fevra-dev/Lure

GitHub: fevra-dev/Lure

A browser-native phishing defense platform for SOC teams that covers the full phishing kill chain, from payload delivery to credential theft, through 49 real-time detectors in a Chrome MV3 extension and a Python email-analysis CLI.

Stars: 1 | Forks: 0

# LURE — Browser Phishing Defense Platform

A browser-native phishing defense platform built for SOC teams. The Chrome MV3 extension contains 49 real-time detection modules covering the full phishing kill chain, from payload delivery through credential theft to persistence, paired with a Python email-analysis CLI that produces verdicts from raw `.eml` files.

The extension ships with a Canvas-based live threat visualization dashboard (LURE UI) that displays the live detection packet stream, colour-coded by severity.

## Architecture

```mermaid
graph TB
  subgraph "Chrome Extension — 49 Detectors, 25 Waves"
    SW[Service Worker<br/>Message Router + Triage Engine] --> W1[Wave 1–3: Foundation<br/>OAuthGuard · DataEgress · ExtensionAuditor · AgentIntentGuard]
    SW --> W2[Wave 4–6: Interaction Layer<br/>AutofillGuard · ClipboardDefender · FullscreenGuard<br/>PasskeyGuard · QRLjackingGuard]
    SW --> W3[Wave 7–9: Social Engineering<br/>WebRTCGuard · ScreenShareGuard · PhishVision<br/>ProxyGuard · SyncGuard · FakeSender]
    SW --> W4[Wave 10–12: Evasion<br/>CTAPGuard · IPFSGuard · LLMScorer<br/>VNCGuard · PWAGuard · TPASentinel]
    SW --> W5[Wave 13–15: Exfil + Persistence<br/>DrainerGuard · StyleAuditor · WsExfilGuard<br/>SwGuard · EtherHidingGuard · NotificationGuard]
    SW --> W6[Wave 16–19: Next-Gen<br/>WebTransportGuard · CanvasPhishGuard<br/>CanvasKeystrokeGuard · CanvasExfilGuard<br/>SpeculationRulesGuard]
    SW --> W7[Wave 20–21: Anti-Fingerprinting + Payment<br/>StealthKit · ProbeGuard · PaymentRequestGuard]
    SW --> W8[Wave 22–23: File System + Threat Intel<br/>FileSystemGuard · ThreatIntelSync]
    SW --> W9[Wave 24–25: SPA + Deepfake Sentinel<br/>SPANavigationMonitor · WebRTCSyntheticTrack]
  end
  subgraph "Lure CLI — Email Analysis Pipeline"
    EML[.eml / .msg] --> PA[Stage A: Parser<br/>SPF · DKIM · DMARC · Routing]
    PA --> PB[Stage B: Extractor<br/>URLs · IPs · Domains · Hashes]
    PB --> PC[Stage C: YARA Scanner<br/>8 custom rules]
    PC --> PE[Stage E: Scorer<br/>11 weighted signals]
    PE --> V{Verdict}
  end
  subgraph "Intelligence Layer"
    SW --> TRI[Triage Engine<br/>NIST 800-61r3 · MITRE ATT&CK]
    SW --> INT[Intelligence Lifecycle<br/>35 PIRs · 31 Correlation Sets]
    SW --> TIS[ThreatIntelSync<br/>PhishStats API · phishnet.cc]
    SW --> TEL[Telemetry<br/>chrome.storage.local]
    TEL --> POP[LURE Dashboard<br/>Canvas Visualization]
    TEL -.->|Production| DCR[Azure Monitor DCR]
  end
```

## Detector Inventory

49 detectors across 25 implementation waves. Every detector uses additive signal scoring (0.50 raises an alert, 0.70 blocks, capped at 1.0).

| Wave | Detector | Threat | MITRE ATT&CK | Injection |
|------|----------|--------|--------------|-----------|
| 1 | OAuthGuard — Device Code Flow | Storm-2372 | T1528 | background |
| 1 | OAuthGuard — State Parameter Abuse | Storm-2372 | T1598.004 | background |
| 2 | DataEgressMonitor — Blob Credential | NOBELIUM / TA4557 | T1027.006 | programmatic |
| 3 | ExtensionAuditor — DNR Audit | QuickLens | T1195.002 | background |
| 3 | ExtensionAuditor — Ownership Drift | Cyberhaven-style | T1195.002 | background |
| 3 | ExtensionAuditor — C2 Polling | Multiple | T1071.001 | background |
| 3 | AgentIntentGuard — GAN Page + Guardrail Bypass | Agentic | T1056.003 | document_idle |
| 4 | AutofillGuard — Hidden Field Harvest | Kuosmanen-class | T1056.003 | document_idle |
| 4 | AutofillGuard — Extension Clickjack | Toth-class | T1056.003 | document_idle |
| 5 | ClipboardDefender — ClickFix Injection | FIN7 / Lazarus | T1059.001 | document_start |
| 5 | FullscreenGuard — BitM Overlay | BitM-class | T1185 | document_idle |
| 6 | PasskeyGuard — Credential Interception | Spensky DEF CON 33 | T1556.006 | document_start |
| 6 | QRLjackingGuard — Session Hijack | APT29 / TA2723 | T1539 | document_idle |
| 7 | WebRTCGuard — Virtual Camera | Scattered Spider | T1566.003 | document_start |
| 7 | ScreenShareGuard — TOAD Detection | MuddyWater / Luna Moth | T1113 | document_start |
| 8 | PhishVision — Brand Impersonation + Favicon Hash | Multiple | T1566.002 | document_idle |
| 8 | ProxyGuard — AiTM Proxy | Evilginx / Modlishka | T1557.003 | document_idle |
| 9 | SyncGuard — Browser Sync Hijack | Scattered Spider | T1078.004 | document_idle |
| 9 | FakeSender — Helpdesk Impersonation | Multiple | T1566.002 | document_idle |
| 10 | CTAPGuard — FIDO Downgrade | Tycoon 2FA | T1556.006 | document_idle |
| 10 | IPFSGuard — Gateway Phishing | Commodity | T1583.006 | document_idle |
| 11 | LLMScorer — AI-Generated Phishing | TA4557 / Scattered Spider | T1566.002 | document_idle |
| 11 | VNCGuard — EvilnoVNC AiTM | Storm-1811 / TA577 | T1557.003 | document_idle |
| 12 | PWAGuard — Progressive Web App Phishing | Czech/Hungarian campaigns | T1036.005 | document_idle |
| 12 | TPASentinel — Consent Phishing | Storm-0324 / APT29 | T1528 | document_idle |
| 13 | DrainerGuard — Crypto Wallet Drainer | Inferno / Angel / Pink | T1656 | document_idle |
| 13 | StyleAuditor — CSS Credential Exfil | Advanced kits | T1056.003 | document_idle |
| 14 | WsExfilGuard — WebSocket Credential Exfil | EvilProxy / Modlishka 2.0+ | T1056.003 | document_start |
| 14 | SwGuard — Service Worker Persistence | Watering-hole campaigns | T1176 | document_start |
| 15 | EtherHidingGuard — Blockchain Payload Delivery | ClearFake / ClickFix | T1059.007 | document_start |
| 15 | NotificationGuard — Push Notification Phishing | Multiple | T1204.001 | document_start |
| 16 | WebTransportGuard — WebTransport AiTM Relay | Advanced PhaaS kits | T1056.003 | document_start |
| 17 | CanvasPhishGuard — Canvas Credential Phishing | Advanced kits / Flutter Web | T1056.003 | document_idle |
| 18 | CanvasKeystrokeGuard — Canvas Keystroke Capture | Advanced kits / Flutter Web | T1056.003 | document_start (MAIN world) |
| 18 | CanvasExfilGuard — Canvas Credential Exfiltration | Advanced kits / Flutter Web | T1041 | document_start |
| 19 | SpeculationRulesGuard — Speculation Rules Phishing | XSS → Prerender abuse | T1598.003 | document_start |
| 20 | StealthKit — Anti-Fingerprinting Hardening | Detection evasion | — | document_start (MAIN world) |
| 20 | ProbeGuard — Security Tool Probing Detection | Tycoon 2FA / EvilProxy / CreepJS | T1518.001 | document_start (MAIN world) |
| 21 | PaymentRequestGuard — Payment API Phishing Signal | PII harvesting via browser-native UI | T1056.003 | document_start (MAIN world) |
| 22 | FileSystemGuard — File System Access API Abuse | RøB-style ransomware / PhaaS kits | T1552.001 | document_start (MAIN world) |
| 23 | ThreatIntelSync — Domain Reputation Check | Confirmed phishing infrastructure | T1566.002 | background (alarm-based) |
| 24 | SPANavigationMonitor — SPA Login Path Injection | XSS/Nav API pushState phishing | T1185 | background |
| 25 | WebRTCSyntheticTrackSentinel — Deepfake Track Injection | Scattered Spider / state actors | T1566.003 | document_start (MAIN world) |

## Signal Scoring Model

Every detector uses the same additive scoring framework:

- Each signal contributes a weight (0.10–0.40)
- Signals are summed, capped at 1.0
- **Severity**: >= 0.90 critical, >= 0.70 high, >= 0.50 medium
- **Response action**: >= 0.70 block (disable fields, inject a warning banner), >= 0.50 alert

Example from WebTransportGuard:

| Signal | Weight | Trigger condition |
|--------|--------|-------------------|
| `wt:transport_on_credential_page` | +0.40 | A WebTransport connection is established on a page containing credential fields |
| `wt:self_signed_cert_hashes` | +0.30 | The `serverCertificateHashes` option is used (self-signed certificate) |
| `wt:cross_origin_transport_with_creds` | +0.25 | The WebTransport target hostname differs from the page origin |
| `wt:credential_data_in_stream` | +0.20 | An input field's value is found in a stream/datagram write |
| `wt:transport_without_media_context` | +0.15 | WebTransport without any video/streaming-media UI |

## Intelligence Layer

Every detection event is enriched by three engines before it is persisted:

**Triage Engine** (`lib/triage.js`): NIST SP 800-61r3-aligned classification with MITRE ATT&CK mapping, SANS PICERL priority/SLA assignment, and recommended containment measures for each event type.

**Intelligence Lifecycle** (`lib/intelligence_lifecycle.js`): 35 priority intelligence requirements, confidence scoring, deduplication, 31 correlation sets for campaign grouping, and tactical intelligence summary generation.

**ThreatIntelSync** (`lib/threat_intel_sync.js`): periodically ingests the PhishStats API and the phishnet.cc feed.txt. Builds compact domain/IP/exfil-endpoint lookup sets, stores them in `chrome.storage.local['threatIntel']`, and refreshes them every 4 hours via `chrome.alarms`. All lookups are supplementary: if a feed is unreachable, core detection quality does not degrade.

## Quick Start

### Chrome Extension

```
git clone
cd lur3

# Load in Chrome or Brave:
# 1. Navigate to chrome://extensions (or brave://extensions)
# 2. Enable "Developer mode"
# 3. Click "Load unpacked" and select the extension/ directory
```

### Running the Tests

```
# Extension tests (Vitest): 1439 tests across 40 suites
cd extension && npm test

# Lure CLI tests (pytest)
cd lure && pip install -e ".[dev,yara]" && pytest -v
```

## LURE Dashboard

The popup renders a live Canvas visualization of all detection events. Packets travel along Bézier-curve thread paths, colour-coded by severity:

- **Olive** (`#8b9e73`): normal / low / medium-severity traffic
- **Bronze** (`#b59a6d`): high-severity detections
- **Red** (`#c25e5e`): critical detections, with a glow effect

Each threat packet carries a label showing the detector name and key details (e.g. `AiTM Proxy: evilginx.example.com`, `FS API Credential Exfil: .aws, .env`).

## Lure CLI

An email-analysis pipeline that produces triage verdicts from raw `.eml` files.

| Stage | Module | Function |
|-------|--------|----------|
| A | `parser.py` | Parses RFC 5322 / OLE .msg, validates SPF/DKIM/DMARC, walks the Received chain |
| B | `extractor.py` | Extracts URLs, IPs, domains, hashes, email addresses, crypto wallets |
| C | `scanner.py` | YARA scan with 8 custom rules |
| E | `scorer.py` | 11 weighted signals produce the triage verdict |

## Project Structure

```
lur3/
├── extension/                 # Chrome MV3 extension
│   ├── manifest.json          # v1.0.0, 47 detectors, alarms permission
│   ├── background/            # Service worker (Wave 1–25 message routing + ThreatIntelSync)
│   ├── content/               # 40 content scripts
│   ├── lib/                   # triage.js · intelligence_lifecycle.js · telemetry.js
│   │                          # stealth_kit.js · threat_intel_sync.js
│   ├── popup/                 # LURE canvas visualization dashboard
│   └── tests/                 # 40 Vitest test files, 1439 tests
│
├── lure/                      # Email analysis CLI
│   ├── lure/modules/          # parser, extractor, scanner, scorer
│   ├── rules/                 # YARA rule files
│   └── tests/                 # pytest tests
│
├── Research/                  # Threat research and detector design docs
├── Plans/                     # Architecture and implementation planning docs
├── CUTTING_EDGE_DETECTORS.md  # Next-gen detection candidates
├── RESEARCH_PROMPTS.md        # Structured research prompts
└── THREAT_INTELLIGENCE.md     # Detector → threat intel source mapping
```

## Threat Intelligence Sources

See [THREAT_INTELLIGENCE.md](THREAT_INTELLIGENCE.md) for the full mapping of each detector to its primary threat-intelligence sources.

See [CUTTING_EDGE_DETECTORS.md](CUTTING_EDGE_DETECTORS.md) for research on next-generation detector candidates.

## Not Included (By Design)

- **Azure Monitor DCR integration**: requires infrastructure. The telemetry schema is documented; a local-storage stub demonstrates the full flow.
- **Chrome Web Store publication**: sideloading is sufficient for review.
- **Populated favicon hash map**: `FAVICON_HASH_TO_BRAND` in PhishVision starts empty. The infrastructure is complete; hashes can be collected in production with the DevTools script in the source comments.
- **urlscan.io reactive enrichment**: a secondary integration (requires an API key). The architecture is designed; deferred by design constraints.
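The additive scoring model from the Signal Scoring Model section, carried through on the WebTransportGuard signal table, as an added example that is not code from the Lure repository. The weights and thresholds are the README's; the fired-signal sets are constructed, and the `'none'` label for scores below 0.50 is this example's own.

```javascript
// Added example, not Lure's own code: the README's additive signal
// scoring, fed with the WebTransportGuard table. Weights and thresholds
// are the README's; the fired-signal sets are constructed observations.

// Signal weights exactly as listed in the WebTransportGuard table.
const WT_SIGNALS = Object.freeze({
  'wt:transport_on_credential_page': 0.40,
  'wt:self_signed_cert_hashes': 0.30,
  'wt:cross_origin_transport_with_creds': 0.25,
  'wt:credential_data_in_stream': 0.20,
  'wt:transport_without_media_context': 0.15,
});

// Severity and response thresholds from the README, highest first.
const SEVERITY = [[0.90, 'critical'], [0.70, 'high'], [0.50, 'medium']];
const ACTION = [[0.70, 'block'], [0.50, 'alert']];

// Sum the weights of the fired signals (each counted once), cap at 1.0.
// Rounding to two decimals avoids float drift such as 0.40 + 0.30 !== 0.70.
function scoreSignals(fired, weights = WT_SIGNALS) {
  let total = 0;
  for (const name of new Set(fired)) {
    if (!(name in weights)) throw new Error(`unknown signal: ${name}`);
    total += weights[name];
  }
  return Math.min(1.0, Math.round(total * 100) / 100);
}

// The first threshold the score meets wins; 'none' is this example's
// label for scores the README assigns no severity or action (below 0.50).
function pick(score, table) {
  const hit = table.find(([min]) => score >= min);
  return hit ? hit[1] : 'none';
}

function evaluate(fired) {
  const score = scoreSignals(fired);
  return { score, severity: pick(score, SEVERITY), action: pick(score, ACTION) };
}

// Constructed observation: a login page opens a cross-origin WebTransport
// session pinned via serverCertificateHashes and writes a field value to it.
const verdict = evaluate([
  'wt:transport_on_credential_page',
  'wt:self_signed_cert_hashes',
  'wt:cross_origin_transport_with_creds',
  'wt:credential_data_in_stream',
]);
console.log(verdict); // score 1 (capped from 1.15), critical, block
```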
Tags: AI security, AI phishing detection, Canvas phishing, Chat Copilot, EML parsing, bulk IP address processing, MV3 extension, OAuth abuse protection, Python CLI, SOC teams, Web3 security, WebRTC security, WebSocket data exfiltration, enterprise security, credential theft protection, anti-phishing, threat visualization, threat intelligence, security engineering, security rule engine, real-time detection, developer tools, search dorks, data visualization, data leak prevention, kill chain analysis, browser fingerprinting, endpoint protection, cybersecurity, network asset management, custom scripts, identity security, reverse engineering tools, email analysis, phishing defense, defense suite, privacy protection, zero dependencies