From df39bc0a576113e63f24714b1817757e38d246dd Mon Sep 17 00:00:00 2001
From: egibs
Date: Mon, 27 Nov 2023 08:31:51 -0600
Subject: [PATCH] Add rule to alert on known cryptomining ports in VPC flow logs
---
 global_helpers/panther_iocs.py | 33 ++++++++++++
 .../aws_vpc_crypto_ports.py | 29 ++++++++++
 .../aws_vpc_crypto_ports.yml | 53 +++++++++++++++++++
 3 files changed, 115 insertions(+)
 create mode 100644 rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py
 create mode 100644 rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml
diff --git a/global_helpers/panther_iocs.py b/global_helpers/panther_iocs.py
index 90a209e1f..24721dbb5 100644
--- a/global_helpers/panther_iocs.py
+++ b/global_helpers/panther_iocs.py
@@ -163,6 +163,39 @@
     "shscrypto.net",
 }
 
+CRYPTO_MINING_PORTS = {
+    25,
+    3333,
+    3334,
+    3335,
+    3336,
+    3357,
+    4444,
+    5555,
+    5556,
+    5588,
+    5730,
+    6099,
+    6641,
+    6642,
+    6666,
+    7777,
+    7778,
+    8000,
+    8001,
+    8008,
+    8080,
+    8118,
+    8333,
+    8888,
+    8899,
+    9332,
+    9999,
+    14433,
+    14444,
+    45560,
+    45700,
+}
 
 # IOC Helper functions:
 def ioc_match(indicators: list, known_iocs: set) -> list:
diff --git a/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py
new file mode 100644
index 000000000..dd71e3da1
--- /dev/null
+++ b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py
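Review bot: CRYPTO_MINING_PORTS is added with no comment on where the list comes from or which entries are general-purpose, yet 25, 8000, 8080 and 8888 in it are ordinary service ports and the only suppression the new rule offers is the (empty) ALLOWED_DST_ADDRESSES allow-list, so these four will dominate alert volume on most deployments. A comment above the set would let the next maintainer tune it deliberately: `# Destination ports associated with known mining-pool traffic (see the Reference in aws_vpc_crypto_ports.yml). 25, 8000, 8080 and 8888 are general-purpose ports and will need per-deployment tuning through ALLOWED_DST_ADDRESSES.` Splitting the set into a high-confidence tier and a noisy tier so the rule can grade severity by port would be a reasonable follow-up, but that is a design choice beyond this hunk.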
@@ -0,0 +1,29 @@
+from ipaddress import ip_network
+
+from panther_base_helpers import aws_rule_context
+from panther_iocs import CRYPTO_MINING_PORTS
+
+# List of allowed destination addresses
+# with more commonly-used ports (e.g., 8080)
+ALLOWED_DST_ADDRESSES = {}
+
+
+def rule(event):
+    # Only alert on traffic originating from a private address
+    # and destined for a public address
+    if any([
+        not ip_network(event.get("srcaddr", "0.0.0.0/0")).is_private,
+        ip_network(event.get("dstaddr", "0.0.0.0/0")).is_private
+    ]):
+        return False
+
+    return all(
+        [
+            event.get("dstport") in CRYPTO_MINING_PORTS,
+            event.get("dstaddr") not in ALLOWED_DST_ADDRESSES,
+        ]
+    )
+
+
+def alert_context(event):
+    return aws_rule_context(event)
diff --git a/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml
new file mode 100644
index 000000000..999e1f294
--- /dev/null
+++ b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml
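Review bot: rule() passes srcaddr and dstaddr straight to ip_network(), so a record whose address field is present but not a parseable IP raises ValueError and the rule errors instead of returning False; VPC Flow records with a NODATA/SKIPDATA status appear to carry "-" in those fields, so this is likely to trip in production (confirm against the AWS.VPCFlow schema). `ALLOWED_DST_ADDRESSES = {}` is an empty dict literal rather than the set the comment describes; membership on keys still works, but `ALLOWED_DST_ADDRESSES = set()` states the intent and stops someone later writing `{"1.2.3.4": ...}` into it. The `any([...])` guard also builds a list and evaluates both parses eagerly, which a plain boolean expression avoids. Parsing once and bailing on ValueError covers all three points:
```python
ALLOWED_DST_ADDRESSES = set()


def rule(event):
    # Only alert on traffic originating from a private address
    # and destined for a public address
    try:
        src = ip_network(event.get("srcaddr", "0.0.0.0/0"))
        dst = ip_network(event.get("dstaddr", "0.0.0.0/0"))
    except ValueError:
        # Non-address placeholders cannot be classified; do not alert
        # rather than raise out of the rule.
        return False
    if not src.is_private or dst.is_private:
        return False
    return (
        event.get("dstport") in CRYPTO_MINING_PORTS
        and event.get("dstaddr") not in ALLOWED_DST_ADDRESSES
    )

# … unchanged: alert_context …
```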
@@ -0,0 +1,53 @@
+AnalysisType: rule
+Filename: aws_vpc_crypto_ports.py
+RuleID: "AWS.VPC.CryptoPorts"
+DisplayName: "VPC Flow Logs Known Cryotomining Ports"
+Enabled: true
+LogTypes:
+  - AWS.VPCFlow
+Tags:
+  - AWS
+  - Configuration Required
+  - Security Control
+  - Command and Control:Application Layer Protocol
+Reports:
+  MITRE ATT&CK:
+    - TA0040:T1496
+Severity: High
+Description: >
+  Alerts if a known cryptomining port is detected in outbound traffic.
+Runbook: >
+  Investigate the host sending traffic over the known cryptomining ports for activity or signs of compromise or other malicious activity. Update network configurations appropriately.
+Reference: https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-keys-cryptojacking/
+SummaryAttributes:
+  - srcaddr
+  - dstaddr
+  - dstport
+Tests:
+  -
+    Name: DstPortInKnownList-true
+    ExpectedResult: true
+    Log:
+      {
+        "dstport": 6641,
+        "dstaddr": "106.58.92.8",
+        "srcaddr": "10.0.0.1"
+      }
+  -
+    Name: DstPortTwoInKnownList-true
+    ExpectedResult: true
+    Log:
+      {
+        "dstport": 9332,
+        "dstaddr": "106.58.92.8",
+        "srcaddr": "10.0.0.1"
+      }
+  -
+    Name: DstPortNotInKnownList-true
+    ExpectedResult: false
+    Log:
+      {
+        "dstport": 443,
+        "dstaddr": "100.100.100.100",
+        "srcaddr": "10.0.0.1"
+      }
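Review bot: The DisplayName on the fourth line misspells the alert title that analysts will see and search on; it should read `DisplayName: "VPC Flow Logs Known Cryptomining Ports"`. The third test is named `DstPortNotInKnownList-true` but expects false, so `Name: DstPortNotInKnownList-false` would keep the name/result convention of the other two. None of the three tests exercise the address guard or the allow-list in rule(): a case with a listed port but a private dstaddr (or a public srcaddr), expected false, would pin the only non-trivial branch, and if the allow-list is meant to be populated by operators a case with an allowed dstaddr would document that contract. The `Command and Control:Application Layer Protocol` tag does not line up with the Reports mapping to TA0040:T1496 (Impact), which may be worth reconciling so the rule is filed under one technique.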