GitHub: vuln/breakglass-intel
Threat intelligence repository from Breakglass Intelligence: detection rules, IOC indicators and STIX intelligence bundles drawn from 232 real investigations, helping security teams quickly deploy detection and response for the latest threats.
Stars: 3 | Forks: 0
# Breakglass Intelligence
Detection rules, IOCs and threat intelligence from [Breakglass Intelligence](https://intel.breakglass.tech) investigations.
## Statistics
| Category | Count |
|----------|-------|
| IPv4 addresses | 1,307 |
| Domains | 848 |
| URLs | 797 |
| SHA256 hashes | 1,033 |
| SHA1 hashes | 149 |
| MD5 hashes | 442 |
| YARA rules | 103 |
| Suricata rules | 55 |
| STIX bundles | 24 |
| KQL queries | 16 |
| Nuclei templates | 4 |
| Investigations | 233 |
## Structure
```
breakglass-intel/
├── yara/                        — 103 YARA detection rules
├── suricata/                    — 55 Suricata/Snort network rules
├── kql/                         — Microsoft Defender/Sentinel KQL queries
├── nuclei/                      — Nuclei scanner templates
├── iocs/
│   ├── all-ipv4.txt             — 1,253 IPv4 indicators
│   ├── all-domains.txt          — 1,717 domain indicators
│   ├── all-urls.txt             — 797 URL indicators (defanged)
│   ├── all-sha256.txt           — 1,031 SHA256 hashes
│   ├── all-sha1.txt             — 149 SHA1 hashes
│   ├── all-md5.txt              — 442 MD5 hashes
│   ├── all-file-indicators.json — Filenames, paths, registry keys, mutexes
│   ├── feed.json                — Machine-readable IOC feed index
│   └── by-investigation/        — 232 per-investigation IOC files
└── stix/                        — 24 STIX 2.1 intelligence bundles
```
## Featured Investigations
| Date | Investigation | Tags |
|------|---------------|------|
| 2026-04-01 | [SumUp Phishing Kit — Open Panel, Moroccan Operators](https://intel.breakglass.tech/post/sumup-phishing-kit-open-panel-moroccan-operators-7-deployments) | phishing, credential-harvesting |
| 2026-04-01 | [Trojanized Zelix KlassMaster — DoH C2 via Piracy](https://intel.breakglass.tech/post/trojanized-zelix-klassmaster-doh-c2-mcleaks-piracy-supply-chain) | supply-chain, java, dns-over-https |
| 2026-04-01 | [SERPENTINE Pivots to German Targets — Dual RAT, Custom Donut](https://intel.breakglass.tech/post/serpentine-cloud-german-wave-dual-rat-custom-donut-chaskey) | dcrat, xenorat, donut |
| 2026-04-01 | [Boeing RFQ / NKFZ5966 — Cobalt Strike](https://intel.breakglass.tech/post/boeing-rfq-nkfz5966-cobalt-strike-6-stage-filemail) | cobalt-strike, spear-phishing |
| 2026-04-01 | [LofyGang NYX Stealer — npm, Still Live](https://intel.breakglass.tech/post/lofygang-nyx-stealer-npm-supply-chain-still-live) | npm, supply-chain |
| 2026-04-01 | [InvisibleFerret — DPRK Lazarus-Kimsuky](https://intel.breakglass.tech/post/invisibleferret-contagious-interview-dprk-lazarus-kimsuky-crossover) | dprk, lazarus, kimsuky |
| 2026-04-01 | [ClearFake — 24 Domains, Zero Detection](https://intel.breakglass.tech/post/clearfake-aerovector-webdav-24-domains-zero-detection-payloads) | clearfake, webdav |
| 2026-04-01 | [GlassWorm — Solana Blockchain C2](https://intel.breakglass.tech/post/glassworm-wave3-solana-blockchain-c2-rotation-forensics) | solana, blockchain-c2 |
| 2026-04-01 | [SilverFox — 30 Samples, Phone Farm Front](https://intel.breakglass.tech/post/silverfox-valleyrat-scam-compound-lures-phone-farm-front-apr2026) | silverfox, valleyrat |
| 2026-04-01 | [SheetRAT — Pinggy Tunnel C2](https://intel.breakglass.tech/post/sheetrat-pinggy-tunnel-c2-32-plugin-rat-builder) | pinggy, tunnel-c2 |
| 2026-04-01 | [VENON — Rust Banking Trojan, 3 Fraud Engines](https://intel.breakglass.tech/post/venon-rust-brazilian-banker-screenshot-proof-overlays-pix-swap) | banking-trojan, rust |
| 2026-04-01 | [RatonRAT MaaS Unmasked](https://intel.breakglass.tech/post/ratonrat-maas-platform-silly-developer-unmasked) | maas, rat |
| 2026-04-01 | [PlugX — 2016 COM in a 2026 Build](https://intel.breakglass.tech/post/plugx-decade-reuse-2016-com-type-library-mustang-panda) | plugx, mustang-panda |
| 2026-03-31 | [Riptide — A 271,000-Connection Proxy Empire](https://intel.breakglass.tech/post/riptide-proxy-empire-pprof-exposure) | proxy, pprof |
| 2026-03-31 | [Mustang Panda Vietnam Targets — 6-Layer Shellcode](https://intel.breakglass.tech/post/mustang-panda-vietnam-corruption-scandal-6-layer-shellcode-injector) | mustang-panda, donut |
| 2026-03-31 | [HexReaper — GitHub Gist Dead Drop](https://intel.breakglass.tech/post/hexreaper-kortex-rat-github-gist-dead-drop-c2) | nodejs, github |
| 2026-03-31 | [Operation TeomSlive — 88 Pivots Traced from Lapsed Domains](https://intel.breakglass.tech/post/operation-teomslive-authoritative-dns-bypass-malware-gambling-fraud) | osint, dns |
[View all 232 investigations at intel.breakglass.tech](https://intel.breakglass.tech)
## Usage
### YARA
```
# <target> is the file or directory to scan
yara -r yara/breakglass-all.yar <target>
```
### Suricata
```
suricata -S suricata/breakglass-all.rules -r capture.pcap
```
### KQL (Microsoft Defender / Sentinel)
Import the queries in `kql/` into Advanced Hunting or Analytics rules.
### IOC Feed
A machine-readable feed is available at `iocs/feed.json`. Per-investigation IOCs are in `iocs/by-investigation/.json`.
```
import json, urllib.request

# Fetch the feed index and sum the per-type indicator counts
feed = json.loads(urllib.request.urlopen(
    "https://raw.githubusercontent.com/vuln/breakglass-intel/main/iocs/feed.json"
).read())
print(f"Total indicators: {sum(feed['total_indicators'].values())}")
```
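As an added example (not part of the repository), the flat IOC lists can be matched against proxy log URLs; it assumes one indicator per line with `#` comments and the common `hxxp://` and `[.]` defanging convention for `all-urls.txt`, and uses constructed sample data in place of the real files:

```python
import re
from urllib.parse import urlparse

# Constructed stand-ins for iocs/all-domains.txt and iocs/all-urls.txt (not repo data);
# assumes one indicator per line, '#' comments, and hxxp:// plus [.] defanging.
SAMPLE_DOMAINS = "# constructed sample\nevil-panel.example\nbad.example\n"
SAMPLE_URLS = ("hxxps://evil-panel[.]example/login.php\n"
               "hxxp://cdn[.]bad[.]example/payload.bin\n")
# Constructed proxy log lines: timestamp, client, method, URL, status.
SAMPLE_LOG = [
    "2026-04-01T10:00:01Z 10.0.0.5 GET https://evil-panel.example/login.php 200",
    "2026-04-01T10:00:02Z 10.0.0.7 GET https://www.example.org/ 200",
    "2026-04-01T10:00:03Z 10.0.0.9 GET http://cdn.bad.example/other.bin 404",
]

def refang(ioc: str) -> str:
    """Undo common defanging so indicators compare against live telemetry."""
    ioc = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")

def load_list(text: str) -> set:
    """Parse one indicator per line, skipping blanks and '#' comments."""
    return {refang(line).lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}

def match_url(url: str, urls: set, domains: set) -> list:
    """Return hits: exact URL match and/or the listed domain the host falls under."""
    u = url.strip().lower()
    hits = ["url"] if u in urls else []
    labels = (urlparse(u).hostname or "").split(".")
    # Walk from the full host up to its parents so subdomains of a listed domain match.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            hits.append("domain:" + candidate)
            break
    return hits

def scan_log(lines, urls_txt=SAMPLE_URLS, domains_txt=SAMPLE_DOMAINS) -> list:
    """Return (line, hits) for each log line whose URL field (4th column) hits an IOC."""
    urls, domains = load_list(urls_txt), load_list(domains_txt)
    results = []
    for line in lines:
        fields = line.split()
        hits = match_url(fields[3], urls, domains) if len(fields) > 3 else []
        if hits:
            results.append((line, hits))
    return results
```

Pass the real file contents as `urls_txt` and `domains_txt` to run it against the repository's lists.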
### STIX
Import the bundles in `stix/` into your TIP (MISP, OpenCTI, ThreatConnect, etc.).
## Citation
```
@misc{breakglass2026,
  author    = {Breakglass Intelligence},
  title     = {Breakglass Intelligence — Detection Rules and IOCs},
  year      = {2026},
  publisher = {GitHub},
  url       = {https://github.com/vuln/breakglass-intel}
}
```
## License
Detection rules: [MIT License](LICENSE). IOCs and STIX bundles: [TLP:WHITE](https://www.first.org/tlp/).
## Contact
- Website: [intel.breakglass.tech](https://intel.breakglass.tech)
- Twitter: [@BreakGlassIntel](https://x.com/BreakGlassIntel)
- Email: security@breakglass.tech