skills/building-vulnerability-scanning-workflow/SKILL.md
Build a structured vulnerability scanning workflow with tools such as Nessus, Qualys and OpenVAS to discover, prioritize and track remediation of security vulnerabilities across the infrastructure. Intended for SOC teams that need to establish a recurring vulnerability assessment process, integrate scan results with SIEM alerting, and build remediation-tracking dashboards.
Use this skill when:

Not for penetration testing or active exploitation: vulnerability scanning identifies weaknesses, penetration testing verifies exploitability.

Create scan policies that cover every asset type:
Nessus scan configuration (API):

```python
import os

import requests

nessus_url = "https://nessus.company.com:8834"
# API keys are generated under Settings > My Account > API Keys in Nessus.
# Read them from the environment instead of embedding them in the script.
access_key = os.environ["NESSUS_ACCESS_KEY"]
secret_key = os.environ["NESSUS_SECRET_KEY"]
headers = {"X-ApiKeys": f"accessKey={access_key};secretKey={secret_key}"}

# Nessus ships with a self-signed certificate. verify=False is tolerable in a
# lab; in production pass the path of the scanner's CA bundle instead.
VERIFY_TLS = False

# Create the scan. "uuid" must be the UUID of a scan template as listed by
# GET /editor/scan/templates (the Advanced template here).
policy = {
    "uuid": "advanced",
    "settings": {
        "name": "SOC Weekly Infrastructure Scan",
        "description": "Weekly credentialed scan of all server and workstation segments",
        "scanner_id": 1,
        "policy_id": 0,
        "text_targets": "10.0.0.0/16, 172.16.0.0/12",
        # Schedule: every Saturday at 02:00, first run 2024-03-15
        "launch": "WEEKLY",
        "starttime": "20240315T020000",
        "rrules": "FREQ=WEEKLY;INTERVAL=1;BYDAY=SA",
        "enabled": True,
    },
    # Credentialed scanning with a dedicated, least-privilege service account.
    # The account needs local admin / read access for checks, not domain admin.
    "credentials": {
        "add": {
            "Host": {
                "Windows": [{
                    "domain": "company.local",
                    "username": "nessus_svc",
                    "password": os.environ["NESSUS_WINDOWS_PASSWORD"],
                    "auth_method": "Password",
                }],
                "SSH": [{
                    "username": "nessus_svc",
                    # Nessus references the key by the file name returned when it
                    # is uploaded with POST /file/upload, not by a local path.
                    "private_key": "nessus_key",
                    "auth_method": "public key",
                }],
            }
        }
    },
}
response = requests.post(f"{nessus_url}/scans", headers=headers, json=policy, verify=VERIFY_TLS)
response.raise_for_status()
scan_id = response.json()["scan"]["id"]
print(f"Scan created: ID {scan_id}")
```
Qualys VMDR scan (API):

```python
import os

import qualysapi

conn = qualysapi.connect(
    hostname="qualysapi.qualys.com",
    username="api_user",
    password=os.environ["QUALYS_API_PASSWORD"],
)

# Launch a vulnerability scan of the internal range using a named option
# profile (scan configuration) and an internal scanner appliance.
params = {
    "action": "launch",
    "scan_title": "Weekly_Infrastructure_Scan",
    "ip": "10.0.0.0/16",
    "option_id": "123456",  # option profile (scan configuration) ID
    "iscanner_name": "Internal_Scanner_01",
    "priority": "0",
}
# The VM API answers with XML; the scan reference is in the ITEM_LIST element.
response = conn.request("/api/2.0/fo/scan/", params)
print(f"Scan launched: {response}")
```
Download the results and apply risk-based prioritization:

```python
import csv
import time

import requests

# Nessus exports are asynchronous: request the export, poll the status
# endpoint until the file is ready, then download it.
export = requests.post(
    f"{nessus_url}/scans/{scan_id}/export",
    headers=headers,
    json={"format": "csv"},
    verify=False,  # self-signed scanner cert; pin its CA bundle in production
)
export.raise_for_status()
file_id = export.json()["file"]
while True:
    status = requests.get(
        f"{nessus_url}/scans/{scan_id}/export/{file_id}/status",
        headers=headers, verify=False,
    ).json()["status"]
    if status == "ready":
        break
    time.sleep(5)
response = requests.get(
    f"{nessus_url}/scans/{scan_id}/export/{file_id}/download",
    headers=headers, verify=False,
)
response.raise_for_status()

# Asset criticality comes from the asset inventory / CMDB; the table and the
# multipliers below are placeholders for that lookup.
ASSET_CRITICALITY = {}  # e.g. {"10.0.1.5": "mission-critical"}
CRITICALITY_MULTIPLIER = {
    "mission-critical": 1.5, "business-critical": 1.25, "standard": 1.0, "dev": 0.75,
}

def get_asset_criticality(host):
    return ASSET_CRITICALITY.get(host, "standard")

def asset_criticality_multiplier(criticality):
    return CRITICALITY_MULTIPLIER.get(criticality, 1.0)

# Parse and prioritize (cisa_kev_list is built in the KEV check below)
vulns = []
reader = csv.DictReader(response.text.splitlines())
for row in reader:
    # Informational plugins leave the score empty; treat that as 0
    cvss = float(row.get("CVSS v3.0 Base Score") or 0)
    cve = row.get("CVE") or "N/A"
    asset_criticality = get_asset_criticality(row["Host"])
    # Risk-based score: CVSS weighted by asset criticality ...
    risk_score = cvss * asset_criticality_multiplier(asset_criticality)
    # ... and raised when the CVE is actively exploited (listed in CISA KEV)
    in_kev = cve in cisa_kev_list
    if in_kev:
        risk_score *= 1.5
    vulns.append({
        "host": row["Host"],
        "plugin_name": row["Name"],
        "severity": row["Risk"],
        "cvss": cvss,
        "cve": cve,
        "risk_score": round(risk_score, 1),
        "asset_criticality": asset_criticality,
        "kev": in_kev,
    })

# Sort by risk score, highest first
vulns.sort(key=lambda x: x["risk_score"], reverse=True)
```
CISA KEV (Known Exploited Vulnerabilities) check:

```python
import requests

# Fetch the current KEV catalog. CISA updates it several times a week; cache
# the file and refresh it daily rather than downloading it on every run.
kev_response = requests.get(
    "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
    timeout=30,
)
kev_response.raise_for_status()
kev_data = kev_response.json()
cisa_kev_list = {v["cveID"] for v in kev_data["vulnerabilities"]}
# CISA's own remediation deadline (BOD 22-01) per CVE, useful as an external
# reference when setting internal SLAs
kev_due_dates = {v["cveID"]: v["dueDate"] for v in kev_data["vulnerabilities"]}

# Check whether a vulnerability is actively exploited
def is_actively_exploited(cve_id):
    return cve_id in cisa_kev_list
```
Apply SLA-based remediation timelines:

| Priority | CVSS range | Asset type | SLA | Examples |
|----------|------------|------------|-----|----------|
| P1 Critical | 9.0-10.0 and in KEV | All assets | 24 hours | Log4Shell, EternalBlue on production servers |
| P2 High | 7.0-8.9, or 9.0+ not in KEV | Business-critical | 7 days | RCE with no known exploitation |
| P3 Medium | 4.0-6.9 | Business-critical | 30 days | Authenticated privilege escalation |
| P4 Low | 0.1-3.9 | Standard | 90 days | Information disclosure, low-impact DoS |
| P5 Informational | 0.0 | Dev | Next cycle | Best-practice findings, configuration hardening |
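The tiering in this table, as an added Python example (not code from the original skill): it maps a finding's CVSS score, KEV status and asset criticality onto P1 to P5, derives the due date from the SLA column, and tallies SLA compliance the way the dashboard's SLA panel does. The `Finding` class, the one-tier bump for mission-critical assets (the table does not state it; it mirrors the asset multiplier in the risk score) and the sample findings are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Remediation SLA in days per priority tier, taken from the table above.
SLA_DAYS = {"P1": 1, "P2": 7, "P3": 30, "P4": 90, "P5": None}


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    kev: bool            # listed in the CISA KEV catalog
    criticality: str     # mission-critical | business-critical | standard | dev
    first_detected: datetime


def base_priority(cvss: float, kev: bool) -> str:
    """Tier from CVSS and KEV status alone, following the table."""
    if cvss >= 9.0 and kev:
        return "P1"
    if cvss >= 7.0:      # 7.0-8.9, or 9.0+ without known exploitation
        return "P2"
    if cvss >= 4.0:
        return "P3"
    if cvss > 0.0:
        return "P4"
    return "P5"


def priority_for(f: Finding) -> str:
    tier = base_priority(f.cvss, f.kev)
    # Assumed refinement (not in the table): a finding on a mission-critical
    # asset is raised one tier, like the asset multiplier in the risk score.
    if f.criticality == "mission-critical" and tier not in ("P1", "P5"):
        tier = f"P{int(tier[1]) - 1}"
    return tier


def due_date(f: Finding):
    """Deadline derived from first detection plus the tier's SLA; None for P5."""
    days = SLA_DAYS[priority_for(f)]
    return None if days is None else f.first_detected + timedelta(days=days)


def sla_status(f: Finding, now: datetime) -> str:
    due = due_date(f)
    if due is None:
        return "next cycle"
    return "overdue" if now > due else "within SLA"


def sla_report(findings, now):
    """Count findings per (priority, SLA status), like the SLA compliance panel."""
    counts = {}
    for f in findings:
        key = (priority_for(f), sla_status(f, now))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample findings, not real scan output. The CVEs are the ones
# from the weekly report below; the scores, KEV flags and hosts are made up.
UTC = timezone.utc
SAMPLE = [
    Finding("10.0.1.5", "CVE-2024-3400", 10.0, True, "standard", datetime(2024, 3, 10, tzinfo=UTC)),
    Finding("10.0.2.9", "CVE-2024-21762", 9.8, False, "business-critical", datetime(2024, 3, 12, tzinfo=UTC)),
    Finding("10.0.4.2", "N/A", 5.3, False, "mission-critical", datetime(2024, 3, 1, tzinfo=UTC)),
    Finding("10.0.9.1", "N/A", 0.0, False, "dev", datetime(2024, 3, 14, tzinfo=UTC)),
]
NOW = datetime(2024, 3, 16, 2, 0, tzinfo=UTC)

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.host, f.cve, priority_for(f), due_date(f), sla_status(f, NOW))
    print(sla_report(SAMPLE, NOW))
```

Run against the sample set as of 2024-03-16 02:00 UTC, the P1 finding (due one day after detection) and the bumped mission-critical finding are overdue, the P2 finding is inside its seven-day window, and the informational finding rolls to the next cycle.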
Correlate vulnerability scan data with SIEM alerts to detect active exploitation. IDS events do not carry a `cve_id` field out of the box; populate it at ingest from the rule's `reference:cve,...` metadata (Snort/Suricata) or through a signature-to-CVE lookup. `join` runs the IDS search as a subsearch, which is subject to subsearch result limits; on a high-volume IDS index, narrow the time range or replace the join with a `stats` over a combined search.

```spl
index=vulnerability sourcetype="nessus:scan"
| eval vuln_key = Host . ":" . CVE
| join type=left vuln_key [
    search index=ids_ips (sourcetype="snort" OR sourcetype="suricata") cve_id=*
    | eval vuln_key = dest_ip . ":" . cve_id
    | stats count AS exploit_attempts, latest(_time) AS last_exploit_attempt BY vuln_key
  ]
| where isnotnull(exploit_attempts)
| eval risk = "Critical: vulnerability under active exploitation"
| sort - exploit_attempts
| table Host, CVE, plugin_name, cvss_score, exploit_attempts, last_exploit_attempt, risk
```
Alert when a KEV vulnerability is detected on a critical asset:

```spl
index=vulnerability sourcetype="nessus:scan" severity="Critical"
| lookup cisa_kev_lookup.csv cve_id AS CVE OUTPUT kev_status, due_date
| where kev_status="active"
| lookup asset_criticality_lookup.csv ip AS Host OUTPUT criticality
| where criticality IN ("business-critical", "mission-critical")
| table Host, CVE, plugin_name, cvss_score, kev_status, due_date, criticality
```
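The two searches above expressed in Python so the join logic can be checked offline, as an added example that is not part of the original skill: `correlate_exploit_attempts` does the host:CVE left join with the sourcetype filter and per-key `stats`, and `kev_on_critical_assets` applies the KEV and asset-criticality lookups. The records stand in for the `vulnerability` and `ids_ips` indexes; the CVEs and plugin names come from the weekly report below, while the hosts, alert timestamps, sourcetypes and criticality assignments are constructed for this example.

```python
# Constructed sample records standing in for the two Splunk indexes.
# _time is Unix epoch seconds, as in Splunk.
SCAN_FINDINGS = [
    {"Host": "10.0.1.5", "CVE": "CVE-2024-3400", "plugin_name": "Palo Alto PAN-OS RCE",
     "cvss_score": 10.0, "severity": "Critical"},
    {"Host": "10.0.2.9", "CVE": "CVE-2024-21762", "plugin_name": "FortiOS RCE",
     "cvss_score": 9.8, "severity": "Critical"},
    {"Host": "10.0.4.2", "CVE": "CVE-2024-1709", "plugin_name": "ConnectWise RCE",
     "cvss_score": 10.0, "severity": "Critical"},
]
IDS_ALERTS = [
    {"_time": 1710550000, "sourcetype": "suricata", "dest_ip": "10.0.1.5", "cve_id": "CVE-2024-3400"},
    {"_time": 1710553600, "sourcetype": "suricata", "dest_ip": "10.0.1.5", "cve_id": "CVE-2024-3400"},
    {"_time": 1710557200, "sourcetype": "snort", "dest_ip": "10.0.1.5", "cve_id": "CVE-2024-3400"},
    {"_time": 1710540000, "sourcetype": "snort", "dest_ip": "10.0.2.9", "cve_id": "CVE-2024-21762"},
    # Attempt against a host the scan did not find vulnerable to that CVE: no match
    {"_time": 1710541000, "sourcetype": "snort", "dest_ip": "10.0.2.9", "cve_id": "CVE-2024-3400"},
    # Wrong sourcetype: dropped by the (snort OR suricata) filter
    {"_time": 1710542000, "sourcetype": "zeek", "dest_ip": "10.0.4.2", "cve_id": "CVE-2024-1709"},
]
# Stand-ins for cisa_kev_lookup.csv and asset_criticality_lookup.csv
CISA_KEV = {"CVE-2024-3400", "CVE-2024-21762", "CVE-2024-1709"}
ASSET_CRITICALITY = {"10.0.1.5": "mission-critical", "10.0.2.9": "standard",
                     "10.0.4.2": "business-critical"}


def correlate_exploit_attempts(findings, alerts):
    """Left-join findings with IDS alerts on host:CVE; keep rows that matched."""
    stats = {}
    for a in alerts:
        if a["sourcetype"] not in ("snort", "suricata"):
            continue
        key = f"{a['dest_ip']}:{a['cve_id']}"
        s = stats.setdefault(key, {"exploit_attempts": 0, "last_exploit_attempt": 0})
        s["exploit_attempts"] += 1
        s["last_exploit_attempt"] = max(s["last_exploit_attempt"], a["_time"])
    rows = []
    for f in findings:
        s = stats.get(f"{f['Host']}:{f['CVE']}")
        if s is None:           # isnotnull(exploit_attempts)
            continue
        rows.append({**f, **s, "risk": "Critical: vulnerability under active exploitation"})
    return sorted(rows, key=lambda r: r["exploit_attempts"], reverse=True)


def kev_on_critical_assets(findings, kev, criticality):
    """Critical-severity findings that are in KEV and sit on critical assets."""
    return [
        {**f, "criticality": criticality[f["Host"]]}
        for f in findings
        if f["severity"] == "Critical"
        and f["CVE"] in kev
        and criticality.get(f["Host"]) in ("business-critical", "mission-critical")
    ]


if __name__ == "__main__":
    for r in correlate_exploit_attempts(SCAN_FINDINGS, IDS_ALERTS):
        print(r["Host"], r["CVE"], r["exploit_attempts"], r["last_exploit_attempt"])
    for r in kev_on_critical_assets(SCAN_FINDINGS, CISA_KEV, ASSET_CRITICALITY):
        print(r["Host"], r["CVE"], r["criticality"])
```

On the sample data the correlation returns two rows (three attempts against 10.0.1.5, one against 10.0.2.9) and silently drops both the mismatched CVE and the non-IDS sourcetype, which is the behaviour to confirm before trusting the Splunk version.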
Splunk vulnerability metrics dashboard:

Open vulnerabilities by severity:

```spl
index=vulnerability sourcetype="nessus:scan" status="open"
| stats count by severity
| eval order = case(severity="Critical", 1, severity="High", 2, severity="Medium", 3,
    severity="Low", 4, 1=1, 5)
| sort order
```

SLA compliance tracking (`first_detected` must be an epoch value; if the scanner add-on stores it as a string, convert it with `strptime()` first):

```spl
index=vulnerability sourcetype="nessus:scan" status="open"
| eval sla_days = case(
    severity="Critical", 1,
    severity="High", 7,
    severity="Medium", 30,
    severity="Low", 90
  )
| eval days_open = round((now() - first_detected) / 86400)
| eval sla_status = if(days_open > sla_days, "overdue", "within SLA")
| stats count by severity, sla_status
```

90-day remediation trend:

```spl
index=vulnerability sourcetype="nessus:scan"
| eval is_open = if(status="open", 1, 0)
| eval is_closed = if(status="fixed", 1, 0)
| timechart span=1w sum(is_open) AS opened, sum(is_closed) AS remediated
```
Automatically create tickets for high-priority findings:

```python
import os

import requests

servicenow_url = "https://company.service-now.com/api/now/table/incident"
headers = {
    "Content-Type": "application/json",
    "Accept": "application/json",
    "Authorization": f"Bearer {os.environ['SNOW_TOKEN']}",
}

for vuln in vulns:
    if vuln["risk_score"] < 8.0:
        continue
    # Weekly scans re-report findings that are still open, so key each ticket
    # on host:CVE via correlation_id and skip creation while one is active.
    corr_id = f"{vuln['host']}:{vuln['cve']}"
    existing = requests.get(
        servicenow_url,
        headers=headers,
        params={"sysparm_query": f"correlation_id={corr_id}^active=true",
                "sysparm_limit": 1, "sysparm_fields": "number"},
    ).json()["result"]
    if existing:
        print(f"Ticket already open: {existing[0]['number']}")
        continue
    ticket = {
        "short_description": f"[VULN] {vuln['cve']} - {vuln['plugin_name']} on {vuln['host']}",
        "description": (
            f"Vulnerability: {vuln['plugin_name']}\n"
            f"CVE: {vuln['cve']}\n"
            f"CVSS: {vuln['cvss']}\n"
            f"Host: {vuln['host']}\n"
            f"Asset criticality: {vuln['asset_criticality']}\n"
            f"CISA KEV: {'yes' if vuln['kev'] else 'no'}\n"
            f"Risk score: {vuln['risk_score']}\n"
            f"Remediation SLA: {'24 hours' if vuln['kev'] else '7 days'}"
        ),
        "urgency": "1" if vuln["kev"] else "2",
        "impact": "1" if vuln["asset_criticality"] in ("mission-critical", "business-critical") else "2",
        "assignment_group": "IT Infrastructure",
        "category": "Vulnerability",
        "correlation_id": corr_id,
    }
    response = requests.post(servicenow_url, headers=headers, json=ticket)
    response.raise_for_status()
    print(f"Ticket created: {response.json()['result']['number']}")
```
| Term | Definition |
|------|------------|
| CVSS | Common Vulnerability Scoring System: standardized severity rating of a vulnerability (0-10) |
| CISA KEV | Known Exploited Vulnerabilities catalog: CISA-maintained list of vulnerabilities with confirmed active exploitation |
| Credentialed Scan | Vulnerability scan performed with authenticated access; detects far more than an unauthenticated network scan |
| Asset Criticality | Business-impact classification (mission-critical, business-critical, standard) used to set remediation priority |
| Remediation SLA | Service-level agreement defining the maximum time allowed to patch a vulnerability, by severity |
| EPSS | Exploit Prediction Scoring System: machine-learning probability that a vulnerability will be exploited |
```text
Vulnerability Scan Report - Weekly Summary
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Scan date:    2024-03-16 02:00 UTC
Scan scope:   10.0.0.0/16 (1,247 hosts scanned)
Duration:     4 hours 23 minutes
Coverage:     98.7% (16 hosts unreachable)

Findings:
Severity        Count    New    CISA KEV
Critical           23      5           3
High              187     34          12
Medium            892     78           0
Low             1,456    112           0
Informational   3,891    201           0

Top priority (P1 - 24-hour SLA):
CVE-2024-21762  FortiOS RCE            3 hosts   KEV: yes
CVE-2024-1709   ConnectWise RCE        1 host    KEV: yes
CVE-2024-3400   Palo Alto PAN-OS RCE   2 hosts   KEV: yes

SLA compliance:
Critical: 82% within SLA (4 overdue)
High:     91% within SLA (17 overdue)
Medium:   88% within SLA (107 overdue)

Tickets created: 39 (ServiceNow)
```