diff --git a/global_helpers/panther_iocs.py b/global_helpers/panther_iocs.py
index 10a978550..531b48706 100644
--- a/global_helpers/panther_iocs.py
+++ b/global_helpers/panther_iocs.py
@@ -348,6 +348,43 @@
 "zer0day.ru",
 }
+# https://github.com/falcosecurity/rules/blob/64e2adb309b7e07953691eeb53347d28e361b0e3/rules/falco-sandbox_rules.yaml#L1367-L1374
+CRYPTO_MINING_PORTS = {
+ 3333,
+ 3334,
+ 3335,
+ 3336,
+ 3357,
+ 4444,
+ 5555,
+ 5556,
+ 5588,
+ 5730,
+ 6099,
+ 6641,
+ 6642,
+ 6666,
+ 7777,
+ 7778,
+ 8000,
+ 8001,
+ 8008,
+ 8080,
+ 8118,
+ 8333,
+ 8888,
+ 8899,
+ 9332,
+ 9999,
+ 10300, # stratum
+ 10343, # stratum ssl
+ 14433,
+ 14444,
+ 18080, # monero p2p mainnet
+ 18081, # monero rpc mainnet
+ 45560,
+ 45700,
+}
 # IOC Helper functions:
 def ioc_match(indicators: list, known_iocs: set) -> list:
diff --git a/packs/aws.yml b/packs/aws.yml
index 865d1eaf2..f3b6c5939 100644
--- a/packs/aws.yml
+++ b/packs/aws.yml
@@ -130,6 +130,7 @@ PackDefinition:
 - AWS.Redshift.Cluster.Logging
 - AWS.Redshift.Cluster.SnapshotRetention
 - AWS.Redshift.Cluster.VersionUpgrade
+ - AWS.VPC.CryptoPorts
 - AWS.VPC.FlowLogs
 # AWS DataModels
 - Standard.AWS.ALB
diff --git a/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py
new file mode 100644
index 000000000..1450ba307
--- /dev/null
+++ b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py
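Review bot: CRYPTO_MINING_PORTS mixes ports that are specific to mining pools (3333–3336, the 10300/10343 stratum pair, 18080/18081 Monero) with general-purpose ones — 8000, 8001, 8008, 8080, 8888 and the 4444/5555/6666/7777/9999 family — and the block only cites the Falco source, so a consumer cannot tell which entries are high-confidence. Add a comment above the literal, e.g. `# NOTE: 8000/8001/8008/8080/8888 (and 4444/5555/6666/7777/9999) are widely used by non-mining services; rules keyed on this set need a destination allow list or they will fire on ordinary HTTP egress`. Since the set is a module constant that is only read, `frozenset` would also rule out accidental mutation by a rule that imports it. The same noise concern applies to the new rule in rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py, which ships with an empty allow list.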
@@ -0,0 +1,31 @@
+from ipaddress import ip_network
+
+from panther_base_helpers import aws_rule_context
+from panther_iocs import CRYPTO_MINING_PORTS
+
+# List of allowed destination addresses
+# with more commonly-used ports (e.g., 8080)
+ALLOWED_DST_ADDRESSES = {}
+
+
+def rule(event):
+ # Only alert on traffic originating from a private address
+ # and destined for a public address
+ if any(
+ [
+ not ip_network(event.get("srcaddr", "0.0.0.0/0")).is_private,
+ ip_network(event.get("dstaddr", "0.0.0.0/0")).is_private,
+ ]
+ ):
+ return False
+
+ return all(
+ [
+ event.get("dstport") in CRYPTO_MINING_PORTS,
+ event.get("dstaddr") not in ALLOWED_DST_ADDRESSES,
+ ]
+ )
+
+
+def alert_context(event):
+ return aws_rule_context(event)
diff --git a/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml
new file mode 100644
index 000000000..33cf73061
--- /dev/null
+++ b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml
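Review bot: The `"0.0.0.0/0"` default in `event.get("srcaddr", ...)` and `event.get("dstaddr", ...)` only applies when the key is absent; if the parser emits the field as null (VPC Flow Logs write `-` for addresses they cannot populate, and I believe the Panther schema maps that to null — worth confirming), `ip_network(None)` raises and the rule errors instead of returning False. Leaning on `ip_network("0.0.0.0/0").is_private` to settle the direction check is also fragile, since that value is True on Python 3.11 and, as far as I can tell, False from 3.12 on. Separately, `ALLOWED_DST_ADDRESSES = {}` is an empty dict rather than the set the comment describes (`ALLOWED_DST_ADDRESSES = set()`), and `ip_address` fits a host field better than `ip_network`, so the import would become `from ipaddress import ip_address`. A version of rule() that skips unclassifiable records explicitly:
```python
def rule(event):
    # Only alert on traffic originating from a private address
    # and destined for a public address. Records whose addresses are
    # missing or unparsable (None, "-") cannot be classified, so skip
    # them rather than let the rule raise.
    try:
        src = ip_address(event.get("srcaddr"))
        dst = ip_address(event.get("dstaddr"))
    except ValueError:
        return False
    if not src.is_private or dst.is_private:
        return False
    return (
        event.get("dstport") in CRYPTO_MINING_PORTS
        and event.get("dstaddr") not in ALLOWED_DST_ADDRESSES
    )
# … unchanged: alert_context …
```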
@@ -0,0 +1,53 @@
+AnalysisType: rule
+Filename: aws_vpc_crypto_ports.py
+RuleID: "AWS.VPC.CryptoPorts"
+DisplayName: "VPC Flow Logs Known Cryotomining Ports"
+Enabled: false
+LogTypes:
+ - AWS.VPCFlow
+Tags:
+ - AWS
+ - Configuration Required
+ - Security Control
+ - Command and Control:Application Layer Protocol
+Reports:
+ MITRE ATT&CK:
+ - TA0040:T1496
+Severity: Low
+Description: >
+ Alerts if a known cryptomining port is detected in outbound traffic.
+Runbook: >
+ Investigate the host sending traffic over the known cryptomining ports for activity or signs of compromise or other malicious activity. Update network configurations appropriately.
+Reference: https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-keys-cryptojacking/
+SummaryAttributes:
+ - srcaddr
+ - dstaddr
+ - dstport
+Tests:
+ -
+ Name: DstPortInKnownList-true
+ ExpectedResult: true
+ Log:
+ {
+ "dstport": 6641,
+ "dstaddr": "106.58.92.8",
+ "srcaddr": "10.0.0.1"
+ }
+ -
+ Name: DstPortTwoInKnownList-true
+ ExpectedResult: true
+ Log:
+ {
+ "dstport": 9332,
+ "dstaddr": "106.58.92.8",
+ "srcaddr": "10.0.0.1"
+ }
+ -
+ Name: DstPortNotInKnownList-true
+ ExpectedResult: false
+ Log:
+ {
+ "dstport": 443,
+ "dstaddr": "100.100.100.100",
+ "srcaddr": "10.0.0.1"
+ }
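Review bot: `DisplayName` misspells the rule's subject and that string is what analysts will search for in the console; it should read `DisplayName: "VPC Flow Logs Known Cryptomining Ports"`. The third test is named `DstPortNotInKnownList-true` although its `ExpectedResult` is `false`, so rename it `Name: DstPortNotInKnownList-false`. None of the three tests exercise the direction filter (a private `dstaddr` or a public `srcaddr`) or an entry in `ALLOWED_DST_ADDRESSES`, so a fourth case such as `"dstport": 3333` to `"dstaddr": "10.0.0.2"` expecting `false` would pin the behaviour the rule's comments promise. The `Tags` entry `Command and Control:Application Layer Protocol` also disagrees with the `Reports` mapping `TA0040:T1496`, which is Impact / Resource Hijacking; the two should name the same technique.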