Add rule to alert on known cryptomining ports in VPC flow logs (#972)

* Add rule to alert on known cryptomining ports in VPC flow logs * Lower severity; turn off by default * Add to pack * Remove SMTP; add reference * fmt * Add monero ports
panther-labs · Nov 28, 2023 · 28e3bd7 · 28e3bd7
1 parent d201e9e
commit 28e3bd7
Show file tree

Hide file tree

Showing 4 changed files with 122 additions and 0 deletions.
diff --git a/global_helpers/panther_iocs.py b/global_helpers/panther_iocs.py
@@ -348,6 +348,43 @@
     "zer0day.ru",
 }
 
+# https://github.com/falcosecurity/rules/blob/64e2adb309b7e07953691eeb53347d28e361b0e3/rules/falco-sandbox_rules.yaml#L1367-L1374
+CRYPTO_MINING_PORTS = {
+    3333,
+    3334,
+    3335,
+    3336,
+    3357,
+    4444,
+    5555,
+    5556,
+    5588,
+    5730,
+    6099,
+    6641,
+    6642,
+    6666,
+    7777,
+    7778,
+    8000,
+    8001,
+    8008,
+    8080,
+    8118,
+    8333,
+    8888,
+    8899,
+    9332,
+    9999,
+    10300,  # stratum
+    10343,  # stratum ssl
+    14433,
+    14444,
+    18080,  # monero p2p mainnet
+    18081,  # monero rpc mainnet
+    45560,
+    45700,
+}
 
 # IOC Helper functions:
 def ioc_match(indicators: list, known_iocs: set) -> list:

diff --git a/packs/aws.yml b/packs/aws.yml
@@ -130,6 +130,7 @@ PackDefinition:
     - AWS.Redshift.Cluster.Logging
     - AWS.Redshift.Cluster.SnapshotRetention
     - AWS.Redshift.Cluster.VersionUpgrade
+    - AWS.VPC.CryptoPorts
     - AWS.VPC.FlowLogs
     # AWS DataModels
     - Standard.AWS.ALB

diff --git a/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py
@@ -0,0 +1,31 @@
+from ipaddress import ip_network
+
+from panther_base_helpers import aws_rule_context
+from panther_iocs import CRYPTO_MINING_PORTS
+
+# List of allowed destination addresses
+# with more commonly-used ports (e.g., 8080)
+ALLOWED_DST_ADDRESSES = {}
+
+
+def rule(event):
+    # Only alert on traffic originating from a private address
+    # and destined for a public address
+    if any(
+        [
+            not ip_network(event.get("srcaddr", "0.0.0.0/0")).is_private,
+            ip_network(event.get("dstaddr", "0.0.0.0/0")).is_private,
+        ]
+    ):
+        return False
+
+    return all(
+        [
+            event.get("dstport") in CRYPTO_MINING_PORTS,
+            event.get("dstaddr") not in ALLOWED_DST_ADDRESSES,
+        ]
+    )
+
+
+def alert_context(event):
+    return aws_rule_context(event)
diff --git a/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml
@@ -0,0 +1,53 @@
+AnalysisType: rule
+Filename: aws_vpc_crypto_ports.py
+RuleID: "AWS.VPC.CryptoPorts"
+DisplayName: "VPC Flow Logs Known Cryotomining Ports"
+Enabled: false
+LogTypes:
+  - AWS.VPCFlow
+Tags:
+  - AWS
+  - Configuration Required
+  - Security Control
+  - Command and Control:Application Layer Protocol
+Reports:
+  MITRE ATT&CK:
+    - TA0040:T1496
+Severity: Low
+Description: >
+  Alerts if a known cryptomining port is detected in outbound traffic.
+Runbook: >
+  Investigate the host sending traffic over the known cryptomining ports for activity or signs of compromise or other malicious activity. Update network configurations appropriately.
+Reference: https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-keys-cryptojacking/
+SummaryAttributes:
+  - srcaddr
+  - dstaddr
+  - dstport
+Tests:
+  -
+    Name: DstPortInKnownList-true
+    ExpectedResult: true
+    Log:
+      {
+        "dstport": 6641,
+        "dstaddr": "106.58.92.8",
+        "srcaddr": "10.0.0.1"
+      }
+  -
+    Name: DstPortTwoInKnownList-true
+    ExpectedResult: true
+    Log:
+      {
+        "dstport": 9332,
+        "dstaddr": "106.58.92.8",
+        "srcaddr": "10.0.0.1"
+      }
+  -
+    Name: DstPortNotInKnownList-true
+    ExpectedResult: false
+    Log:
+      {
+        "dstport": 443,
+        "dstaddr": "100.100.100.100",
+        "srcaddr": "10.0.0.1"
+      }