panther-labs · le4ker · Jul 16, 2024 · Jul 8, 2024 · Jul 8, 2024 · Jul 8, 2024
@@ -25,7 +25,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Set python version
-        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #v5.1.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f #v5.1.1
         with:
           python-version: "3.11"
 

@@ -28,10 +28,10 @@ jobs:
             www.python.org:443
       - name: Checkout panther-analysis
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
-      - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 #v3.0.0
+      - uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee #v3.1.0
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb #v3.3.0
+        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 #v3.4.0
       - name: Build Image
         run: docker buildx build --load -f Dockerfile -t panther-analysis:latest .
       - name: Test Image

@@ -22,7 +22,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Set python version
-        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #v5.1.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f #v5.1.1
         with:
           python-version: "3.11"
 

@@ -4,7 +4,7 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: read    
+  contents: read
 
 jobs:
   release:
@@ -29,7 +29,7 @@ jobs:
           aws-region: ${{ secrets.AWS_REGION }}
           role-session-name: panther-analysis-release
       - name: Install Python
-        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #v5.1.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f #v5.1.1
         with:
           python-version: "3.11"
       - name: Create new panther-analysis release

@@ -23,7 +23,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Set python version
-        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #v5.1.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f #v5.1.1
         with:
           python-version: "3.11"
 

@@ -4,7 +4,7 @@ on:
       - main
 
 permissions:
-  contents: read      
+  contents: read
 
 jobs:
   upload:
@@ -27,7 +27,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Set python version
-        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #v5.1.0
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f #v5.1.1
         with:
           python-version: "3.11"
 

@@ -0,0 +1,48 @@
+AnalysisType: correlation_rule
+RuleID: "AWS.EC2.StopInstance.FOLLOWED.BY.ModifyInstanceAttributes"
+DisplayName: "StopInstance FOLLOWED BY ModifyInstanceAttributes"
+Enabled: true
+Severity: High
+Description: Identifies when StopInstance and ModifyInstanceAttributes CloudTrail events occur in a short period of time. Since EC2 startup scripts cannot be modified without first stopping the instance, StopInstances should be a signal.
+Reference: https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-keys-cryptojacking/
+Reports:
+  MITRE ATT&CK:
+    - TA0002:T1059
+Detection:
+    - Sequence:
+        - ID: StopInstance
+          RuleID: AWS.EC2.StopInstances
+        - ID: StartupScriptChange
+          RuleID: AWS.EC2.Startup.Script.Change
+      Transitions:
+        - ID: StopInstance FOLLOWED BY StartupScriptChange
+          From: StopInstance
+          To: StartupScriptChange
+          Match:
+            - On: p_alert_context.instance_ids
+      LookbackWindowMinutes: 90
+      Schedule:
+        RateMinutes: 60
+        TimeoutMinutes: 1
+Tests:
+    - Name: Instance Stopped, Followed By Script Change
+      ExpectedResult: true
+      RuleOutputs:
+        - ID: StopInstance
+          Matches:
+            p_alert_context.instance_ids:
+              'i-abcdef0123456789a':
+                - "2024-06-01T10:00:01Z"
+        - ID: StartupScriptChange
+          Matches:
+            p_alert_context.instance_ids:
+              'i-abcdef0123456789a':
+                - "2024-06-01T10:01:01Z"
+    - Name: Instance Stopped, Not Followed By Script Change
+      ExpectedResult: false
+      RuleOutputs:
+        - ID: StopInstance
+          Matches:
+            p_alert_context.instance_ids:
+              'i-abcdef0123456789a':
+                - "2024-06-01T10:00:01Z"
@@ -0,0 +1,64 @@
+AnalysisType: correlation_rule
+RuleID: "AWS.Potentially.Stolen.Service.Role"
+DisplayName: "AWS Potentiall Stolen Service Role"
+Enabled: true
+Tags:
+    - AWS
+Severity: High
+Reports:
+  MITRE ATT&CK:
+    - T1528 # Steal Application Access Token
+Description: A role was assumed by an AWS service, followed by a user within 24 hours.  This could indicate a stolen or compromised AWS service role.
+Detection:
+  - Sequence:
+      - ID: Role Assumed by Service
+        RuleID: Role.Assumed.by.AWS.Service
+      - ID: Role Assumed by User
+        RuleID: Role.Assumed.by.User
+    Transitions:
+      - ID: Role Assumed by Service TO Role Assumed by User ON username
+        From: Role Assumed by Service
+        To: Role Assumed by User
+        Match:
+          - On: requestParameters.roleArn
+    Schedule:
+      RateMinutes: 60
+      TimeoutMinutes: 2
+    LookbackWindowMinutes: 1440
+Tests:
+    - Name: Role Assumed By Service, Followed By Role Assumed By User
+      ExpectedResult: true
+      RuleOutputs:
+        - ID: Role Assumed by Service
+          Matches:
+            requestParameters.roleArn:
+              FAKE_ROLE_ARN: [0]
+        - ID: Role Assumed by User
+          Matches:
+            requestParameters.roleArn:
+              FAKE_ROLE_ARN: [30]
+    - Name: Role Assumed By Service, Followed By Different Role Assumed By User
+      ExpectedResult: false
+      RuleOutputs:
+        - ID: Role Assumed by Service
+          Matches:
+            requestParameters.roleArn:
+              FAKE_ROLE_ARN: [0]
+        - ID: Role Assumed by User
+          Matches:
+            requestParameters.roleArn:
+              OTHER_ROLE_ARN: [30]
+    - Name: Role Assumed By Service, Not Followed By Role Assumed By User
+      ExpectedResult: false
+      RuleOutputs:
+        - ID: Role Assumed by Service
+          Matches:
+            requestParameters.roleArn:
+              FAKE_ROLE_ARN: [0]
+    - Name: Role Assumed By User, Not Preceded By Role Assumed By Service
+      ExpectedResult: false
+      RuleOutputs:
+        - ID: Role Assumed by User
+          Matches:
+            requestParameters.roleArn:
+              FAKE_ROLE_ARN: [0]
@@ -0,0 +1,72 @@
+AnalysisType: correlation_rule
+RuleID: "AWS.Privilege.Escalation.Via.User.Compromise"
+DisplayName: "AWS Privilege Escalation Via User Compromise"
+Enabled: true
+Severity: Medium
+Reports:
+  MITRE ATT&CK:
+    - T1098.001 # Additional Cloud Credentials
+Detection:
+    - Sequence:
+        - ID: User Backdoored
+          RuleID: AWS.IAM.Backdoor.User.Keys
+        - ID: User Accessed
+          RuleID: AWS.CloudTrail.UserAccessKeyAuth
+      Transitions:
+        - ID: User Backdoored TO User Accessed ON IP Addr
+          From: User Backdoored
+          To: User Accessed
+          Match:
+            - On: p_alert_context.ip_accessKeyId
+      Schedule:
+        RateMinutes: 15
+        TimeoutMinutes: 2
+      LookbackWindowMinutes: 60
+Tests:
+    - Name: Access Key Created and Used from Same IP
+      ExpectedResult: true
+      RuleOutputs:
+        - ID: User Backdoored
+          Matches:
+            p_alert_context.ip_accessKeyId:
+              1.1.1.1-FAKE_ACCESS_KEY_ID: [0]
+        - ID: User Accessed
+          Matches:
+            p_alert_context.ip_accessKeyId:
+              1.1.1.1-FAKE_ACCESS_KEY_ID: [30]
+    - Name: Access Key Created and Used from Different IPs
+      ExpectedResult: false
+      RuleOutputs:
+        - ID: User Backdoored
+          Matches:
+            p_alert_context.ip_accessKeyId:
+              1.1.1.1-FAKE_ACCESS_KEY_ID: [0]
+        - ID: User Accessed
+          Matches:
+            p_alert_context.ip_accessKeyId:
+              2.2.2.2-FAKE_ACCESS_KEY_ID: [30]
+    - Name: Single IP Creates Access Key, Uses Different Key
+      ExpectedResult: false
+      RuleOutputs:
+        - ID: User Backdoored
+          Matches:
+            p_alert_context.ip_accessKeyId:
+              1.1.1.1-FAKE_ACCESS_KEY_ID: [0]
+        - ID: User Accessed
+          Matches:
+            p_alert_context.ip_accessKeyId:
+              1.1.1.1-OTHER_ACCESS_KEY_ID: [30]
+    - Name: Access Key Created But Not Used
+      ExpectedResult: false
+      RuleOutputs:
+        - ID: User Backdoored
+          Matches:
+            p_alert_context.ip_accessKeyId:
+              1.1.1.1-FAKE_ACCESS_KEY_ID: [0]
+    - Name: Access Key Used But Not Created
+      ExpectedResult: false
+      RuleOutputs:
+        - ID: User Accessed
+          Matches:
+            p_alert_context.ip_accessKeyId:
+              1.1.1.1-FAKE_ACCESS_KEY_ID: [30]
@@ -0,0 +1,61 @@
+AnalysisType: correlation_rule
+RuleID: "AWS.User.Takeover.Via.Password.Reset"
+DisplayName: "AWS User Takeover Via Password Reset"
+Enabled: true
+Severity: High
+Reports:
+  MITRE ATT&CK:
+    - T1098.001 # Additional Cloud Credentials
+Detection:
+    - Sequence:
+        - ID: Password Reset
+          RuleID: AWS.CloudTrail.LoginProfileCreatedOrModified
+        - ID: Login
+          RuleID: AWS.Console.Login
+      Transitions:
+        - ID: Password Reset TO Login ON IP Addr
+          From: Password Reset
+          To: Login
+          Match:
+            - On: sourceIPAddress
+      Schedule:
+        RateMinutes: 15
+        TimeoutMinutes: 2
+      LookbackWindowMinutes: 60
+Tests:
+    - Name: Password Reset, Then Login From Same IP
+      ExpectedResult: true
+      RuleOutputs:
+        - ID: Password Reset
+          Matches:
+            sourceIPAddress:
+              '1.1.1.1': [0]
+        - ID: Login
+          Matches:
+            sourceIPAddress:
+              '1.1.1.1': [5]
+    - Name: Password Reset, Then Login From Different IPs
+      ExpectedResult: false
+      RuleOutputs:
+        - ID: Password Reset
+          Matches:
+            sourceIPAddress:
+              '1.1.1.1': [0]
+        - ID: Login
+          Matches:
+            sourceIPAddress:
+              '2.2.2.2': [5]
+    - Name: Password Reset Without Login
+      ExpectedResult: false
+      RuleOutputs:
+        - ID: Password Reset
+          Matches:
+            sourceIPAddress:
+              '1.1.1.1': [0]
+    - Name: Login Without Password Reset
+      ExpectedResult: false
+      RuleOutputs:
+        - ID: Login
+          Matches:
+            sourceIPAddress:
+              '1.1.1.1': [5]
@@ -0,0 +1,72 @@
+AnalysisType: correlation_rule
+RuleID: "GCP.Cloud.Run.Service.Created.FOLLOWED.BY.Set.IAM.Policy"
+DisplayName: "GCP Cloud Run Service Created FOLLOWED BY Set IAM Policy"
+Enabled: true
+Severity: High
+Description: Detects run.services.create method for privilege escalation in GCP. The exploit creates a new Cloud Run 
+  Service that, when invoked, returns the Service Account's access token by accessing the metadata API of the server 
+  it is running on.
+Reference: https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/
+Runbook: Confirm this was authorized and necessary behavior
+Reports:
+    MITRE ATT&CK:
+        - TA0004:T1548  # Abuse Elevation Control Mechanism
+Detection:
+    - Sequence:
+        - ID: ServiceCreated
+          RuleID: GCP.Cloud.Run.Service.Created
+        - ID: SetIAMPolicy
+          RuleID: GCP.Cloud.Run.Set.IAM.Policy
+      Transitions:
+        - ID: ServiceCreated FOLLOWED BY SetIAMPolicy
+          From: ServiceCreated
+          To: SetIAMPolicy
+          Match:
+            - On: p_alert_context.caller_ip
+      LookbackWindowMinutes: 90
+      Schedule:
+        RateMinutes: 60 
+        TimeoutMinutes: 1
+Tests:
+    - Name: GCP Service Run, Followed By IAM Policy Change From Same IP
+      ExpectedResult: true
+      RuleOutputs:
+        - ID: ServiceCreated
+          Matches:
+            p_alert_context.caller_ip:
+              1.1.1.1:
+                - "2024-06-01T10:00:00Z"
+        - ID: SetIAMPolicy
+          Matches:
+            p_alert_context.caller_ip:
+              1.1.1.1:
+                - "2024-06-01T10:00:01Z"
+    - Name: GCP Service Run, Not Followed By IAM Policy Change
+      ExpectedResult: false
+      RuleOutputs:
+        - ID: ServiceCreated
+          Matches:
+            p_alert_context.caller_ip:
+              1.1.1.1:
+                - "2024-06-01T10:00:00Z"
+    - Name: IAM Policy Change, Not Preceeded By GCP Service Run
+      ExpectedResult: false
+      RuleOutputs:
+        - ID: SetIAMPolicy
+          Matches:
+            p_alert_context.caller_ip:
+              1.1.1.1:
+                - "2024-06-01T10:00:01Z"
+    - Name: GCP Service Run, Followed By IAM Policy Change From Different IP
+      ExpectedResult: false
+      RuleOutputs:
+        - ID: ServiceCreated
+          Matches:
+            p_alert_context.caller_ip:
+              1.1.1.1:
+                - "2024-06-01T10:00:00Z"
+        - ID: SetIAMPolicy
+          Matches:
+            p_alert_context.caller_ip:
+              2.2.2.2:
+                - "2024-06-01T10:00:01Z"