假设为优先假设。

## 实践步骤

### 步骤 1:收集溯源证据

```python
from stix2 import MemoryStore, Filter
from collections import defaultdict

class AttributionAnalyzer:
    def __init__(self):
        self.evidence = []
        self.hypotheses = {}

    def add_evidence(self, category, description, value, confidence):
        self.evidence.append({
            "category": category,
            "description": description,
            "value": value,
            "confidence": confidence,
            "timestamp": None,
        })

    def add_hypothesis(self, actor_name, actor_id=""):
        self.hypotheses[actor_name] = {
            "actor_id": actor_id,
            "consistent_evidence": [],
            "inconsistent_evidence": [],
            "neutral_evidence": [],
            "score": 0,
        }

    def evaluate_evidence(self, evidence_idx, actor_name, assessment):
        """评估证据与假设的关系:一致/不一致/中性。"""
        if assessment == "consistent":
            self.hypotheses[actor_name]["consistent_evidence"].append(evidence_idx)
            self.hypotheses[actor_name]["score"] += self.evidence[evidence_idx]["confidence"]
        elif assessment == "inconsistent":
            self.hypotheses[actor_name]["inconsistent_evidence"].append(evidence_idx)
            self.hypotheses[actor_name]["score"] -= self.evidence[evidence_idx]["confidence"] * 2
        else:
            self.hypotheses[actor_name]["neutral_evidence"].append(evidence_idx)

    def rank_hypotheses(self):
        """按溯源分数对假设进行排序。"""
        ranked = sorted(
            self.hypotheses.items(),
            key=lambda x: x[1]["score"],
            reverse=True,
        )
        return [
            {
                "actor": name,
                "score": data["score"],
                "consistent": len(data["consistent_evidence"]),
                "inconsistent": len(data["inconsistent_evidence"]),
                "confidence": self._score_to_confidence(data["score"]),
            }
            for name, data in ranked
        ]

    def _score_to_confidence(self, score):
        if score >= 80:
            return "HIGH"
        elif score >= 40:
            return "MODERATE"
        else:
            return "LOW"
```

### 步骤 2:基础设施重叠分析

```python
def analyze_infrastructure_overlap(campaign_a_infra, campaign_b_infra):
    """比较两个攻击活动的基础设施以进行溯源。"""
    overlap = {
        "shared_ips": set(campaign_a_infra.get("ips", [])).intersection(
            campaign_b_infra.get("ips", [])
        ),
        "shared_domains": set(campaign_a_infra.get("domains", [])).intersection(
            campaign_b_infra.get("domains", [])
        ),
        "shared_asns": set(campaign_a_infra.get("asns", [])).intersection(
            campaign_b_infra.get("asns", [])
        ),
        "shared_registrars": set(campaign_a_infra.get("registrars", [])).intersection(
            campaign_b_infra.get("registrars", [])
        ),
    }

    overlap_score = 0
    if overlap["shared_ips"]:
        overlap_score += 30
    if overlap["shared_domains"]:
        overlap_score += 25
    if overlap["shared_asns"]:
        overlap_score += 15
    if overlap["shared_registrars"]:
        overlap_score += 10

    return {
        "overlap": {k: list(v) for k, v in overlap.items()},
        "overlap_score": overlap_score,
        "assessment": "STRONG" if overlap_score >= 40 else "MODERATE" if overlap_score >= 20 else "WEAK",
    }
```

### 步骤 3:跨攻击活动的 TTP 对比

```python
from attackcti import attack_client

def compare_campaign_ttps(campaign_techniques, known_actor_techniques):
    """将攻击活动 TTP 与已知威胁行为者画像进行对比。"""
    campaign_set = set(campaign_techniques)
    actor_set = set(known_actor_techniques)

    common = campaign_set.intersection(actor_set)
    unique_campaign = campaign_set - actor_set
    unique_actor = actor_set - campaign_set

    jaccard = len(common) / len(campaign_set.union(actor_set)) if campaign_set.union(actor_set) else 0

    return {
        "common_techniques": sorted(common),
        "common_count": len(common),
        "unique_to_campaign": sorted(unique_campaign),
        "unique_to_actor": sorted(unique_actor),
        "jaccard_similarity": round(jaccard, 3),
        "overlap_percentage": round(len(common) / len(campaign_set) * 100, 1) if campaign_set else 0,
    }
```

### 步骤 4:生成溯源归因报告

```python
def generate_attribution_report(analyzer):
    """生成结构化溯源归因评估报告。"""
    rankings = analyzer.rank_hypotheses()

    report = {
        "assessment_date": "2026-02-23",
        "total_evidence_items": len(analyzer.evidence),
        "hypotheses_evaluated": len(analyzer.hypotheses),
        "rankings": rankings,
        "primary_attribution": rankings[0] if rankings else None,
        "evidence_summary": [
            {
                "index": i,
                "category": e["category"],
                "description": e["description"],
                "confidence": e["confidence"],
            }
            for i, e in enumerate(analyzer.evidence)
        ],
    }

    return report
```

## 验收标准

- 证据收集涵盖全部六个溯源类别
- ACH 矩阵正确地针对竞争假设评估证据
- 基础设施重叠分析识别共享指标
- TTP 对比使用 ATT&CK 技术 ID 确保精准性
- 溯源置信度级别有充分依据
- 报告包含替代假设和伪旗考量

## 参考资料

- [Diamond Model of Intrusion Analysis](https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf)
- [MITRE ATT&CK Groups](https://attack.mitre.org/groups/)
- [Analysis of Competing Hypotheses](https://www.cia.gov/static/9a5f1162fd0932c29e985f0159f56c07/Tradecraft-Primer-apr09.pdf)
- [Threat Attribution Framework](https://www.mandiant.com/resources/reports)

Related Skills

executing-phishing-simulation-campaign

9
from killvxk/cybersecurity-skills-zh

执行授权的钓鱼模拟活动,评估组织对基于电子邮件的社会工程攻击的脆弱性。测试人员设计真实的钓鱼场景,构建凭据收集基础设施,发送定向钓鱼邮件,并追踪打开率、点击率和凭据提交率,以衡量人员安全意识水平。适用于钓鱼模拟、社会工程评估、电子邮件安全测试或安全意识测量等请求场景。

correlating-threat-campaigns

9
from killvxk/cybersecurity-skills-zh

关联不同时间和组织的安全事件、IOC 和对手行为,识别统一的威胁活动,将其归因于共同的威胁行为者,并提取共享指标以改善检测效果。适用于多起事件出现重叠指标、需要跨组织分析行业范围内攻击活动,或构建活动级别情报产品时。适用于涉及活动分析、事件聚类、跨组织 IOC 关联或 MISP 关联引擎的请求。

conducting-spearphishing-simulation-campaign

9
from killvxk/cybersecurity-skills-zh

鱼叉式钓鱼(Spearphishing)模拟是红队用于获取初始访问权限的定向社会工程学攻击向量。与广泛的钓鱼活动不同,鱼叉式钓鱼使用 OSINT 情报精心制作高度个性化的消息,针对特定个人。

collecting-volatile-evidence-from-compromised-host

9
from killvxk/cybersecurity-skills-zh

按照易失性顺序从受攻陷系统收集易失性取证证据,在数据丢失前保全内存、网络连接、进程和系统状态。

analyzing-windows-shellbag-artifacts

9
from killvxk/cybersecurity-skills-zh

分析 Windows ShellBag 注册表取证痕迹,使用 SBECmd 和 ShellBags Explorer 重建文件夹浏览活动,检测对可移动介质和网络共享的访问,并在删除后仍能确认用户与目录的交互行为。

analyzing-windows-registry-for-artifacts

9
from killvxk/cybersecurity-skills-zh

提取并分析 Windows 注册表配置单元,以发现用户活动、已安装软件、自启动条目及系统入侵证据。

analyzing-windows-prefetch-with-python

9
from killvxk/cybersecurity-skills-zh

使用 windowsprefetch Python 库解析 Windows Prefetch 文件,重建应用程序执行历史,检测重命名或伪装的二进制文件,并识别可疑的程序执行模式。

analyzing-windows-lnk-files-for-artifacts

9
from killvxk/cybersecurity-skills-zh

解析 Windows LNK 快捷方式文件,提取目标路径、时间戳、卷信息和机器标识符,用于取证时间线重建。

analyzing-windows-event-logs-in-splunk

9
from killvxk/cybersecurity-skills-zh

在 Splunk 中分析 Windows Security、System 和 Sysmon 事件日志,使用映射到 MITRE ATT&CK 技术的 SPL 查询检测身份验证攻击、权限提升(Privilege Escalation)、持久化(Persistence)机制和横向移动 (Lateral Movement)。适用于 SOC 分析师调查基于 Windows 的威胁、构建检测查询,或对 Windows 终端和域控制器执行取证时间线分析。

analyzing-windows-amcache-artifacts

9
from killvxk/cybersecurity-skills-zh

解析并分析 Windows Amcache.hve 注册表配置单元(Registry Hive),提取程序执行证据、文件元数据、 SHA-1 哈希及设备连接历史,用于数字取证(Digital Forensics)和事件响应(Incident Response)调查。

analyzing-web-server-logs-for-intrusion

9
from killvxk/cybersecurity-skills-zh

解析 Apache 和 Nginx 访问日志,检测 SQL 注入(SQL Injection)尝试、本地文件包含(Local File Inclusion)、 目录遍历(Directory Traversal)、Web 扫描器指纹及暴力破解(Brute Force)模式。 使用基于正则表达式的模式匹配对照 OWASP 攻击签名、GeoIP 富化进行来源溯源, 以及针对请求频率和响应大小异常值的统计异常检测。

analyzing-usb-device-connection-history

9
from killvxk/cybersecurity-skills-zh

从 Windows 注册表、事件日志和 setupapi 日志调查 USB 设备连接历史,以追踪可移动存储设备的使用情况和潜在的数据外泄行为。