ruzickap/malware-cryptominer-container

GitHub: ruzickap/malware-cryptominer-container

A container image preloaded with several malware samples and a crypto-mining program, built for testing the detection capability of security scanning tools.

Stars: 47 | Forks: 26

# Container image with malware and crypto miner for testing purposes

[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/malware-cryptominer-container)](https://artifacthub.io/packages/search?repo=malware-cryptominer-container) [![Container build](https://static.pigsec.cn/wp-content/uploads/repos/2026/03/9c5b229a2c124554.svg)](https://github.com/ruzickap/malware-cryptominer-container/actions/workflows/container-build.yml) ![Docker Image Size (latest semver)](https://img.shields.io/docker/image-size/peru/malware-cryptominer-container?logo=docker&logoColor=white&sort=semver) [![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/ruzickap/malware-cryptominer-container?logo=github&sort=semver)](https://github.com/ruzickap/malware-cryptominer-container/releases/latest) [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/ruzickap/malware-cryptominer-container/badge)](https://scorecard.dev/viewer/?uri=github.com/ruzickap/malware-cryptominer-container) [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/9865/badge)](https://www.bestpractices.dev/projects/9865) [![Open in GitHub Codespaces](https://static.pigsec.cn/wp-content/uploads/repos/2026/03/3e800e298c124554.svg)](https://codespaces.new/ruzickap/malware-cryptominer-container) ![ransomware](https://static.pigsec.cn/wp-content/uploads/repos/2026/03/6351da33fe124556.svg) ![malware](https://static.pigsec.cn/wp-content/uploads/repos/2026/03/deb1597d9c124557.svg) ![threat actor](https://static.pigsec.cn/wp-content/uploads/repos/2026/03/dc2c8a400d124558.svg)

- [Container image with malware and crypto miner for testing purposes](#container-image-with-malware-and-crypto-miner-for-testing-purposes)
  - [Deployment of the vulnerable image](#deployment-of-the-vulnerable-image)
    - [CloudFormation - EC2 instance](#cloudformation---ec2-instance)
    - [Amazon ECS](#amazon-ecs)
    - [Amazon EKS](#amazon-eks)
  - [Scanner tests](#scanner-tests)
  - [Verify image integrity](#verify-image-integrity)
  - [Local tests](#local-tests)

I decided to build a minimal [nginx](https://hub.docker.com/_/nginx) based [container image](https://quay.io/repository/petr_ruzicka/malware-cryptominer-container?tab=tags&tag=latest) which contains malware / ransomware / crypto miners / ... Security tools should be able to scan the image and find the harmful files.

- Container image:
  - [quay.io/petr_ruzicka/malware-cryptominer-container:3](https://quay.io/petr_ruzicka/malware-cryptominer-container:3)
- Container repository:
  -
- Container build pipeline:
  -
- Dockerfile used to build the container:
  -
- Malware files inside the container image were downloaded from:
  - [eicar](https://www.eicar.org/download-anti-malware-testfile/)
  - [xmrig](https://xmrig.com/)
  -
  -
  -

The malware / crypto-miner files are located in the `/usr/share/nginx/html` directory:

```text
/usr/share/nginx/html
├── eicar
│   ├── eicar.com [EICAR virus test files]
│   ├── eicar.com.txt [EICAR virus test files]
│   └── eicar_com.zip [Zip archive data, at least v1.0 to extract]
├── malware
│   ├── ILOVEYOU.vbs [C source, ASCII text]
│   ├── Invoke-ConPtyShell.ps1 [ASCII text, with very long lines (361)]
│   ├── L0Lz.bat [DOS batch file, ASCII text]
│   ├── Linux.Trojan.Multiverze.elf.x86 [ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, with debug_info, not stripped]
│   ├── MadMan.exe [MS-DOS executable, MZ for MS-DOS]
│   ├── Melissa.doc [Composite Document File V2 Document, Little Endian, Os: Windows, Version 4.10, Code page: 1252, Title: Password List for March 26th 1999, Subject: Adult Website Passwords, Author: John Holmes, Keywords: 73 sites in this list, Comments: Password List for March 26th 1999, Template: Normal.dot, Last Saved By: Him, Revision Number: 2, Name of Creating Application: Microsoft Word 8.0, Create Time/Date: Fri Mar 26 11:39:00 1999, Last Saved Time/Date: Fri Mar 26 11:39:00 1999, Number of Pages: 2, Number of Words: 745, Number of Characters: 4249, Security: 0]
│   ├── Py.Trojan.NecroBot.py [Python script, ASCII text executable, with very long lines (4330), with CRLF line terminators]
│   ├── Trojan.Java.Fractureiser.MTB.jar [Java archive data (JAR)]
│   ├── TrojanSpy.MacOS.XCSSET.A.bin [Mach-O 64-bit x86_64 executable, flags:]
│   ├── Txt.Malware.Sustes.sh [Bourne-Again shell script, ASCII text executable]
│   ├── Unix.Downloader.Rocke.sh [POSIX shell script, ASCII text executable]
│   ├── Unix.Malware.Kaiji.elf.arm [ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go, stripped]
│   ├── Unix.Trojan.Mirai.elf.m68k [ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped]
│   ├── Unix.Trojan.Mirai.elf.mips [ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped]
│   ├── Unix.Trojan.Mirai.elf.ppc [ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped]
│   ├── Unix.Trojan.Mirai.elf.sparc [ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, not stripped]
│   ├── Unix.Trojan.Mirai.elf.x86_64 [ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped]
│   ├── Unix.Trojan.Spike.elf.arm [ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.16, with debug_info, not stripped]
│   ├── Walker.com [DOS executable (COM), start instruction 0xe9cd04e8 5400e871]
│   ├── WannaCry.exe [PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections]
│   ├── Win.Trojan.Perl.perl [Perl script text executable]
│   └── Zloader.xlsm [Microsoft Excel 2007+]
└── xmrig
    ├── my-xmrig [ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped]
    ├── xmrig [ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped]
    └── xmrig-linux-static-x64.tar.gz [gzip compressed data, from Unix, original size modulo 2^32 8291840]
```

List of malware / ransomware / crypto-miner files:

- [eicar](https://secure.eicar.org/eicar.com) [EICAR virus test files]
  - [Virustotal](https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f)
- [xmrig](https://xmrig.com/) [ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped]
  - [Virustotal](https://www.virustotal.com/gui/file/0ad68d5804804c25a6f6f3d87cc3a3886583f69b7115ba01ab7c6dd96a186404)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/0ad68d5804804c25a6f6f3d87cc3a3886583f69b7115ba01ab7c6dd96a186404)
- [ILOVEYOU.vbs](https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Email-Worm/ILOVEYOU.vbs) [C source, ASCII text]
  - [Virustotal](https://www.virustotal.com/gui/file/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1)
- [Invoke-ConPtyShell.ps1](https://github.com/antonioCoco/ConPtyShell/blob/master/Invoke-ConPtyShell.ps1) [ASCII text, with very long lines (361)]
  - [Virustotal](https://www.virustotal.com/gui/file/90a17fd47fe1042cd86ae32fba8d9a5ccdef6162578d9c384fe534112700fb64)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/90a17fd47fe1042cd86ae32fba8d9a5ccdef6162578d9c384fe534112700fb64)
- [L0Lz.bat](https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/L0Lz.bat) [DOS batch file, ASCII text]
  - [Virustotal](https://www.virustotal.com/gui/file/fc94130b45112bdf7fe64713eb807f4958cdcdb758c25605ad9318cd5a8e17ae)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/fc94130b45112bdf7fe64713eb807f4958cdcdb758c25605ad9318cd5a8e17ae)
- [Linux.Trojan.Multiverze.elf.x86](https://archive.softwareheritage.org/browse/content/sha1_git:75b86678f1003978cbb3a67a81e6bea02e6ec892/) [ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), ...]
  - [Virustotal](https://www.virustotal.com/gui/file/0a5a7008fa1a17c8ee32ea4e2f7e25d7302f9dfc4201c16d793a1d03f95b9fa5)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/0a5a7008fa1a17c8ee32ea4e2f7e25d7302f9dfc4201c16d793a1d03f95b9fa5)
- [MadMan.exe](https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/Virus/MadMan.exe) [MS-DOS executable]
  - [Virustotal](https://www.virustotal.com/gui/file/17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23)
- [Melissa.doc](https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/Melissa.doc) [Composite Document File V2 Document, Little Endian, Os: Windows, Version 4.10, ...]
  - [Virustotal](https://www.virustotal.com/gui/file/554701bc874da646285689df79e5002b3b1a1f76daf705bea9586640026697ca)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/554701bc874da646285689df79e5002b3b1a1f76daf705bea9586640026697ca)
- [Py.Trojan.NecroBot.py](https://archive.softwareheritage.org/browse/content/sha1_git:d161dca43bbda88be030adc91943be3ade0ae35e/) [Python script, ASCII text executable, with very long lines (4330), with CRLF ...]
  - [Virustotal](https://www.virustotal.com/gui/file/0e600095a3c955310d27c08f98a012720caff698fe24303d7e0dcb4c5e766322)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/0e600095a3c955310d27c08f98a012720caff698fe24303d7e0dcb4c5e766322)
- [Trojan:Java/Fractureiser!MTB](https://github.com/HonbraDev/fractureiser-samples/raw/221bcc4bf45d5896f8908b21d5a8f3e7fcbc2875/stage-0-infected-DisplayEntityEditor-1.0.4.jar) [Java archive data (JAR)]
  - [Virustotal](https://www.virustotal.com/gui/file/d79874c1a0040cb29418343c766d2f6c69cf8fa5ecd0629cac7cc60d69c4f107)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/d79874c1a0040cb29418343c766d2f6c69cf8fa5ecd0629cac7cc60d69c4f107)
- [TrojanSpy.MacOS.XCSSET.A](https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.6614978ab256f922d7b6dbd7cc15c6136819f4bcfb5a0fead480561f0df54ca6) [Mach-O 64-bit x86_64 executable, flags:]
  - [Virustotal](https://www.virustotal.com/gui/file/6614978ab256f922d7b6dbd7cc15c6136819f4bcfb5a0fead480561f0df54ca6)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/6614978ab256f922d7b6dbd7cc15c6136819f4bcfb5a0fead480561f0df54ca6)
- [Txt.Malware.Sustes.sh](https://archive.softwareheritage.org/browse/content/sha1_git:b7f88a8e5cfeef85270448a62afee533ee2f5e6d/) [Bourne-Again shell script, ASCII text executable]
  - [Virustotal](https://www.virustotal.com/gui/file/0e77291955664d2c25d5bfe617cec12a388e5389f82dee5ae4fd5c5d1f1bdefe)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/0e77291955664d2c25d5bfe617cec12a388e5389f82dee5ae4fd5c5d1f1bdefe)
- [Unix.Downloader.Rocke.sh](https://archive.softwareheritage.org/browse/content/sha1_git:8c22d0fbf45f8ebd0993baa2f6c1bf58234afa08/) [POSIX shell script, ASCII text executable]
  - [Virustotal](https://www.virustotal.com/gui/file/228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97)
- [Unix.Malware.Kaiji.elf.arm](https://archive.softwareheritage.org/browse/content/sha1_git:331eab207649e8be186dc0bb0c618cb5cce91174/) [ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, ...]
  - [Virustotal](https://www.virustotal.com/gui/file/3e68118ad46b9eb64063b259fca5f6682c5c2cb18fd9a4e7d97969226b2e6fb4)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/3e68118ad46b9eb64063b259fca5f6682c5c2cb18fd9a4e7d97969226b2e6fb4)
- [Unix.Trojan.Mirai.elf.m68k](https://archive.softwareheritage.org/browse/content/sha1_git:10cea6f50ad8e8d19bbc4ddeeb74c893ce4bef28/) [ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), ...]
  - [Virustotal](https://www.virustotal.com/gui/file/11242cdb5dac9309a2f330bd0dad96efba9ccc9b9d46f2361e8bf8e4cde543c1)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/11242cdb5dac9309a2f330bd0dad96efba9ccc9b9d46f2361e8bf8e4cde543c1)
- [Unix.Trojan.Mirai.elf.mips](https://archive.softwareheritage.org/browse/content/sha1_git:e3c6d5adec8e9997ef4a37cb558ac6289fd12fa5/) [ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, ...]
  - [Virustotal](https://www.virustotal.com/gui/file/faa0deaba42ba76192609c5d2f59664e871c7bc68ebb5d99c91bf8ea4ddb8ea5)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/faa0deaba42ba76192609c5d2f59664e871c7bc68ebb5d99c91bf8ea4ddb8ea5)
- [Unix.Trojan.Mirai.elf.ppc](https://archive.softwareheritage.org/browse/content/sha1_git:3820d6c1b6dbc68b9acbf9ea161388cfff63f505/) [ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), ...]
  - [Virustotal](https://www.virustotal.com/gui/file/d5230c95c4af4e1fcddf9660070932b7876a9569dc3a2baedf762abbe37b1ad5)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/d5230c95c4af4e1fcddf9660070932b7876a9569dc3a2baedf762abbe37b1ad5)
- [Unix.Trojan.Mirai.elf.sparc](https://archive.softwareheritage.org/browse/content/sha1_git:7ad125819f6f4f2ab4b4a7678a9496615385a0e5/) [ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, ...]
  - [Virustotal](https://www.virustotal.com/gui/file/190333b93af51f9a3e3dc4186e4f1bdb4f92c05d3ce047fbe5c3670d1b5a87b4)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/190333b93af51f9a3e3dc4186e4f1bdb4f92c05d3ce047fbe5c3670d1b5a87b4)
- [Unix.Trojan.Mirai.elf.x86_64](https://archive.softwareheritage.org/browse/content/sha1_git:8609980b7e6bc4cffc0aad9de157bf952f775da2/) [ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, ...]
  - [Virustotal](https://www.virustotal.com/gui/file/40e8d9d82800728a5f1cfc2c2e156d5ee72fb44c54c26a86cfd35e95ea737e37)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/40e8d9d82800728a5f1cfc2c2e156d5ee72fb44c54c26a86cfd35e95ea737e37)
- [Unix.Trojan.Spike.elf.arm](https://archive.softwareheritage.org/browse/content/sha1_git:9aeb7ec7845b68d5d61750b0c39d737fffcb19d6/) [ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, ...]
  - [Virustotal](https://www.virustotal.com/gui/file/04d88a0f5ffa8da57cfd9b1ae6e4fd9758610a3de72688516b258b5564735476)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/04d88a0f5ffa8da57cfd9b1ae6e4fd9758610a3de72688516b258b5564735476)
- [Walker.com](https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/Walker.com) [DOS executable (COM)]
  - [Virustotal](https://www.virustotal.com/gui/file/b87b48dcbf779b06c6ca6491cd31328cf840578d29a6327b7a44f9043ce1eb07)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/b87b48dcbf779b06c6ca6491cd31328cf840578d29a6327b7a44f9043ce1eb07)
- [WannaCry.exe](https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/Ransomware/WannaCry.exe) [PE32 executable (GUI) Intel 80386, for MS Windows]
  - [Virustotal](https://www.virustotal.com/gui/file/be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844)
- [Win.Trojan.Perl.perl](https://archive.softwareheritage.org/browse/content/sha1_git:ad26ca5b748cecc18a686c5eba47b6a533be9f26/) [Perl script text executable]
  - [Virustotal](https://www.virustotal.com/gui/file/9aed7ab8806a90aa9fac070fbf788466c6da3d87deba92a25ac4dd1d63ce4c44)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/9aed7ab8806a90aa9fac070fbf788466c6da3d87deba92a25ac4dd1d63ce4c44)
- [Zloader.xlsm](https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Banking-Malware/Zloader.xlsm) [Microsoft Excel 2007+]
  - [Virustotal](https://www.virustotal.com/gui/file/90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c)
  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c)

## Deployment of the vulnerable image

There are several ways to run the "malware container image"; here are a few of them.

### CloudFormation - EC2 instance

Run an EC2 instance with SSM enabled (console access only) that runs the [quay.io/petr_ruzicka/malware-cryptominer-container](https://quay.io/repository/petr_ruzicka/malware-cryptominer-container?tab=tags) container:

```bash
export AWS_DEFAULT_REGION="eu-central-1"
aws cloudformation deploy --capabilities CAPABILITY_IAM \
  --stack-name "${USER}-malware-cryptominer-container-ec2" \
  --parameter-overrides "ContainerImage=quay.io/petr_ruzicka/malware-cryptominer-container:3" \
  --template-file EC2InstanceWithDockerSample.yaml \
  --tags "Name=${USER}-malware-cryptominer-container-ec2"

# aws cloudformation delete-stack --stack-name ${USER}-malware-cryptominer-container-ec2
```

### Amazon ECS

[Copilot](https://aws.amazon.com/blogs/containers/introducing-aws-copilot/) example:

```bash
export AWS_DEFAULT_REGION="eu-central-1"
copilot init --app "${USER}-malware-cryptominer-app" --name "${USER}-malware-cryptominer" \
  --image quay.io/petr_ruzicka/malware-cryptominer-container:3 \
  --type 'Load Balanced Web Service' --port 8080 --deploy

# copilot app delete --name "${USER}-malware-cryptominer-app"
```

### Amazon EKS

Run a simple [Amazon EKS](https://aws.amazon.com/eks/) cluster with the "malware pod":

```bash
export AWS_DEFAULT_REGION="eu-central-1"
export CLUSTER_NAME="${USER}-malware-cryptominer-eks"
export KUBECONFIG="/tmp/kubeconfig-${CLUSTER_NAME}.conf"
eksctl create cluster --name "${CLUSTER_NAME}" --instance-types t3a.small --kubeconfig "${KUBECONFIG}"
kubectl run malware-cryptominer --image=quay.io/petr_ruzicka/malware-cryptominer-container:3

# eksctl delete cluster --name "${CLUSTER_NAME}"
```

## Scanner tests

Details from tests with various scanners (Aqua, Trivy, Prisma Cloud, Wiz.io, Grype, Snyk) can be found in [Scanner tests](./docs/scanner-tests.md).

## Verify image integrity

```bash
CONTAINER_REGISTRY_IMAGE_NAME="quay.io/petr_ruzicka/malware-cryptominer-container"
CONTAINER_IMAGE_TAG="3"
CONTAINER_IMAGE_DIGEST=$(regctl image digest "${CONTAINER_REGISTRY_IMAGE_NAME}:${CONTAINER_IMAGE_TAG}")
CONTAINER_REGISTRY_IMAGE="${CONTAINER_REGISTRY_IMAGE_NAME}@${CONTAINER_IMAGE_DIGEST}"
COSIGN_CERTIFICATE_IDENTITY_REGEXP="https://github.com/ruzickap/malware-cryptominer-container/.github/workflows"
COSIGN_CERTIFICATE_OIDC_ISSUER="https://token.actions.githubusercontent.com"
COSIGN_ATTESTATION_TYPE="https://cyclonedx.org/bom"
CONTAINER_IMAGE_PLATFORMS="linux/amd64,linux/arm64"

# Verify that the manifest list is signed
cosign verify \
  --certificate-identity-regexp="${COSIGN_CERTIFICATE_IDENTITY_REGEXP}" \
  --certificate-oidc-issuer="${COSIGN_CERTIFICATE_OIDC_ISSUER}" \
  "${CONTAINER_REGISTRY_IMAGE}" | jq --color-output

# Verify that each platform image manifest is signed
while read -r MANIFEST_DIGESTS; do
  cosign verify \
    --certificate-identity-regexp="${COSIGN_CERTIFICATE_IDENTITY_REGEXP}" \
    --certificate-oidc-issuer="${COSIGN_CERTIFICATE_OIDC_ISSUER}" \
    "${CONTAINER_REGISTRY_IMAGE_NAME}@${MANIFEST_DIGESTS}" | jq --color-output
done <<< "$(regctl manifest get "${CONTAINER_REGISTRY_IMAGE}" --format '{{jsonPretty .}}' | jq -r '.manifests[].digest')"

# Verify the CycloneDX SBOM attestation (payload truncated for display)
cosign verify-attestation --type="${COSIGN_ATTESTATION_TYPE}" \
  --certificate-oidc-issuer="${COSIGN_CERTIFICATE_OIDC_ISSUER}" \
  --certificate-identity-regexp="${COSIGN_CERTIFICATE_IDENTITY_REGEXP}" \
  "${CONTAINER_REGISTRY_IMAGE}" | jq --color-output '.payload |= .[:2000] + "......"'

# Feed the attested SBOM to grype
cosign verify-attestation --type="${COSIGN_ATTESTATION_TYPE}" \
  --certificate-oidc-issuer="${COSIGN_CERTIFICATE_OIDC_ISSUER}" \
  --certificate-identity-regexp="${COSIGN_CERTIFICATE_IDENTITY_REGEXP}" \
  "${CONTAINER_REGISTRY_IMAGE}" | jq '.payload | @base64d | fromjson | .predicate' | grype

# Same per platform
for PLATFORM in ${CONTAINER_IMAGE_PLATFORMS//,/ }; do
  cosign download attestation --platform="${PLATFORM}" --predicate-type="${COSIGN_ATTESTATION_TYPE}" \
    "${CONTAINER_REGISTRY_IMAGE}" | jq -r .payload | base64 -d | jq .predicate | grype --add-cpes-if-none
done

# Verify the SLSA provenance attestation
cosign verify-attestation --type="slsaprovenance" \
  --certificate-oidc-issuer="${COSIGN_CERTIFICATE_OIDC_ISSUER}" \
  --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
  "${CONTAINER_REGISTRY_IMAGE}" | jq --color-output

slsa-verifier verify-image --print-provenance --source-uri "github.com/ruzickap/malware-cryptominer-container" \
  "${CONTAINER_REGISTRY_IMAGE}" | jq --color-output

cosign tree "${CONTAINER_REGISTRY_IMAGE}"
```

Note that `COSIGN_CERTIFICATE_IDENTITY_REGEXP` is not anchored, so `cosign verify` accepts a certificate issued to any workflow file on any ref of that repository. The `slsaprovenance` check anchors its regexp (`^...$`) to one workflow file and a release tag, which is the tighter form to copy if you need to pin the signer.

## Local tests

Container build:

```bash
docker build . -t malware-cryptominer-container
```

Run the container and download the malware files:

```bash
docker run -it --rm -p 8080:8080 malware-cryptominer-container
curl http://localhost:8080/eicar/
```

Debug the container:

```bash
docker run -it --rm --entrypoint=/bin/sh --user root malware-cryptominer-container
```

Run in Kubernetes:

```bash
kubectl run malware-cryptominer --image=quay.io/petr_ruzicka/malware-cryptominer-container:3
```
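As an added example (not part of the project), the local-test steps above can be tied back to the file list: hash each sample inside the image and compare it with the SHA256 behind the README's VirusTotal links, so you know the scanner under test was really shown the documented samples and not a truncated or substituted file. The script assumes `docker`, `/bin/sh` and `sha256sum` inside the image (the same assumptions as the debug command above) and carries only a subset of the README's hashes; the EICAR string is constructed in memory and never written to disk.

```bash
#!/usr/bin/env bash
# Added example, not part of the malware-cryptominer-container project:
# confirm that the sample files in the image are the ones the README documents
# by comparing their SHA256 with the values from the README's VirusTotal links.
set -eu

# Constructed EICAR test string (68 bytes, no trailing newline). It stays in
# memory; its SHA256 is the one behind the README's eicar VirusTotal link.
EICAR_STRING='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
EICAR_SHA256="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

# Subset of "path-under-/usr/share/nginx/html:sha256" pairs taken from the
# README's VirusTotal links; extend with the remaining hashes as needed.
SAMPLES="eicar/eicar.com:${EICAR_SHA256}
malware/WannaCry.exe:be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
malware/Zloader.xlsm:90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c
malware/Unix.Trojan.Mirai.elf.x86_64:40e8d9d82800728a5f1cfc2c2e156d5ee72fb44c54c26a86cfd35e95ea737e37"

# Hex SHA256 of stdin, using whichever hashing tool the host provides.
sha256_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 | cut -d' ' -f1
  else
    openssl dgst -sha256 | sed 's/^.*= //'
  fi
}

# SHA256 of the in-memory EICAR string; nothing is written to disk.
eicar_sha256() {
  printf '%s' "$EICAR_STRING" | sha256_stdin
}

# verify_sample FILE EXPECTED_SHA256: prints a verdict, returns 0 on match, 1 otherwise.
verify_sample() {
  file="$1"; expected="$2"
  actual=$(sha256_stdin < "$file")
  if [ "$actual" = "$expected" ]; then
    printf 'OK       %s\n' "$file"
    return 0
  fi
  printf 'MISMATCH %s (expected %s, got %s)\n' "$file" "$expected" "$actual"
  return 1
}

# verify_image_samples [IMAGE]: hash every listed sample *inside* the image
# (docker, /bin/sh and sha256sum in the image are assumed), so no malware is
# copied to the host. Returns 1 if any file is missing or differs from the
# README's hash; a missing file shows up as "<missing>".
verify_image_samples() {
  image="${1:-quay.io/petr_ruzicka/malware-cryptominer-container:3}"
  rc=0
  for entry in $SAMPLES; do
    path="${entry%%:*}"; expected="${entry#*:}"
    actual=$(docker run --rm --entrypoint=/bin/sh --user root "$image" \
      -c "sha256sum '/usr/share/nginx/html/${path}'" 2>/dev/null | cut -d' ' -f1) || actual=""
    if [ "$actual" = "$expected" ]; then
      printf 'OK       %s\n' "$path"
    else
      printf 'MISMATCH %s (expected %s, got %s)\n' "$path" "$expected" "${actual:-<missing>}"
      rc=1
    fi
  done
  return "$rc"
}

# Usage, e.g. after `docker build . -t malware-cryptominer-container`:
#   verify_image_samples malware-cryptominer-container
```

Running `verify_image_samples` before a scanner test gives a baseline: if a scanner then reports nothing for `malware/WannaCry.exe`, the miss is the scanner's, not a quirk of the build. Hashing inside the container also keeps the samples off the host filesystem, which matters when the host itself runs endpoint protection that would quarantine them mid-test.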