Merge pull request #1319 from panther-labs/release

Prepare for `3.60.0`
panther-labs · Aug 6, 2024 · 100e543 · 100e543
2 parents bca7e1f + c885020
commit 100e543
Show file tree

Hide file tree

Showing 25 changed files with 384 additions and 94 deletions.
diff --git a/.github/workflows/check-packs.yml b/.github/workflows/check-packs.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           disable-sudo: true
           egress-policy: block

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -11,7 +11,7 @@ jobs:
     name: Build Dockerfile
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           disable-sudo: true
           egress-policy: block
@@ -31,7 +31,7 @@ jobs:
       - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 #v3.5.0
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db #v3.6.1
       - name: Build Image
         run: docker buildx build --load -f Dockerfile -t panther-analysis:latest .
       - name: Test Image

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           disable-sudo: true
           egress-policy: block

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -15,7 +15,7 @@ jobs:
     env:
       GITHUB_TOKEN: ${{ secrets.PANTHER_BOT_AUTOMATION_TOKEN }}
     steps:
-      - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           disable-sudo: true
           egress-policy: block

diff --git a/.github/workflows/upload.yml b/.github/workflows/upload.yml
@@ -14,7 +14,7 @@ jobs:
       API_HOST: ${{ secrets.API_HOST }}
       API_TOKEN: ${{ secrets.API_TOKEN }}
     steps:
-      - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           egress-policy: audit
       - name: Validate Secrets

diff --git a/.vscode/rule_jsonschema.json b/.vscode/rule_jsonschema.json
@@ -14,6 +14,9 @@
     "Enabled": {
       "$ref": "#/definitions/Enabled"
     },
+    "CreateAlert": {
+      "$ref": "#/definitions/CreateAlert"
+    },
     "Filename": {
       "$ref": "#/definitions/Filename"
     },
@@ -99,6 +102,11 @@
       "type": "boolean",
       "default": true
     },
+    "CreateAlert": {
+      "description": "Whether the correlation rule should create an alert or not (default: true)",
+      "type": "boolean",
+      "default": true
+    },
     "Filename": {
       "title": "Filename to the python file that acommpanies this detection.",
       "description": "Python file with the detection logic",

diff --git a/correlation_rules/aws_potentially_compromised_service_role.yml b/correlation_rules/aws_potentially_compromised_service_role.yml
diff --git a/correlation_rules/github_advanced_security_change_not_followed_by_repo_archived.yml b/correlation_rules/github_advanced_security_change_not_followed_by_repo_archived.yml
@@ -1,23 +1,24 @@
 AnalysisType: correlation_rule
 RuleID: "GitHub.Advanced.Security.Change.NOT.FOLLOWED.BY.Repo.Archived"
-DisplayName: "GitHub Advanced Security Change NOT FOLLOWED BY Repo Archived"
+DisplayName: "GitHub Advanced Security Change WITHOUT Repo Archived"
 Enabled: true
 Severity: Critical 
 Description: Identifies when advances security change was made not to archive a repo. Eliminates false positives in the Advances Security Change Rule when the repo is archived.
 Reference: https://docs.github.com/en/code-security/getting-started/auditing-security-alerts
 Detection:
-  - Sequence:
+  - Group:
       - ID: GHASChange
         RuleID: GitHub.Advanced.Security.Change
       - ID: RepoArchived
         RuleID: Github.Repo.Archived
         Absence: true
-    Transitions:
-      - ID: GHASChange NOT FOLLOWED BY RepoArchived
-        From: GHASChange
-        To: RepoArchived
-        Match:
-          - On: p_alert_context.repo
+    MatchCriteria: 
+      field_name:
+      - GroupID: GHASChange
+        Match: p_alert_context.repo
+      - GroupID: RepoArchived
+        Match: p_alert_context.repo
+    EventEvaluationOrder: Chronological
     LookbackWindowMinutes: 90
     Schedule:
       RateMinutes: 60
@@ -36,6 +37,19 @@ Tests:
             p_alert_context.repo:
               my-org/example-repo:
                 - "2024-06-01T10:00:01Z"
+    - Name: Repo Archived followed by GHAS change on same repo
+      ExpectedResult: false
+      RuleOutputs:
+        - ID: RepoArchived
+          Matches:
+            p_alert_context.repo:
+              my-org/example-repo:
+                - "2024-06-01T10:00:01Z"
+        - ID: GHASChange
+          Matches:
+            p_alert_context.repo:
+              my-org/example-repo:
+                - "2024-06-01T10:00:05Z"
     - Name: Security Change on Repo, Followed By Different Repo Archived
       ExpectedResult: true
       RuleOutputs:

diff --git a/queries/aws_queries/aws_potentially_compromised_service_role.yml b/queries/aws_queries/aws_potentially_compromised_service_role.yml
@@ -0,0 +1,14 @@
+AnalysisType: scheduled_rule
+RuleID: "AWS.Potentially.Stolen.Service.Role"
+DisplayName: "AWS Potentially Stolen Service Role"
+Enabled: true
+Tags:
+    - AWS
+Severity: High
+Reports:
+  MITRE ATT&CK:
+    - T1528 # Steal Application Access Token
+Description: A role was assumed by an AWS service, followed by a user within 24 hours.  This could indicate a stolen or compromised AWS service role.
+Filename: scheduled_rule_default.py
+ScheduledQueries:
+  - "AWS Potentially Stolen Service Role"
diff --git a/queries/aws_queries/aws_potentially_compromised_service_role_query.yml b/queries/aws_queries/aws_potentially_compromised_service_role_query.yml
@@ -0,0 +1,23 @@
+AnalysisType: scheduled_query
+Description: A role was assumed by an AWS service, followed by a user within 24 hours.  This could indicate a stolen or compromised AWS service role.
+Enabled: false
+Query: |
+  SELECT
+    requestParameters:roleArn AS role,
+    ARRAY_AGG(distinct userIdentity:principalId) AS users,
+    ARRAY_AGG(distinct userIdentity:type) AS types
+  FROM
+    panther_logs.public.aws_cloudtrail
+  WHERE
+    P_OCCURS_SINCE('1 day')
+    AND eventName = 'AssumeRole'
+    AND errorCode IS NULL
+  GROUP BY role
+  HAVING
+    ARRAY_SIZE(types) > 1
+    AND ARRAY_CONTAINS('AWSService'::VARIANT, types)
+  LIMIT 100
+QueryName: "AWS Potentially Stolen Service Role"
+Schedule:
+  RateMinutes: 1440
+  TimeoutMinutes: 5
diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_useraccesskeyauth.py b/rules/aws_cloudtrail_rules/aws_cloudtrail_useraccesskeyauth.py
@@ -3,7 +3,7 @@ def rule(event):
     if event.get("errorCode") or event.get("errorMessage"):
         return False
     # Reference: https://awsteele.com/blog/2020/09/26/aws-access-key-format.html
-    return event.deep_get("userIdentity", "accessKeyId").startswith("AKIA")
+    return event.deep_get("userIdentity", "accessKeyId", default="").startswith("AKIA")
 
 
 def title(event):
@@ -14,7 +14,7 @@ def title(event):
 
 def alert_context(event):
     return {
-        "ip_accessKeyId": event.get("sourceIpAddress")
+        "ip_accessKeyId": event.get("sourceIpAddress", default="{not found}")
         + ":"
-        + event.deep_get("userIdentity", "accessKeyId")
+        + event.deep_get("userIdentity", "accessKeyId", default="{not found}")
     }
diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_useraccesskeyauth.yml b/rules/aws_cloudtrail_rules/aws_cloudtrail_useraccesskeyauth.yml
@@ -205,4 +205,74 @@ Tests:
                     userName: AWSReservedSSO_DevAdmin_635426549a280cc6
                 webIdFederationData: {}
             type: AssumedRole
+    - Name: No Access Key
+      ExpectedResult: false
+      Log:
+        additionalEventData:
+            MFAUsed: "No"
+            MobileVersion: "No"
+        awsRegion: us-west-2
+        eventCategory: Management
+        eventID: 364ad368-42bf-4e05-a500-971ddfe8ebff
+        eventName: AssumeRole
+        eventSource: signin.amazonaws.com
+        eventTime: "2024-06-02 19:41:40.000000000"
+        eventType: AwsConsoleSignIn
+        eventVersion: "1.08"
+        managementEvent: true
+        p_any_actor_ids:
+            - AROASXP6SDP2F4WLQVARB
+            - AROASXP6SDP2F4WLQVARB:nicholas.hakmiller
+        p_any_aws_account_ids:
+            - "187901811700"
+        p_any_aws_arns:
+            - arn:aws:iam::187901811700:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_DevAdmin_635426549a280cc6
+            - arn:aws:sts::187901811700:assumed-role/AWSReservedSSO_DevAdmin_635426549a280cc6/nicholas.hakmiller
+            - arn:aws:iam::187901811700:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_DevAdmin_635426549a280cc6
+        p_any_ip_addresses:
+            - 73.252.165.138
+        p_any_trace_ids:
+            - ASIASXP6SDP2HUZY3TOB
+        p_any_usernames:
+            - nicholas.hakmiller
+        p_event_time: "2024-06-02 19:41:40.000000000"
+        p_log_type: AWS.CloudTrail
+        p_parse_time: "2024-06-02 19:50:54.391407154"
+        p_row_id: f26228572e3f9acd88e0cadc1f80a502
+        p_schema_version: 0
+        p_source_file:
+            aws_s3_bucket: threat-research-trail-trail-bucket-xhh4yndpq5
+            aws_s3_key: AWSLogs/187901811700/CloudTrail/us-west-2/2024/06/02/187901811700_CloudTrail_us-west-2_20240602T1945Z_ggfzMNc1AHPJypqR.json.gz
+        p_source_id: 469edf86-a0c6-4d13-ba48-47c4060bb804
+        p_source_label: threat-research-trail-us-west-2
+        p_udm:
+            source:
+                address: 73.252.165.138
+                ip: 73.252.165.138
+            user:
+                arns:
+                    - arn:aws:iam::187901811700:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_DevAdmin_635426549a280cc6
+                    - arn:aws:sts::187901811700:assumed-role/AWSReservedSSO_DevAdmin_635426549a280cc6/nicholas.hakmiller
+        readOnly: false
+        recipientAccountId: "187901811700"
+        responseElements:
+            ConsoleLogin: Success
+        sourceIPAddress: 73.252.165.138
+        tlsDetails:
+            cipherSuite: TLS_AES_128_GCM_SHA256
+            clientProvidedHostHeader: us-west-2.signin.aws.amazon.com
+            tlsVersion: TLSv1.3
+        userAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
+        userIdentity:
+            accountId: "187901811700"
+            arn: arn:aws:sts::187901811700:assumed-role/AWSReservedSSO_DevAdmin_635426549a280cc6/nicholas.hakmiller
+            principalId: AROASXP6SDP2F4WLQVARB:nicholas.hakmiller
+            sessionContext:
+                attributes:
+                    creationDate: "2024-06-02T19:41:40Z"
+                    mfaAuthenticated: "false"
+                sessionIssuer:
+                    type: lambda
+                webIdFederationData: {}
+            type: AssumedRole
 CreateAlert: false
diff --git a/rules/aws_cloudtrail_rules/aws_iam_user_key_created.py b/rules/aws_cloudtrail_rules/aws_iam_user_key_created.py
@@ -30,8 +30,10 @@ def dedup(event):
 def alert_context(event):
     base = aws_rule_context(event)
     base["ip_accessKeyId"] = (
-        event.get("sourceIpAddress")
+        event.get("sourceIpAddress", "<NO_IP_ADDRESS>")
         + ":"
-        + event.deep_get("responseElements", "accessKey", "accessKeyId")
+        + event.deep_get(
+            "responseElements", "accessKey", "accessKeyId", default="<NO_ACCESS_KEY_ID>"
+        )
     )
     return base
diff --git a/rules/aws_cloudtrail_rules/role_assumed_by_aws_service.yml b/rules/aws_cloudtrail_rules/role_assumed_by_aws_service.yml
@@ -2,7 +2,7 @@ AnalysisType: rule
 Filename: role_assumed_by_aws_service.py
 RuleID: "Role.Assumed.by.AWS.Service"
 DisplayName: "SIGNAL - Role Assumed by AWS Service"
-Enabled: true
+Enabled: false
 CreateAlert: false
 LogTypes:
     - AWS.CloudTrail

diff --git a/rules/aws_cloudtrail_rules/role_assumed_by_user.yml b/rules/aws_cloudtrail_rules/role_assumed_by_user.yml
@@ -2,7 +2,7 @@ AnalysisType: rule
 Filename: role_assumed_by_user.py
 RuleID: "Role.Assumed.by.User"
 DisplayName: "SIGNAL - Role Assumed by User"
-Enabled: true
+Enabled: false
 CreateAlert: false
 LogTypes:
     - AWS.CloudTrail