Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

killvxk/analyzing-network-covert-channels-in-malware

Name: analyzing-network-covert-channels-in-malware
Author: killvxk

skills/analyzing-network-covert-channels-in-malware/SKILL.md

npx skillsauth add killvxk/cybersecurity-skills-zh analyzing-network-covert-channels-in-malware

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

分析恶意软件中的网络隐蔽信道

概述

恶意软件使用隐蔽信道将 C2 通信和数据泄露伪装成看似合法的网络流量。DNS 隧道将数据编码在 DNS 查询和响应中（iodine、dnscat2 等工具和 FrameworkPOS 等恶意软件家族均使用此技术）。ICMP 隧道将数据隐藏在回显请求/响应载荷中（icmpsh、ptunnel）。HTTP 隐蔽信道将 C2 数据嵌入头部、Cookie 或隐写图像中。协议滥用利用允许的协议绕过防火墙。现代基于机器学习的方法对 DNS 隧道检测可达 99% 以上的召回率，但低吞吐量泄露仍然具有挑战性。Palo Alto Unit42 在 2024 年跟踪了三个主要的 DNS 隧道活动（TrkCdn、SecShow、Savvy Seahorse），显示了该技术的持续普遍性。

前置条件

Python 3.9+，安装 scapy、dpkt、dnslib
Wireshark/tshark，用于 PCAP 分析
Zeek（原 Bro），用于网络监控
DNS 查询日志基础设施
对 DNS、ICMP、HTTP 协议的数据包级理解

操作步骤

步骤 1：DNS 隧道检测

#!/usr/bin/env python3
"""检测网络流量中的 DNS 隧道和隐蔽信道。"""
import sys
import json
import math
from collections import Counter, defaultdict

try:
    from scapy.all import rdpcap, DNS, DNSQR, DNSRR, IP, ICMP
except ImportError:
    print("pip install scapy")
    sys.exit(1)


def entropy(data):
    if not data:
        return 0
    freq = Counter(data)
    length = len(data)
    return -sum((c/length) * math.log2(c/length) for c in freq.values())


def analyze_dns_tunneling(pcap_path):
    """检测 PCAP 中的 DNS 隧道指标。"""
    packets = rdpcap(pcap_path)
    domain_stats = defaultdict(lambda: {
        "queries": 0, "total_qname_len": 0, "subdomain_lengths": [],
        "query_types": Counter(), "unique_subdomains": set(),
    })

    for pkt in packets:
        if pkt.haslayer(DNS) and pkt.haslayer(DNSQR):
            qname = pkt[DNSQR].qname.decode('utf-8', errors='replace').rstrip('.')
            qtype = pkt[DNSQR].qtype

            parts = qname.split('.')
            if len(parts) >= 3:
                base_domain = '.'.join(parts[-2:])
                subdomain = '.'.join(parts[:-2])

                stats = domain_stats[base_domain]
                stats["queries"] += 1
                stats["total_qname_len"] += len(qname)
                stats["subdomain_lengths"].append(len(subdomain))
                stats["query_types"][qtype] += 1
                stats["unique_subdomains"].add(subdomain)

    # 对域名进行隧道指标评分
    suspicious = []
    for domain, stats in domain_stats.items():
        if stats["queries"] < 5:
            continue

        avg_subdomain_len = (sum(stats["subdomain_lengths"]) /
                             len(stats["subdomain_lengths"]))
        unique_ratio = len(stats["unique_subdomains"]) / stats["queries"]

        # 计算子域名熵
        all_subdomains = ''.join(stats["unique_subdomains"])
        sub_entropy = entropy(all_subdomains)

        score = 0
        reasons = []

        if avg_subdomain_len > 30:
            score += 30
            reasons.append(f"子域名过长（平均 {avg_subdomain_len:.0f} 字符）")
        if unique_ratio > 0.9:
            score += 25
            reasons.append(f"唯一性高（{unique_ratio:.2%}）")
        if sub_entropy > 4.0:
            score += 25
            reasons.append(f"熵值高（{sub_entropy:.2f}）")
        if stats["query_types"].get(16, 0) > 10:  # TXT 记录
            score += 20
            reasons.append(f"大量 TXT 查询（{stats['query_types'][16]} 次）")

        if score >= 50:
            suspicious.append({
                "domain": domain,
                "score": score,
                "queries": stats["queries"],
                "avg_subdomain_length": round(avg_subdomain_len, 1),
                "unique_subdomains": len(stats["unique_subdomains"]),
                "subdomain_entropy": round(sub_entropy, 2),
                "reasons": reasons,
            })

    return sorted(suspicious, key=lambda x: -x["score"])


def analyze_icmp_tunneling(pcap_path):
    """检测 PCAP 中的 ICMP 隧道。"""
    packets = rdpcap(pcap_path)
    icmp_stats = defaultdict(lambda: {"count": 0, "payload_sizes": [], "payloads": []})

    for pkt in packets:
        if pkt.haslayer(ICMP) and pkt.haslayer(IP):
            src = pkt[IP].src
            dst = pkt[IP].dst
            key = f"{src}->{dst}"

            payload = bytes(pkt[ICMP].payload)
            icmp_stats[key]["count"] += 1
            icmp_stats[key]["payload_sizes"].append(len(payload))
            if len(payload) > 64:
                icmp_stats[key]["payloads"].append(payload[:100])

    suspicious = []
    for flow, stats in icmp_stats.items():
        if stats["count"] < 5:
            continue
        avg_size = sum(stats["payload_sizes"]) / len(stats["payload_sizes"])
        if avg_size > 64 or stats["count"] > 100:
            suspicious.append({
                "flow": flow,
                "packets": stats["count"],
                "avg_payload_size": round(avg_size, 1),
                "reason": "大型/频繁的 ICMP 载荷表明存在隧道",
            })

    return suspicious


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"用法：{sys.argv[0]} <pcap_file>")
        sys.exit(1)

    print("[+] DNS 隧道分析")
    dns_results = analyze_dns_tunneling(sys.argv[1])
    for r in dns_results:
        print(f"  {r['domain']}（评分：{r['score']}）")
        for reason in r['reasons']:
            print(f"    - {reason}")

    print("\n[+] ICMP 隧道分析")
    icmp_results = analyze_icmp_tunneling(sys.argv[1])
    for r in icmp_results:
        print(f"  {r['flow']}：{r['reason']}")

验证标准

通过熵值、子域名长度和查询量分析检测 DNS 隧道
通过载荷大小异常识别 ICMP 隐蔽信道
区分隧道域名和合法的 CDN/云流量
从捕获的流量中估算数据泄露量
提取 C2 通信模式和信标间隔

参考资料

Palo Alto Unit42 - DNS 隧道活动
Elastic - 检测隐蔽数据泄露
Vectra AI - ICMP 隧道检测
MITRE ATT&CK T1071 - 应用层协议

killvxk/analyzing-network-covert-channels-in-malware

skills/analyzing-network-covert-channels-in-malware/SKILL.md

检测和分析恶意软件使用的隐蔽通信信道，包括 DNS 隧道、ICMP 数据泄露、HTTP 隐写术和协议滥用，用于 C2 通信和数据泄露。

9 stars

tools

Updated Apr 16, 2026

$ install --global

skillsauth

npx skillsauth add killvxk/cybersecurity-skills-zh analyzing-network-covert-channels-in-malware

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 16, 2026, 10:48 PM8.1s6 files scanned

SKILL.md

name:: analyzing-network-covert-channels-in-malware
description:: 检测和分析恶意软件使用的隐蔽通信信道，包括 DNS 隧道、ICMP 数据泄露、HTTP 隐写术和协议滥用，用于 C2 通信和数据泄露。
domain:: cybersecurity
subdomain:: malware-analysis
tags:: [covert-channels, dns-tunneling, icmp-exfiltration, malware-analysis, network-forensics, c2-detection, data-exfiltration]
version:: 1.0
author:: mahipal
license:: Apache-2.0

分析恶意软件中的网络隐蔽信道

概述

前置条件

Python 3.9+，安装 scapy、dpkt、dnslib
Wireshark/tshark，用于 PCAP 分析
Zeek（原 Bro），用于网络监控
DNS 查询日志基础设施
对 DNS、ICMP、HTTP 协议的数据包级理解

操作步骤

步骤 1：DNS 隧道检测

#!/usr/bin/env python3
"""检测网络流量中的 DNS 隧道和隐蔽信道。"""
import sys
import json
import math
from collections import Counter, defaultdict

try:
    from scapy.all import rdpcap, DNS, DNSQR, DNSRR, IP, ICMP
except ImportError:
    print("pip install scapy")
    sys.exit(1)


def entropy(data):
    if not data:
        return 0
    freq = Counter(data)
    length = len(data)
    return -sum((c/length) * math.log2(c/length) for c in freq.values())


def analyze_dns_tunneling(pcap_path):
    """检测 PCAP 中的 DNS 隧道指标。"""
    packets = rdpcap(pcap_path)
    domain_stats = defaultdict(lambda: {
        "queries": 0, "total_qname_len": 0, "subdomain_lengths": [],
        "query_types": Counter(), "unique_subdomains": set(),
    })

    for pkt in packets:
        if pkt.haslayer(DNS) and pkt.haslayer(DNSQR):
            qname = pkt[DNSQR].qname.decode('utf-8', errors='replace').rstrip('.')
            qtype = pkt[DNSQR].qtype

            parts = qname.split('.')
            if len(parts) >= 3:
                base_domain = '.'.join(parts[-2:])
                subdomain = '.'.join(parts[:-2])

                stats = domain_stats[base_domain]
                stats["queries"] += 1
                stats["total_qname_len"] += len(qname)
                stats["subdomain_lengths"].append(len(subdomain))
                stats["query_types"][qtype] += 1
                stats["unique_subdomains"].add(subdomain)

    # 对域名进行隧道指标评分
    suspicious = []
    for domain, stats in domain_stats.items():
        if stats["queries"] < 5:
            continue

        avg_subdomain_len = (sum(stats["subdomain_lengths"]) /
                             len(stats["subdomain_lengths"]))
        unique_ratio = len(stats["unique_subdomains"]) / stats["queries"]

        # 计算子域名熵
        all_subdomains = ''.join(stats["unique_subdomains"])
        sub_entropy = entropy(all_subdomains)

        score = 0
        reasons = []

        if avg_subdomain_len > 30:
            score += 30
            reasons.append(f"子域名过长（平均 {avg_subdomain_len:.0f} 字符）")
        if unique_ratio > 0.9:
            score += 25
            reasons.append(f"唯一性高（{unique_ratio:.2%}）")
        if sub_entropy > 4.0:
            score += 25
            reasons.append(f"熵值高（{sub_entropy:.2f}）")
        if stats["query_types"].get(16, 0) > 10:  # TXT 记录
            score += 20
            reasons.append(f"大量 TXT 查询（{stats['query_types'][16]} 次）")

        if score >= 50:
            suspicious.append({
                "domain": domain,
                "score": score,
                "queries": stats["queries"],
                "avg_subdomain_length": round(avg_subdomain_len, 1),
                "unique_subdomains": len(stats["unique_subdomains"]),
                "subdomain_entropy": round(sub_entropy, 2),
                "reasons": reasons,
            })

    return sorted(suspicious, key=lambda x: -x["score"])


def analyze_icmp_tunneling(pcap_path):
    """检测 PCAP 中的 ICMP 隧道。"""
    packets = rdpcap(pcap_path)
    icmp_stats = defaultdict(lambda: {"count": 0, "payload_sizes": [], "payloads": []})

    for pkt in packets:
        if pkt.haslayer(ICMP) and pkt.haslayer(IP):
            src = pkt[IP].src
            dst = pkt[IP].dst
            key = f"{src}->{dst}"

            payload = bytes(pkt[ICMP].payload)
            icmp_stats[key]["count"] += 1
            icmp_stats[key]["payload_sizes"].append(len(payload))
            if len(payload) > 64:
                icmp_stats[key]["payloads"].append(payload[:100])

    suspicious = []
    for flow, stats in icmp_stats.items():
        if stats["count"] < 5:
            continue
        avg_size = sum(stats["payload_sizes"]) / len(stats["payload_sizes"])
        if avg_size > 64 or stats["count"] > 100:
            suspicious.append({
                "flow": flow,
                "packets": stats["count"],
                "avg_payload_size": round(avg_size, 1),
                "reason": "大型/频繁的 ICMP 载荷表明存在隧道",
            })

    return suspicious


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"用法：{sys.argv[0]} <pcap_file>")
        sys.exit(1)

    print("[+] DNS 隧道分析")
    dns_results = analyze_dns_tunneling(sys.argv[1])
    for r in dns_results:
        print(f"  {r['domain']}（评分：{r['score']}）")
        for reason in r['reasons']:
            print(f"    - {reason}")

    print("\n[+] ICMP 隧道分析")
    icmp_results = analyze_icmp_tunneling(sys.argv[1])
    for r in icmp_results:
        print(f"  {r['flow']}：{r['reason']}")

验证标准

通过熵值、子域名长度和查询量分析检测 DNS 隧道
通过载荷大小异常识别 ICMP 隐蔽信道
区分隧道域名和合法的 CDN/云流量
从捕获的流量中估算数据泄露量
提取 C2 通信模式和信标间隔

参考资料

Palo Alto Unit42 - DNS 隧道活动
Elastic - 检测隐蔽数据泄露
Vectra AI - ICMP 隧道检测
MITRE ATT&CK T1071 - 应用层协议

Related Skills

killvxk/conducting-social-engineering-penetration-test

testing

VerifiedTrustedCommunity

设计并执行社会工程学渗透测试，包括钓鱼、语音钓鱼、短信钓鱼和物理借口活动，以衡量人员安全韧性并识别培训差距。

10SKILL.mdUpdated Apr 29, 2026

killvxk/conducting-social-engineering-penetration-test

killvxk/conducting-post-incident-lessons-learned

testing

VerifiedTrustedCommunity

主持结构化的事件后审查，以识别根本原因、记录有效和无效的措施，并提出可操作的改进建议以提升未来的事件响应能力。

10SKILL.mdUpdated Apr 29, 2026

killvxk/conducting-post-incident-lessons-learned

killvxk/conducting-phishing-incident-response

testing

VerifiedTrustedCommunity

通过分析举报的邮件、提取指标、评估凭据受攻陷情况、在全组织范围隔离恶意邮件并修复受影响账号来响应网络钓鱼事件。涵盖邮件头分析、URL/附件沙箱检测和邮箱范围清除操作。适用于网络钓鱼响应、邮件事件、凭据钓鱼、鱼叉式网络钓鱼调查或钓鱼修复相关请求。

10SKILL.mdUpdated Apr 29, 2026

killvxk/conducting-phishing-incident-response

killvxk/conducting-pass-the-ticket-attack

tools

VerifiedTrustedCommunity

票据传递（Pass-the-Ticket，PtT）是一种横向移动技术，使用窃取的 Kerberos 票据（TGT 或 TGS）在不知道用户密码的情况下向服务进行认证。通过从已控制的主机内存中提取 Kerberos 票据，攻击者可以将这些票据注入自己的会话以模拟票据所有者。

10SKILL.mdUpdated Apr 29, 2026

killvxk/conducting-pass-the-ticket-attack

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/killvxk/cybersecurity-skills-zh.git

# Copy into Claude Code skills folder (global)
cp -r cybersecurity-skills-zh/skills/analyzing-network-covert-channels-in-malware ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

killvxk/cybersecurity-skills-zh

9 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT