Add rule to alert on known cryptomining ports in VPC flow logs

panther-labs · Nov 27, 2023 · c6e4467 · c6e4467
1 parent 6252b95
commit c6e4467
Show file tree

Hide file tree

Showing 3 changed files with 117 additions and 0 deletions.
diff --git a/global_helpers/panther_iocs.py b/global_helpers/panther_iocs.py
@@ -163,6 +163,39 @@
     "shscrypto.net",
 }
 
+CRYPTO_MINING_PORTS = {
+    25,
+    3333,
+    3334,
+    3335,
+    3336,
+    3357,
+    4444,
+    5555,
+    5556,
+    5588,
+    5730,
+    6099,
+    6641,
+    6642,
+    6666,
+    7777,
+    7778,
+    8000,
+    8001,
+    8008,
+    8080,
+    8118,
+    8333,
+    8888,
+    8899,
+    9332,
+    9999,
+    14433,
+    14444,
+    45560,
+    45700,
+}
 
 # IOC Helper functions:
 def ioc_match(indicators: list, known_iocs: set) -> list:

diff --git a/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py
@@ -0,0 +1,31 @@
+from ipaddress import ip_network
+
+from panther_base_helpers import aws_rule_context
+from panther_iocs import CRYPTO_MINING_PORTS
+
+# List of allowed destination addresses
+# with more commonly-used ports (e.g., 8080)
+ALLOWED_DST_ADDRESSES = {}
+
+
+def rule(event):
+    # Only alert on traffic originating from a private address
+    # and destined for a public address
+    if any(
+        [
+            not ip_network(event.get("srcaddr", "0.0.0.0/0")).is_private,
+            ip_network(event.get("dstaddr", "0.0.0.0/0")).is_private,
+        ]
+    ):
+        return False
+
+    return all(
+        [
+            event.get("dstport") in CRYPTO_MINING_PORTS,
+            event.get("dstaddr") not in ALLOWED_DST_ADDRESSES,
+        ]
+    )
+
+
+def alert_context(event):
+    return aws_rule_context(event)
diff --git a/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml
@@ -0,0 +1,53 @@
+AnalysisType: rule
+Filename: aws_vpc_crypto_ports.py
+RuleID: "AWS.VPC.CryptoPorts"
+DisplayName: "VPC Flow Logs Known Cryotomining Ports"
+Enabled: true
+LogTypes:
+  - AWS.VPCFlow
+Tags:
+  - AWS
+  - Configuration Required
+  - Security Control
+  - Command and Control:Application Layer Protocol
+Reports:
+  MITRE ATT&CK:
+    - TA0040:T1496
+Severity: High
+Description: >
+  Alerts if a known cryptomining port is detected in outbound traffic.
+Runbook: >
+  Investigate the host sending traffic over the known cryptomining ports for activity or signs of compromise or other malicious activity. Update network configurations appropriately.
+Reference: https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-keys-cryptojacking/
+SummaryAttributes:
+  - srcaddr
+  - dstaddr
+  - dstport
+Tests:
+  -
+    Name: DstPortInKnownList-true
+    ExpectedResult: true
+    Log:
+      {
+        "dstport": 6641,
+        "dstaddr": "106.58.92.8",
+        "srcaddr": "10.0.0.1"
+      }
+  -
+    Name: DstPortTwoInKnownList-true
+    ExpectedResult: true
+    Log:
+      {
+        "dstport": 9332,
+        "dstaddr": "106.58.92.8",
+        "srcaddr": "10.0.0.1"
+      }
+  -
+    Name: DstPortNotInKnownList-true
+    ExpectedResult: false
+    Log:
+      {
+        "dstport": 443,
+        "dstaddr": "100.100.100.100",
+        "srcaddr": "10.0.0.1"
+      }