Merge pull request #1338 from panther-labs/release
Prepare for `v3.62.0`
arielkr256 authored Aug 27, 2024
2 parents dca7bc6 + a4aed26 commit 428e614
Showing 84 changed files with 3,117 additions and 1,087 deletions.
2 changes: 1 addition & 1 deletion Pipfile
@@ -19,7 +19,7 @@ wrapt = "~=1.15"
[packages]
policyuniverse = "==1.5.1.20230817"
requests = "==2.31.0"
panther-analysis-tool = "~=0.51"
panther-analysis-tool = "~=0.52.1"
panther-detection-helpers = "==0.4.0"

[requires]
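Review bot: `~=0.52.1` resolves to `>=0.52.1,<0.53`, so this pins panther-analysis-tool to the 0.52 patch series and will need another manual bump when 0.53 ships; that is consistent with the previous `~=0.51` style, so no objection, but the 1,139-line Pipfile.lock diff is not rendered on this page, so please confirm the lock was regenerated with `pipenv lock` against this Pipfile rather than edited by hand.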
1,139 changes: 590 additions & 549 deletions Pipfile.lock

Large diffs are not rendered by default.

@@ -8,7 +8,7 @@ Tags:
Severity: Info
Reports:
MITRE ATT&CK:
- T1528 # Steal Application Access Token
- TA0006:T1528 # Steal Application Access Token
Description: A role was assumed by an AWS service, followed by a user within 24 hours. This could indicate a stolen or compromised AWS service role.
Detection:
- Sequence:
@@ -5,7 +5,7 @@ Enabled: true
Severity: Medium
Reports:
MITRE ATT&CK:
- T1098.001 # Additional Cloud Credentials
- TA0004:T1098.001 # Additional Cloud Credentials
Detection:
- Sequence:
- ID: User Backdoored
2 changes: 1 addition & 1 deletion correlation_rules/aws_user_takeover_via_password_reset.yml
@@ -5,7 +5,7 @@ Enabled: true
Severity: High
Reports:
MITRE ATT&CK:
- T1098.001 # Additional Cloud Credentials
- TA0004:T1098.001 # Additional Cloud Credentials
Detection:
- Sequence:
- ID: Password Reset
4 changes: 2 additions & 2 deletions correlation_rules/okta_login_without_push.yml
@@ -7,8 +7,8 @@ Tags:
- Configuration Required
Reports:
MITRE ATT&CK:
- T1212 # Exploitation for Credential Access
- T1539 # Steal Web Session Cookie
- TA0006:T1212 # Exploitation for Credential Access
- TA0006:T1539 # Steal Web Session Cookie
Severity: Critical
Detection:
- Sequence:
4 changes: 2 additions & 2 deletions correlation_rules/potential_compromised_okta_credentials.yml
@@ -7,8 +7,8 @@ Tags:
- Configuration Required
Reports:
MITRE ATT&CK:
- T1212 # Exploitation for Credential Access
- T1539 # Steal Web Session Cookie
- TA0006:T1212 # Exploitation for Credential Access
- TA0006:T1539 # Steal Web Session Cookie
Severity: Critical
Detection:
- Sequence:
2 changes: 1 addition & 1 deletion correlation_rules/secret_exposed_and_not_quarantined.yml
@@ -7,7 +7,7 @@ Tags:
Severity: High
Reports:
MITRE ATT&CK:
- T1552.001
- TA0006:T1552.001
Description: The rule detects when a GitHub Secret Scan detects an exposed secret, which is not followed by the expected quarantine operation in AWS. When you make a repository public, or push changes to a public repository, GitHub always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If secret scanning detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them.
Reference: https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning
Detection:
16 changes: 16 additions & 0 deletions global_helpers/crowdstrike_event_streams_helpers.py
@@ -2,6 +2,22 @@


def cs_alert_context(event):
return audit_keys_dict(event)


def audit_keys_dict(event):
return key_value_list_to_dict(
event.deep_get("event", "AuditKeyValues", default=[]), "Key", "ValueString"
)


def str_to_list(liststr: str) -> list[str]:
"""Several crowdstrike values are returned as a list like "[x y z]". This function convetrs
such entries to Python list of strings, like: ["x", "y", "z"]."""
# Return empty list for empty string
if not liststr:
return []
# Validate
if liststr[0] != "[" or liststr[-1] != "]":
raise ValueError(f"Invalid list string: {liststr}")
return [x.strip() for x in liststr[1:-1].split(" ")]
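Review bot: `str_to_list` splits on a single space, so an input with consecutive spaces such as `"[x  y]"` yields empty-string entries, and the empty body `"[]"` returns `[""]` rather than `[]` because `"".split(" ")` is `['']`. Use `liststr[1:-1].split()` with no separator argument: it collapses runs of whitespace, returns `[]` for an empty body, and makes the per-element `.strip()` unnecessary. While here, fix the docstring typo `convetrs` and consider stating in it that values are expected to be space-separated, since the CrowdStrike `"[x y z]"` format is the only thing the validation checks.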
66 changes: 0 additions & 66 deletions global_helpers/panther_iocs.py
@@ -1,71 +1,5 @@
# pylint: disable=line-too-long

# 2022-06-02 Confluence 0-Day IOCs:
# https://github.com/volexity/threat-intel/blob/main/2022/2022-06-02%20Active%20Exploitation%20Of%20Confluence%200-day/indicators/indicators.csv
VOLEXITY_CONFLUENCE_IP_IOCS = {
"156.146.34.46",
"156.146.34.9",
"156.146.56.136",
"198.147.22.148",
"45.43.19.91",
"66.115.182.102",
"66.115.182.111",
"67.149.61.16",
"154.16.105.147",
"64.64.228.239",
"156.146.34.52",
"154.146.34.145",
"221.178.126.244",
"59.163.248.170",
"98.32.230.38",
}

# SUNBURST IOCs:
# https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
# Last accessed: 2021-11-17
SUNBURST_FQDN_IOCS = {
"databasegalore.com",
"deftsecurity.com",
"freescanonline.com",
"highdatabase.com",
"incomeupdate.com",
"panhardware.com",
"thedoccloud.com",
"websitetheme.com",
"zupertech.com",
"6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com",
"7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com",
"gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com",
"ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com",
"k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com",
"mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com",
}

SUNBURST_IP_IOCS = {"0.0.0.1"}

# https://github.com/mandiant/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_Hashes.csv
# Last accessed: 2021-11-17
SUNBURST_SHA256_IOCS = {
"019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
"292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712",
"32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
"53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7",
"abe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417",
"ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
"d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600",
}

# LOG4J IOCs:
# IPs Pulled from the following sources, deduped and compiled here.
# https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217
# https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv
# https://raw.githubusercontent.com/Malwar3Ninja/Exploitation-of-Log4j2-CVE-2021-44228/main/Threatview.io-log4j2-IOC-list
# Created 12-13-21

LOG4J_IP_IOCS = {
# The rule using this set has been deprecated and disabled by default
"0.0.0.1"
}

# Example sources:
# - https://www.fastly.com/blog/new-data-and-insights-into-log4shell-attacks-cve-2021-44228
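Review bot: deleting `VOLEXITY_CONFLUENCE_IP_IOCS`, `SUNBURST_FQDN_IOCS`, `SUNBURST_IP_IOCS`, `SUNBURST_SHA256_IOCS` and `LOG4J_IP_IOCS` is a breaking change for any rule that still does `from panther_iocs import ...`; the PR removes `packs/log4j.yml`, but the rules that consumed the Confluence and SUNBURST sets are not part of this rendered diff, so please confirm with a `grep -r panther_iocs rules/ global_helpers/` that no remaining import references these names and that the five lines left in the module still load on their own (the `# pylint: disable=line-too-long` header now guards nothing).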
14 changes: 12 additions & 2 deletions packs/crowdstrike_event_streams.yml
@@ -3,7 +3,17 @@ PackID: PantherManaged.CrowdstrikeEventStreams
Description: Group of all Crowdstrike Event Stream detections
PackDefinition:
IDs:
- crowdstrike_event_streams_helpers
- panther_base_helpers

- Crowdstrike.AdminRoleAssigned
- Crowdstrike.AllowlistRemoved
- Crowdstrike.API.Key.Created
- Crowdstrike.API.Key.Deleted
- panther_base_helpers
- crowdstrike_event_streams_helpers
- Crowdstrike.EphemeralUserAccount
- Crowdstrike.IpAllowlistChanged
- Crowdstrike.NewAdminUserCreated
- Crowdstrike.NewUserCreated
- Crowdstrike.SingleIpAllowlisted
- Crowdstrike.UserDeleted
- Crowdstrike.UserPasswordChange
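Review bot: the two helper entries `panther_base_helpers` and `crowdstrike_event_streams_helpers` are moved from the head of the list to sit between `Crowdstrike.API.Key.Deleted` and `Crowdstrike.EphemeralUserAccount`, breaking an otherwise alphabetical run of rule IDs; keep the helpers grouped together (at the top, as before, or at the end) so the list stays scannable and the next rule addition does not have to sort around them.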
3 changes: 2 additions & 1 deletion packs/github.yml
@@ -14,11 +14,12 @@ PackDefinition:
- GitHub.Org.Modified
- Github.Repo.CollaboratorChange
- Github.Repo.Created
- GitHub.Repo.HookModified
#- GitHub.Repo.HookModified
- GitHub.Repo.InitialAccess
- Github.Repo.VisibilityChange
- GitHub.Secret.Scanning.Alert.Created
- GitHub.Team.Modified
- GitHub.Webhook.Modified
- GitHub.User.AccessKeyCreated
- GitHub.User.RoleUpdated
- Github.Organization.App.Integration.Installed
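Review bot: `#- GitHub.Repo.HookModified` leaves a commented-out ID in the pack with no explanation, so a later reader cannot tell whether the rule was disabled deliberately or by accident; either delete the line or replace it with a comment saying it is superseded by `GitHub.Webhook.Modified`, which this hunk adds. Minor: `GitHub.Webhook.Modified` is inserted after `GitHub.Team.Modified` but before the `GitHub.User.*` entries, so it is out of alphabetical order with the rest of the list.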
9 changes: 0 additions & 9 deletions packs/log4j.yml

This file was deleted.

@@ -7,7 +7,7 @@ Tags:
Severity: High
Reports:
MITRE ATT&CK:
- T1528 # Steal Application Access Token
- TA0006:T1528 # Steal Application Access Token
Description: A role was assumed by an AWS service, followed by a user within 24 hours. This could indicate a stolen or compromised AWS service role.
Filename: scheduled_rule_default.py
ScheduledQueries:
1 change: 1 addition & 0 deletions rules/auth0_rules/auth0_user_invitation_created.yml
@@ -4,6 +4,7 @@ Enabled: true
Filename: auth0_user_invitation_created.py
Reference: https://auth0.com/docs/manage-users/organizations/configure-organizations/invite-members
Severity: Info
CreateAlert: false
Tests:
- ExpectedResult: true
Log:
1 change: 1 addition & 0 deletions rules/auth0_rules/auth0_user_joined_tenant.yml
@@ -6,6 +6,7 @@ Filename: auth0_user_joined_tenant.py
RuleID: Auth0.User.Joined.Tenant
Reference: https://auth0.com/docs/manage-users/organizations/configure-organizations/invite-members#send-membership-invitations:~:text=.-,Send%20membership%20invitations,-You%20can
Severity: Info
CreateAlert: false
LogTypes:
- Auth0.Events
Tests:
@@ -8,6 +8,7 @@ Reports:
MITRE ATT&CK:
- TA0007:T1087
Severity: Info
CreateAlert: false
Tests:
- ExpectedResult: true
Log:
13 changes: 3 additions & 10 deletions rules/aws_cloudtrail_rules/aws_ec2_traffic_mirroring.py
@@ -12,9 +12,9 @@ def rule(event):
"DeleteTrafficMirrorFilterRule",
"DeleteTrafficMirrorSession",
"DeleteTrafficMirrorTarget",
"DescribeTrafficMirrorFilters",
"DescribeTrafficMirrorSessions",
"DescribeTrafficMirrorTargets",
# "DescribeTrafficMirrorFilters",
# "DescribeTrafficMirrorSessions",
# "DescribeTrafficMirrorTargets",
"ModifyTrafficMirrorFilterNetworkServices",
"ModifyTrafficMirrorFilterRule",
"ModifyTrafficMirrorSession",
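Review bot: the three `Describe*` event names are commented out rather than deleted, and nothing in the hunk says why read-only enumeration calls were dropped from the set; either remove the lines outright or replace them with a one-line comment stating the intent (for example that `Describe*` calls are read-only and too noisy to alert on), otherwise someone will reinstate them later without knowing the history.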
@@ -28,9 +28,6 @@ def rule(event):


def title(event):
# (Optional) Return a string which will be shown as the alert title.
# If no 'dedup' function is defined, the return value of this method will
# act as deduplication string.
return (
f"{event.get('userIdentity',{}).get('arn','no-type')} ec2 activity found for "
f"{event.get('eventName')} in account {event.get('recipientAccountId')} "
@@ -39,12 +36,8 @@ def title(event):


def dedup(event):
# (Optional) Return a string which will be used to deduplicate similar alerts.
# Dedupe based on user identity, to not include multiple events from the same identity.
return f"{event.get('userIdentity',{}).get('arn','no-user-identity-provided')}"


def alert_context(event):
# (Optional) Return a dictionary with additional data to be included
# in the alert sent to the SNS/SQS/Webhook destination
return aws_rule_context(event)
16 changes: 8 additions & 8 deletions rules/aws_cloudtrail_rules/aws_ec2_traffic_mirroring.yml
@@ -10,6 +10,13 @@ Tags:
- AWS
- Cloudtrail
- MITRE
DedupPeriodMinutes: 1440
LogTypes:
- AWS.CloudTrail
RuleID: "AWS.EC2.Traffic.Mirroring"
SummaryAttributes:
- userIdentity.type
Threshold: 1
Tests:
- ExpectedResult: true
Log:
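Review bot: `DedupPeriodMinutes` is both moved to the top of the file and changed from 60 to 1440 in the same hunk (the old value is visible in the deleted block at the end of this file), so a 24-hour dedup window lands as a behavioural change hidden inside a key reorder; please call it out in the PR description, since with `dedup()` keyed on the caller ARN this means one alert per identity per day. The other moved keys (`LogTypes`, `RuleID`, `SummaryAttributes`, `Threshold`) are unchanged.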
@@ -341,7 +348,7 @@ Tests:
webIdFederationData: {}
type: AssumedRole
Name: DeleteTrafficMirrorTarget
- ExpectedResult: true
- ExpectedResult: false
Log:
awsRegion: us-east-1
eventCategory: Management
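Review bot: this test's `ExpectedResult` flips from true to false, but its `Name` is outside the hunk, so the reviewer cannot see which event it exercises; given the accompanying `.py` change that drops the `Describe*` events, I assume it is one of those, and it would help to confirm that and to make the test name say so (e.g. that a Describe call is expected not to fire).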
@@ -553,10 +560,3 @@ Tests:
"type": "AssumedRole",
},
}
DedupPeriodMinutes: 60
LogTypes:
- AWS.CloudTrail
RuleID: "AWS.EC2.Traffic.Mirroring"
SummaryAttributes:
- userIdentity.type
Threshold: 1
3 changes: 2 additions & 1 deletion rules/aws_cloudtrail_rules/aws_ecr_crud.yml
@@ -14,7 +14,8 @@ Reports:
- 3.12
MITRE ATT&CK:
- TA0005:T1525
Severity: High
Severity: Info
CreateAlert: false
Description: Unauthorized ECR Create, Read, Update, or Delete event occurred.
Runbook: https://docs.aws.amazon.com/AmazonECR/latest/userguide/logging-using-cloudtrail.html
Reference: https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam.html#security_iam_authentication
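Review bot: with `Severity: Info` and `CreateAlert: false` this rule no longer raises an alert, yet the unchanged `Description` still reads "Unauthorized ECR Create, Read, Update, or Delete event occurred", which overstates what a signal firing on any ECR CRUD call actually establishes; reword it to describe an observed ECR CRUD event and check whether the `Runbook` line still makes sense for a non-alerting rule.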
3 changes: 2 additions & 1 deletion rules/aws_cloudtrail_rules/aws_ecr_events.yml
@@ -12,7 +12,8 @@ Tags:
Reports:
MITRE ATT&CK:
- TA0005:T1535
Severity: Medium
Severity: Info
CreateAlert: false
Description: An ECR event occurred outside of an expected account or region
Runbook: https://docs.aws.amazon.com/AmazonECR/latest/userguide/logging-using-cloudtrail.html
Reference: https://aws.amazon.com/blogs/containers/amazon-ecr-in-multi-account-and-multi-region-architectures/
@@ -6,6 +6,7 @@ Filename: aws_iam_group_read_only_events.py
Reference: https://attack.mitre.org/techniques/T1069/
Runbook: Examine other activities done by this user to determine whether or not activity is suspicious.
Severity: Info
CreateAlert: false
Tags:
- AWS
- Cloudtrail
3 changes: 2 additions & 1 deletion rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml
@@ -8,7 +8,8 @@ Reports:
MITRE ATT&CK:
- TA0009:T1530
Runbook: Investigate all actions taken and validate that the ARN conducting the acitivty was not compromised
Severity: High
Severity: Info
CreateAlert: false
DedupPeriodMinutes: 60
Threshold: 1
SummaryAttributes:
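Review bot: the downgrade from High to Info together with `CreateAlert: false` reads as the right call for a GreyNoise-enriched rule that produces context rather than actionable alerts, but while this block is being touched, fix the typo `acitivty` in the `Runbook` line just above the changed `Severity`.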
11 changes: 11 additions & 0 deletions rules/aws_cloudtrail_rules/aws_snapshot_made_public.py
@@ -3,6 +3,8 @@
from panther_base_helpers import aws_rule_context, deep_get
from panther_default import aws_cloudtrail_success

IS_SINGLE_USER_SHARE = False # Used to adjust severity


def rule(event):
if not aws_cloudtrail_success(event):
@@ -19,11 +21,20 @@ def rule(event):
if not isinstance(item, (Mapping, dict)):
continue
if item.get("userId") or item.get("group") == "all":
global IS_SINGLE_USER_SHARE # pylint: disable=global-statement
IS_SINGLE_USER_SHARE = "userId" in item # Used for dynamic severity
return True
return False

return False


def severity(_):
# Set severity to INFO if only shared with a single user
if IS_SINGLE_USER_SHARE:
return "INFO"
return "DEFAULT"


def alert_context(event):
return aws_rule_context(event)
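Review bot: `severity(_)` ignores the event and reads `IS_SINGLE_USER_SHARE`, a module global that `rule()` sets from the first matching item only, so a request whose `items` list contains a `userId` entry before a `group: all` entry returns `INFO` even though the snapshot was also made public; and because the flag is process-level state, it is only correct if the engine always calls `rule()` immediately before `severity()` for the same event. Compute the severity from the event instead: have `severity(event)` walk the same `createVolumePermission.add.items` list, return `DEFAULT` if any item has `group == "all"`, and `INFO` otherwise, then drop the global and the `pylint: disable=global-statement` it needs.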