Mycelium-W3RKZ/SOLAR-CTI

GitHub: Mycelium-W3RKZ/SOLAR-CTI

一个由独立安全研究员基于 Ghidra 逆向与多沙箱交叉验证方法论产出的网络威胁情报仓库，提供包含 YARA 规则、Sigma 规则、IOC 表和 ATT&CK 映射的深度恶意软件分析报告。

Stars: 0 | Forks: 0

# 🍄 SOLAR-CTI

``` ███████╗ ██████╗ ██╗ █████╗ ██████╗ ██████╗████████╗██╗ ██╔════╝██╔═══██╗██║ ██╔══██╗██╔══██╗ ██╔════╝╚══██╔══╝██║ ███████╗██║ ██║██║ ███████║██████╔╝ ██║ ██║ ██║ ╚════██║██║ ██║██║ ██╔══██║██╔══██╗ ██║ ██║ ██║ ███████║╚██████╔╝███████╗██║ ██║██║ ██║ ╚██████╗ ██║ ██║ ╚══════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ``` **JAWz_TheSolarPoweredBard 的网络威胁情报** *菌丝猎手在 NET 中。* [![TLP](https://img.shields.io/badge/TLP-WHITE-white?style=flat-square)](https://www.cisa.gov/tlp) [![报告](https://img.shields.io/badge/Reports-Active-brightgreen?style=flat-square&logo=github)](https://github.com/JAWzTheSolarPoweredBard/SOLAR-CTI) [![MITRE ATT&CK](https://img.shields.io/badge/MITRE-ATT%26CK%20Mapped-red?style=flat-square)](https://attack.mitre.org) [![YARA](https://img.shields.io/badge/YARA-Rules%20Included-blueviolet?style=flat-square)](https://virustotal.github.io/yara/) [![Sigma](https://img.shields.io/badge/Sigma-Detection%20Rules-blue?style=flat-square)](https://github.com/SigmaHQ/sigma) [![方法论](https://img.shields.io/badge/Methodology-Cloud%20Native-orange?style=flat-square)]()

## 🕵️ 菌丝猎手是谁 ``` "In the dark forest of the NET, the hunter doesn't wait for the prey to announce itself. You read the ground. You read the spores. You follow the mycelium until you find the fruiting body — and then you document every thread before you ever write a line." ``` 我是 **Joshua Alexander Wright** —— 一名独立安全研究员、恶意软件分析师，以及使用 **JAWz_TheSolarPoweredBard** 代号的 CTI 作者。这个仓库是我的公开威胁情报实验室。这里的每份报告都是真实分析会话的输出：打开 Ghidra，并行运行三个沙箱，用 Wireshark 分析 PCAP，研究笔记文档一行行充实起来。将菌丝径直追踪到它的根源。 ## 🌐 SOLAR-CTI 的使命 ``` WHO IS ATTACKING? ──► Adversary profiles. Named actors. Unknown clusters. WHAT DO THEY WANT? ──► Operational context. Motives. Targeting logic. Campaign scope. HOW DO THEY OPERATE? ──► TTPs. ATT&CK-mapped. Evidence-anchored. Per technique. WHAT DO WE LOOK FOR? ──► IOCs. YARA rules. Sigma detections. Actionable and deployable. ``` 每份报告生成的情报分类： | 分类 | 含义 | 所在位置 | |---|---|---| | **战术** | 攻击者的 TTPs —— 按技术映射 ATT&CK | 每份报告 | | **技术** | IOCs、YARA 规则、Sigma 规则 —— 可直接部署 | 每份报告 | | **运营** | 攻击者动机与活动背景 | Runner's Log | | **战略** | 威胁宏观态势框架 | Executive Summary | ## 🗂️ 报告索引 | # | 家族 | 分类 | 日期 | T-codes | YARA | Sigma | IOCs | |---|---|---|---|---|---|---|---| | R0 | **[Akira Ransomware](https://github.com/Mycelium-W3RKZ/SOLAR-CTI/blob/main/Akira/PUNK_SPIDER_SOLAR_CTI_v2-2026.md) ** | 双重勒索 / PUNK SPIDER (G1024) | 2024 年 11 月 | 18 | ✅ | ✅ | ✅ | | R1 | *即将推出 — Infostealer* | — | — | — | — | — | — | | R2 | *即将推出 — RAT* | — | — | — | — | — | — | | R3 | *即将推出 — Loader* | — | — | — | — | — | — | ## ⚗️ 方法论概述 ``` ╔══════════════════════════════════════════════════════════════════════════╗ ║ THE REMOTE-LITE ANALYSIS STACK ║ ╠══════════╦═══════════════════════════════════════════════════════════════╣ ║ SOURCE ║ MalwareBazaar · VirusShare · ThreatFox · URLhaus ║ ╠══════════╬═══════════════════════════════════════════════════════════════╣ ║ SANDBOX ║ ANY.RUN (interactive) · Hybrid Analysis · Tria.ge ║ ║ ║ Three independent environments. Cross-corroborated. ║ ╠══════════╬═══════════════════════════════════════════════════════════════╣ ║ INTEL ║ VirusTotal · ThreatFox · AbuseIPDB · Shodan · URLScan ║ ╠══════════╬═══════════════════════════════════════════════════════════════╣ ║ STATIC ║ Ghidra · FLOSS · PEStudio · PEview · PEBear · malapi.io ║ ╠══════════╬═══════════════════════════════════════════════════════════════╣ ║ NETWORK ║ Wireshark (PCAP analysis — downloaded from sandboxes) ║ ╠══════════╬═══════════════════════════════════════════════════════════════╣ ║ DETECT ║ YARA (binary) · Sigma (behavioral) · vSOCiety ║ ╠══════════╬═══════════════════════════════════════════════════════════════╣ ║ PUBLISH ║ GitHub ║ ╚══════════╩═══════════════════════════════════════════════════════════════╝ ``` **每份报告均遵循八阶段实战方法论：** ``` PHASE 0 Acquisition ── Hash-first. Source the sample safely. PHASE 1 Triage ── Multi-vendor baseline. Pre-analysis hypothesis. PHASE 2 Platform Harvest── Three sandboxes. Maximum behavioral telemetry. PHASE 3 Static Analysis── Ghidra + FLOSS + PE tools. Read the code. PHASE 4 Network Analysis── Wireshark against three PCAPs. Read the traffic. PHASE 5 Correlation ── Connect every thread. Static ↔ Dynamic. ATT&CK. PHASE 6 Report ── Write the intelligence. Not the log. PHASE 7 Delivery ── Publish. Distribute. Backlink. Detect. ``` ## 📦 交付物 **每份报告包含：** - ✅ **Executive Summary** —— 具体、哈希关联、有证据支撑 - ✅ **Technical Profile** —— 完整的样本元数据块 - ✅ **Static Analysis** —— Ghidra 函数注释、FLOSS 字符串恢复、PE 分析 - ✅ **Dynamic Analysis** —— 带有置信度的跨沙箱行为关联 - ✅ **Network Analysis** —— Wireshark PCAP 分析、C2 协议识别 - ✅ **Structured IOC Table** —— 所有类型（文件、网络、行为）、置信度级别、来源 - ✅ **ATT&CK Mapping** —— 包含子技术的 T-codes，每行附带具体证据 - ✅ **YARA Rule** —— 由已确认的指标构建，并针对样本进行过测试 - ✅ **Sigma Rule** —— 基于行为和注册表的检测 - ✅ **Recommendations** —— 关联到具体的 T-codes，非通用建议 - ✅ **Runner's Log** —— 菌丝猎手的叙述性情报条目 ## 🎮 Runner's Log 每份报告都以 Runner's Log 结尾，这是一个通过 **Mike Pondsmith 的 Cyberpunk Red** 宇宙中“网络行者 (Netrunner)”视角讲述的威胁情报叙事。 NET 是一个“[黑暗森林](https://en.wikipedia.org/wiki/Dark_forest_hypothesis#Game_theory)”。攻击者不过是其中的另一个居民。他们的代码，即影响力。“菌丝猎手”是为了构建**运营上下文**而开发的角色 —— 涵盖攻击者共情、活动框架，以及使技术数据变得可操作且令人难忘的人类情报与 intrigue。 “猎杀就是主动将每一条尚未验证的数字菌丝追溯到其子实体 —— 在这片森林转移前，记录下我发现的一切。” ## 🛡️ 致防御者本仓库中的所有内容均为 **TLP:WHITE** —— 可自由共享，可自由部署。 **使用 YARA 规则：** ``` yara [family].yar /path/to/scan/ ``` ## **使用 Sigma 规则：** 将 `.yml` 文件导入到您的 SIEM、EDR 或检测 pipeline 中。 Sigma 规则可以通过 [sigmac](https://github.com/SigmaHQ/sigma) 转换为任何平台的格式。 ## 🔬 操作者简介 ``` Handle: JAWz_TheSolarPoweredBard Entity: [WIP] Credential: HTB Certified Penetration Testing Specialist (CPTS) Cyber Threat Hunting - Coursera (Years of Curious Self Study) Training: ROPemporium · Ethernaut · Microcorruption · HackTheBox · (Any resource I can get my mitts on) CTF: NahamCon 2022 — Top 10% solo · HTB Cyber Apocalypse 2021 — Top 3% Research: [Offensive Writeups] · SOLAR-CTI Stack: JavaScript/Node · Ruby · Kotlin Native · x86/x64 ASM Languages: English (native) · Korean (conversational) · Spanish (conversational) · Japanese (conversational) · Dutch (Beginner) · Russian (Beginner) · Chinese (Beginner) · Arabic (Written Translation Experience) · Latin (Foundational Study) · Czech (Interested) · Portuguese (Interested)· (And a few more polyglotisms i've forgotten or buried for emergency-use) ``` **背景：** 我工作于攻击性安全、安全工程、监控和威胁情报的交汇处。拥有 CPTS 认证，具备二进制漏洞利用的实操经验（ROPemporium、Microcorruption、Nightmare），活跃于 Electron 和原生桌面漏洞研究，并且拥有涵盖勒索软件、信息窃取器、RAT 和高级持续性威胁行为者画像的已发布 CTI 实践。将攻击方方法论与防守方情报生产相结合是刻意为之。了解威胁行为者的思维方式、他们的逃避逻辑、他们的运营限制、他们的谈判心理，能让情报对抵御他们的防御者更有用。 ## 📡 寻找菌丝猎手

| 平台 | 链接 | |---|---| | 🍄 **SOLAR-CTI 博客** | [暂定于此](.) | | 💼 **LinkedIn** | [linkedin.com/in/joshua-wright-118900290](https://linkedin.com/in/joshua-wright-118900290) | | 📬 **研究联系** | solarpoweredbard@wearehackerone.com |

``` 🍄 The mycelium connects everything. Follow the threads. Stay patched Peepz. 🍄 ``` *SOLAR-CTI · JAWz_TheSolarPoweredBard* *TLP:WHITE — 所有报告均可自由共享*

标签：ATT&CK映射, DAST, DNS信息、DNS暴力破解, DNS 反向解析, Ghidra, IOC指标, IP 地址批量处理, OpenCanary, Sigma规则, YARA规则, 云资产清单, 信息窃取木马, 加载器, 勒索软件, 失陷标示, 威胁情报, 威胁报告, 安全检测规则, 安全研究员, 开发者工具, 恶意软件分析, 恶意软件沙箱, 擦除器, 数据包嗅探, 无线安全, 目标导入, 网络信息收集, 网络安全, 远控木马, 逆向工程, 速率限制处理, 隐私保护