skills/analyzing-supply-chain-malware-artifacts/SKILL.md
Investigate supply chain attack artifacts, including trojanized software updates, compromised build pipelines and side-loaded dependencies, to identify the intrusion vector and the scope of compromise.

Install: `npx skillsauth add killvxk/cybersecurity-skills-zh analyzing-supply-chain-malware-artifacts` (works with Claude Code, Cursor, and Windsurf).
Supply chain attacks subvert legitimate software distribution channels and deliver malware through trusted update mechanisms. Representative cases include SolarWinds SUNBURST (2020, affecting more than 18,000 customers), 3CX SmoothOperator (2023, a cascading supply chain attack that originated at Trading Technologies) and numerous npm/PyPI package poisoning campaigns. Analysis involves comparing trojanized binaries against their legitimate versions, identifying injected code in build artifacts, checking for code-signing anomalies, and tracing the infection chain from initial compromise to payload delivery. As of 2025, supply chain attacks account for 30% of all breaches, a 100% increase over previous years.
Dependencies: pefile, ssdeep, hashlib

```python
#!/usr/bin/env python3
"""Compare a trojanized binary against its legitimate version."""
import hashlib
import json
import sys

import pefile


def section_map(pe):
    """Map section name -> raw size, entropy and characteristics flags."""
    return {
        s.Name.rstrip(b"\x00").decode(errors="replace"): {
            "size": s.SizeOfRawData,
            "entropy": s.get_entropy(),
            "characteristics": s.Characteristics,
        }
        for s in pe.sections
    }


def import_set(pe):
    """Collect 'dll!function' strings for every named import."""
    imports = set()
    if hasattr(pe, "DIRECTORY_ENTRY_IMPORT"):
        for entry in pe.DIRECTORY_ENTRY_IMPORT:
            for imp in entry.imports:
                if imp.name:
                    imports.add(f"{entry.dll.decode()}!{imp.name.decode()}")
    return imports


def compare_pe_files(legitimate_path, suspect_path):
    """Compare PE structure between the legitimate and the suspect version."""
    legit_pe = pefile.PE(legitimate_path)
    suspect_pe = pefile.PE(suspect_path)
    report = {"suspicious_sections": [], "import_changes": []}

    # Compare sections: look for sections that were added or changed size noticeably
    legit_sections = section_map(legit_pe)
    suspect_sections = section_map(suspect_pe)
    for name, props in suspect_sections.items():
        if name not in legit_sections:
            report["suspicious_sections"].append({
                "name": name, "reason": "合法版本中不存在的新节",
                "size": props["size"], "entropy": round(props["entropy"], 2),
            })
        elif abs(props["size"] - legit_sections[name]["size"]) > 1024:
            report["suspicious_sections"].append({
                "name": name, "reason": "节大小发生显著变化",
                "legit_size": legit_sections[name]["size"],
                "suspect_size": props["size"],
            })

    # Compare imports: APIs that only the suspect build imports hint at injected capability
    new_imports = import_set(suspect_pe) - import_set(legit_pe)
    if new_imports:
        report["import_changes"] = sorted(new_imports)

    # Check for an Authenticode signature (data directory index 4 = IMAGE_DIRECTORY_ENTRY_SECURITY).
    # A non-zero size only means a signature blob is present; it does not validate the signature.
    report["legit_signed"] = bool(legit_pe.OPTIONAL_HEADER.DATA_DIRECTORY[4].Size)
    report["suspect_signed"] = bool(suspect_pe.OPTIONAL_HEADER.DATA_DIRECTORY[4].Size)
    return report


def hash_file(filepath):
    """Compute several hashes of a file for indicator matching."""
    with open(filepath, "rb") as f:
        data = f.read()
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"用法:{sys.argv[0]} <legitimate_binary> <suspect_binary>")
        sys.exit(1)
    report = compare_pe_files(sys.argv[1], sys.argv[2])
    report["hashes"] = {"legitimate": hash_file(sys.argv[1]), "suspect": hash_file(sys.argv[2])}
    print(json.dumps(report, indent=2, ensure_ascii=False))
```
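An added example, not part of the original skill, that complements the section comparison above: the script only flags sections that are new or whose size changed by more than 1 KiB, so an in-place patch that preserves the section size goes unnoticed. This helper diffs two same-named sections block by block and reports each modified region with its entropy, so the analyst can jump straight to the injected bytes; it assumes you pass `section.get_data()` from pefile for both files, and the 1 KiB sample sections below are constructed.

```python
#!/usr/bin/env python3
"""Pinpoint modified byte ranges inside a section (constructed sample input)."""
import hashlib
import math
from collections import Counter
from typing import List


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8 suggest an encrypted or compressed payload."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def locate_patches(legit: bytes, suspect: bytes, block: int = 16, merge_gap: int = 64) -> List[dict]:
    """Diff two same-named sections block by block and describe each modified region.

    Offsets are relative to the section start; add section.PointerToRawData to get
    a file offset. Hits closer than merge_gap bytes are merged so one patched
    function shows up as a single region instead of many."""
    n = max(len(legit), len(suspect))
    regions: List[dict] = []
    for off in range(0, n, block):
        if legit[off:off + block] == suspect[off:off + block]:
            continue
        end = min(off + block, n)
        if regions and off - (regions[-1]["offset"] + regions[-1]["length"]) <= merge_gap:
            regions[-1]["length"] = end - regions[-1]["offset"]
        else:
            regions.append({"offset": off, "length": end - off})
    for r in regions:
        chunk = suspect[r["offset"]:r["offset"] + r["length"]]
        r["kind"] = ("appended" if r["offset"] >= len(legit)
                     else "truncated" if r["offset"] >= len(suspect) else "in-place")
        r["suspect_entropy"] = round(shannon_entropy(chunk), 2)
        r["sha256"] = hashlib.sha256(chunk).hexdigest()  # for sharing as an indicator
    return regions


# Constructed sample: a 1 KiB ".text" section and a copy with 20 bytes overwritten in place
LEGIT_TEXT = bytes(range(256)) * 4
_patched = bytearray(LEGIT_TEXT)
_patched[100:120] = b"\x90" * 20  # same size as before, so a size-only check misses it
SUSPECT_TEXT = bytes(_patched)

if __name__ == "__main__":
    for region in locate_patches(LEGIT_TEXT, SUSPECT_TEXT):
        print(region)
```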