tracking-threat-actor-infrastructure

威胁行为者基础设施追踪涉及使用被动 DNS、证书透明度日志、Shodan/Censys 扫描、WHOIS 分析和网络指纹技术,对对手控制的 C2 服务器、钓鱼域名和暂存服务器等资产进行监控、映射和持续追踪

9 stars

Best use case

tracking-threat-actor-infrastructure is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

威胁行为者基础设施追踪涉及使用被动 DNS、证书透明度日志、Shodan/Censys 扫描、WHOIS 分析和网络指纹技术,对对手控制的 C2 服务器、钓鱼域名和暂存服务器等资产进行监控、映射和持续追踪

Teams using tracking-threat-actor-infrastructure should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/tracking-threat-actor-infrastructure/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/tracking-threat-actor-infrastructure/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/tracking-threat-actor-infrastructure/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How tracking-threat-actor-infrastructure Compares

Feature / Agenttracking-threat-actor-infrastructureStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

威胁行为者基础设施追踪涉及使用被动 DNS、证书透明度日志、Shodan/Censys 扫描、WHOIS 分析和网络指纹技术,对对手控制的 C2 服务器、钓鱼域名和暂存服务器等资产进行监控、映射和持续追踪

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 追踪威胁行为者基础设施

## 概述

威胁行为者基础设施追踪涉及监控和映射对手控制的资产,包括命令与控制(C2)服务器、钓鱼(Phishing)域名、漏洞利用工具包宿主、防弹托管(Bulletproof Hosting)和暂存服务器。本技能涵盖使用被动 DNS(Passive DNS)、证书透明度(Certificate Transparency)日志、Shodan/Censys 扫描、WHOIS 分析和网络指纹技术,随时间推移发现、追踪和跨威胁行为者基础设施进行关联分析。

## 前置条件

- Python 3.9+,安装 `shodan`、`censys`、`requests`、`stix2` 库
- API 密钥:Shodan、Censys、VirusTotal、SecurityTrails、PassiveTotal
- 理解 DNS、TLS/SSL 证书、IP 分配、ASN 结构
- 熟悉被动 DNS 和证书透明度概念
- 可访问域名注册(WHOIS)查询服务

## 核心概念

### 基础设施关联分析(Infrastructure Pivoting)
关联分析是利用一个已知指标发现相关基础设施的技术。从已知的 C2 IP 地址出发,分析师可通过以下方式进行关联:被动 DNS(发现域名)、反向 WHOIS(发现相关注册信息)、SSL 证书(发现共享证书)、SSH 密钥指纹、HTTP 响应指纹、JARM/JA3S 哈希,以及 WHOIS 注册人数据。

### 被动 DNS
被动 DNS 数据库记录在递归解析器处观测到的 DNS 查询/响应数据。这允许分析师查找历史域名到 IP 的映射、发现托管在已知 C2 IP 上的域名,以及识别快速流量(Fast-Flux)或域名生成算法(DGA)行为。

### 证书透明度
证书透明度(CT)日志公开记录 CA 机构签发的所有 SSL/TLS 证书。监控 CT 日志可以发现为可疑域名注册的新证书,有助于在 C2 基础设施激活前识别钓鱼站点。

### 网络指纹
- **JARM**:主动 TLS 服务器指纹(TLS 握手响应的哈希)
- **JA3S**:被动 TLS 服务器指纹(Server Hello 的哈希)
- **HTTP 头部**:服务器标识、自定义头部、响应模式
- **Favicon 哈希**:用于服务器识别的 HTTP favicon 哈希

## 实操步骤

### 步骤 1:Shodan 基础设施发现

```python
import shodan

api = shodan.Shodan("YOUR_SHODAN_API_KEY")

def discover_infrastructure(ip_address):
    """发现目标 IP 的服务和元数据。"""
    try:
        host = api.host(ip_address)
        return {
            "ip": host["ip_str"],
            "org": host.get("org", ""),
            "asn": host.get("asn", ""),
            "isp": host.get("isp", ""),
            "country": host.get("country_name", ""),
            "city": host.get("city", ""),
            "os": host.get("os"),
            "ports": host.get("ports", []),
            "vulns": host.get("vulns", []),
            "hostnames": host.get("hostnames", []),
            "domains": host.get("domains", []),
            "tags": host.get("tags", []),
            "services": [
                {
                    "port": svc.get("port"),
                    "transport": svc.get("transport"),
                    "product": svc.get("product", ""),
                    "version": svc.get("version", ""),
                    "ssl_cert": svc.get("ssl", {}).get("cert", {}).get("subject", {}),
                    "jarm": svc.get("ssl", {}).get("jarm", ""),
                }
                for svc in host.get("data", [])
            ],
        }
    except shodan.APIError as e:
        print(f"[-] Shodan 错误: {e}")
        return None

def search_c2_framework(framework_name):
    """搜索 Shodan 中已知 C2 框架的特征。"""
    c2_queries = {
        "cobalt-strike": 'product:"Cobalt Strike Beacon"',
        "metasploit": 'product:"Metasploit"',
        "covenant": 'http.html:"Covenant" http.title:"Covenant"',
        "sliver": 'ssl.cert.subject.cn:"multiplayer" ssl.cert.issuer.cn:"operators"',
        "havoc": 'http.html_hash:-1472705893',
    }

    query = c2_queries.get(framework_name.lower(), framework_name)
    results = api.search(query, limit=100)

    hosts = []
    for match in results.get("matches", []):
        hosts.append({
            "ip": match["ip_str"],
            "port": match["port"],
            "org": match.get("org", ""),
            "country": match.get("location", {}).get("country_name", ""),
            "asn": match.get("asn", ""),
            "timestamp": match.get("timestamp", ""),
        })

    return hosts
```

### 步骤 2:被动 DNS 关联分析

```python
import requests

def passive_dns_lookup(indicator, api_key, indicator_type="ip"):
    """通过 SecurityTrails 查询被动 DNS 记录。"""
    base_url = "https://api.securitytrails.com/v1"
    headers = {"APIKEY": api_key, "Accept": "application/json"}

    if indicator_type == "ip":
        url = f"{base_url}/search/list"
        payload = {
            "filter": {"ipv4": indicator}
        }
        resp = requests.post(url, json=payload, headers=headers, timeout=30)
    else:
        url = f"{base_url}/domain/{indicator}/subdomains"
        resp = requests.get(url, headers=headers, timeout=30)

    if resp.status_code == 200:
        return resp.json()
    return None


def query_passive_total(indicator, user, api_key):
    """通过 PassiveTotal 查询被动 DNS 和 WHOIS 数据。"""
    base_url = "https://api.passivetotal.org/v2"
    auth = (user, api_key)

    # 被动 DNS 查询
    pdns_resp = requests.get(
        f"{base_url}/dns/passive",
        params={"query": indicator},
        auth=auth,
        timeout=30,
    )

    # WHOIS 查询
    whois_resp = requests.get(
        f"{base_url}/whois",
        params={"query": indicator},
        auth=auth,
        timeout=30,
    )

    results = {}
    if pdns_resp.status_code == 200:
        results["passive_dns"] = pdns_resp.json().get("results", [])
    if whois_resp.status_code == 200:
        results["whois"] = whois_resp.json()

    return results
```

### 步骤 3:证书透明度监控

```python
import requests

def search_ct_logs(domain):
    """通过 crt.sh 搜索证书透明度日志。"""
    resp = requests.get(
        f"https://crt.sh/?q=%.{domain}&output=json",
        timeout=30,
    )

    if resp.status_code == 200:
        certs = resp.json()
        unique_domains = set()
        cert_info = []

        for cert in certs:
            name_value = cert.get("name_value", "")
            for name in name_value.split("\n"):
                unique_domains.add(name.strip())

            cert_info.append({
                "id": cert.get("id"),
                "issuer": cert.get("issuer_name", ""),
                "common_name": cert.get("common_name", ""),
                "name_value": name_value,
                "not_before": cert.get("not_before", ""),
                "not_after": cert.get("not_after", ""),
                "serial_number": cert.get("serial_number", ""),
            })

        return {
            "domain": domain,
            "total_certificates": len(certs),
            "unique_domains": sorted(unique_domains),
            "certificates": cert_info[:50],
        }
    return None


def monitor_new_certs(domains, interval_hours=1):
    """监控一组域名新签发的证书。"""
    from datetime import datetime, timedelta

    cutoff = (datetime.utcnow() - timedelta(hours=interval_hours)).isoformat()
    new_certs = []

    for domain in domains:
        result = search_ct_logs(domain)
        if result:
            for cert in result.get("certificates", []):
                if cert.get("not_before", "") > cutoff:
                    new_certs.append({
                        "domain": domain,
                        "cert": cert,
                    })

    return new_certs
```

### 步骤 4:基础设施关联与时间线

```python
from datetime import datetime

def build_infrastructure_timeline(indicators):
    """构建基础设施变化时间线。"""
    timeline = []

    for ind in indicators:
        if "passive_dns" in ind:
            for record in ind["passive_dns"]:
                timeline.append({
                    "timestamp": record.get("firstSeen", ""),
                    "event": "dns_resolution",
                    "source": record.get("resolve", ""),
                    "target": record.get("value", ""),
                    "record_type": record.get("recordType", ""),
                })

        if "certificates" in ind:
            for cert in ind["certificates"]:
                timeline.append({
                    "timestamp": cert.get("not_before", ""),
                    "event": "certificate_issued",
                    "domain": cert.get("common_name", ""),
                    "issuer": cert.get("issuer", ""),
                })

    timeline.sort(key=lambda x: x.get("timestamp", ""))
    return timeline
```

## 验证标准

- Shodan/Censys 查询返回目标 IP 的基础设施详情
- 被动 DNS 揭示历史域名-IP 映射关系
- 证书透明度搜索找到关联域名
- 基础设施关联分析发现新的相关指标
- 时间线显示基础设施随时间的演变
- 结果可导出为 STIX 2.1 基础设施对象

## 参考资料

- [Shodan API Documentation](https://developer.shodan.io/api)
- [Censys Search API](https://search.censys.io/api)
- [SecurityTrails API](https://securitytrails.com/corp/api)
- [crt.sh Certificate Transparency](https://crt.sh/)
- [PassiveTotal API](https://api.passivetotal.org/api/docs/)
- [JARM Fingerprinting](https://github.com/salesforce/jarm)

Related Skills

scanning-infrastructure-with-nessus

9
from killvxk/cybersecurity-skills-zh

Tenable Nessus 是业界领先的漏洞扫描器,用于识别网络基础设施(包括服务器、工作站、网络设备和操作系统)中的安全弱点。

profiling-threat-actor-groups

9
from killvxk/cybersecurity-skills-zh

通过聚合 TTP 文档、历史活动数据、工具指纹和来自多个情报源的归因指标,为 APT 组织、犯罪组织和黑客活动组织开发全面的威胁行为者画像。适用于就行业特定威胁向管理层汇报、更新威胁模型假设,或针对特定对手优先部署防御控制措施。当涉及 MITRE ATT&CK 组织、Mandiant APT 画像、CrowdStrike 对手命名或行业特定威胁简报时激活。

performing-threat-modeling-with-owasp-threat-dragon

9
from killvxk/cybersecurity-skills-zh

使用 OWASP Threat Dragon 创建数据流图,运用 STRIDE 和 LINDDUN 方法论识别威胁,并生成威胁模型报告用于安全设计审查。

performing-threat-landscape-assessment-for-sector

9
from killvxk/cybersecurity-skills-zh

通过分析威胁行为者定向攻击模式、常见攻击向量和行业特定漏洞,开展行业特定威胁态势评估,为组织风险管理提供决策依据

performing-threat-intelligence-sharing-with-misp

9
from killvxk/cybersecurity-skills-zh

使用 PyMISP 在 MISP 平台上创建、丰富和共享威胁情报事件,包括 IOC 管理、情报源集成、STIX 导出及社区共享工作流

performing-threat-hunting-with-yara-rules

9
from killvxk/cybersecurity-skills-zh

使用 YARA 模式匹配规则在文件系统和内存转储中狩猎恶意软件、可疑文件和入侵指标。 涵盖规则编写、yara-python 扫描以及与威胁情报源的集成。

performing-threat-hunting-with-elastic-siem

9
from killvxk/cybersecurity-skills-zh

使用 KQL/EQL 查询、检测规则和 Timeline 调查在 Elastic Security SIEM 中执行主动威胁狩猎, 识别绕过自动检测的威胁。适用于 SOC 团队针对特定 ATT&CK 技术进行狩猎、调查异常行为, 或使用 Elasticsearch 和 Kibana Security 验证检测覆盖缺口。

performing-threat-emulation-with-atomic-red-team

9
from killvxk/cybersecurity-skills-zh

使用 atomic-operator Python 框架执行 Atomic Red Team 测试,进行 MITRE ATT&CK 技术验证。 从 YAML 原子测试加载测试定义、运行攻击模拟并验证检测覆盖率。适用于测试 SIEM 检测规则、 验证 EDR 覆盖率或开展紫队演练。

performing-insider-threat-investigation

9
from killvxk/cybersecurity-skills-zh

调查内部威胁事件,涉及滥用授权访问权限窃取数据、破坏系统或违反安全策略的员工、承包商或受信任合作伙伴。 结合数字取证、用户行为分析以及 HR/法务协调,构建基于证据的案例。适用于内部威胁调查、 员工数据盗窃、权限滥用、用户行为异常或内部威胁检测等请求场景。

performing-dark-web-monitoring-for-threats

9
from killvxk/cybersecurity-skills-zh

暗网威胁监控涉及系统性扫描 Tor 隐藏服务、地下论坛、粘贴站点和暗网市场,以识别针对组织的威胁,包括泄露凭据、数据泄露、威胁行为者讨论、漏洞利用工具和预谋攻击。

investigating-insider-threat-indicators

9
from killvxk/cybersecurity-skills-zh

调查内部威胁(Insider Threat)指标,包括数据渗漏(Data Exfiltration)尝试、未授权访问模式、 策略违规和离职前行为,结合 SIEM 分析、DLP 告警和 HR 数据关联进行调查。 适用于 SOC 团队收到 HR 内部威胁转介、检测到员工异常数据移动, 或需要为潜在内部威胁建立调查时间线时。

implementing-threat-modeling-with-mitre-attack

9
from killvxk/cybersecurity-skills-zh

使用 MITRE ATT&CK 框架实施威胁建模,将对手 TTP 映射到组织资产, 评估检测覆盖缺口,并优化防御投资。 适用于 SOC 团队需要将检测工程与威胁态势对齐、对新环境开展威胁评估, 或为安全工具采购提供决策依据时。