From c6e44679584715c9bc81adb772d9a40bcbeadad0 Mon Sep 17 00:00:00 2001
From: egibs
Date: Mon, 27 Nov 2023 08:31:51 -0600
Subject: [PATCH 1/6] Add rule to alert on known cryptomining ports in VPC flow logs
---
 global_helpers/panther_iocs.py | 33 ++++++++++++
 .../aws_vpc_crypto_ports.py | 31 +++++++++++
 .../aws_vpc_crypto_ports.yml | 53 +++++++++++++++++++
 3 files changed, 117 insertions(+)
 create mode 100644 rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py
 create mode 100644 rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml
diff --git a/global_helpers/panther_iocs.py b/global_helpers/panther_iocs.py
index 90a209e1f..24721dbb5 100644
--- a/global_helpers/panther_iocs.py
+++ b/global_helpers/panther_iocs.py
@@ -163,6 +163,39 @@
 "shscrypto.net",
 }
+CRYPTO_MINING_PORTS = {
+ 25,
+ 3333,
+ 3334,
+ 3335,
+ 3336,
+ 3357,
+ 4444,
+ 5555,
+ 5556,
+ 5588,
+ 5730,
+ 6099,
+ 6641,
+ 6642,
+ 6666,
+ 7777,
+ 7778,
+ 8000,
+ 8001,
+ 8008,
+ 8080,
+ 8118,
+ 8333,
+ 8888,
+ 8899,
+ 9332,
+ 9999,
+ 14433,
+ 14444,
+ 45560,
+ 45700,
+}
 # IOC Helper functions:
 def ioc_match(indicators: list, known_iocs: set) -> list:
diff --git a/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py
new file mode 100644
index 000000000..1450ba307
--- /dev/null
+++ b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py
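Review bot: CRYPTO_MINING_PORTS mixes pool/stratum ports with general-purpose HTTP and proxy ports (8000, 8001, 8008, 8080, 8118, 8888), so any rule that treats membership in this set as an indicator will fire on ordinary outbound web traffic from the first hour it is enabled. The set also carries no comment saying where the list comes from or which entries are high-confidence, which is what a tuner needs when deciding what to allowlist. I would add a header comment such as `# Ports associated with mining pools / stratum; 8000-8888 overlap with common HTTP alternates and need per-environment tuning`, and consider keeping the stratum-only ports in a separate, smaller set that a rule can use for a higher-severity path.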
@@ -0,0 +1,31 @@
+from ipaddress import ip_network
+
+from panther_base_helpers import aws_rule_context
+from panther_iocs import CRYPTO_MINING_PORTS
+
+# List of allowed destination addresses
+# with more commonly-used ports (e.g., 8080)
+ALLOWED_DST_ADDRESSES = {}
+
+
+def rule(event):
+ # Only alert on traffic originating from a private address
+ # and destined for a public address
+ if any(
+ [
+ not ip_network(event.get("srcaddr", "0.0.0.0/0")).is_private,
+ ip_network(event.get("dstaddr", "0.0.0.0/0")).is_private,
+ ]
+ ):
+ return False
+
+ return all(
+ [
+ event.get("dstport") in CRYPTO_MINING_PORTS,
+ event.get("dstaddr") not in ALLOWED_DST_ADDRESSES,
+ ]
+ )
+
+
+def alert_context(event):
+ return aws_rule_context(event)
diff --git a/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml
new file mode 100644
index 000000000..999e1f294
--- /dev/null
+++ b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml
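Review bot: `ALLOWED_DST_ADDRESSES = {}` is an empty dict, not a set, although the comment above it describes a collection of addresses; the `not in` test happens to work on an empty dict, but the first person who fills it in with a `{"203.0.113.10"}` literal silently changes the type, so declare it as `ALLOWED_DST_ADDRESSES = set()`. The guard in rule() also never looks at whether the flow was accepted: VPC flow logs carry an action field with ACCEPT/REJECT, and if the AWS.VPCFlow schema exposes it the rule should drop rejected flows, which are traffic the network already blocked, with something like `if event.get("action") == "REJECT": return False`. Finally, `event.get("dstport") in CRYPTO_MINING_PORTS` compares against an int set, so a string-typed port in the parsed log would never match; worth confirming the schema type, and `ip_network()` will raise on a malformed srcaddr/dstaddr rather than returning False.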
@@ -0,0 +1,53 @@
+AnalysisType: rule
+Filename: aws_vpc_crypto_ports.py
+RuleID: "AWS.VPC.CryptoPorts"
+DisplayName: "VPC Flow Logs Known Cryotomining Ports"
+Enabled: true
+LogTypes:
+ - AWS.VPCFlow
+Tags:
+ - AWS
+ - Configuration Required
+ - Security Control
+ - Command and Control:Application Layer Protocol
+Reports:
+ MITRE ATT&CK:
+ - TA0040:T1496
+Severity: High
+Description: >
+ Alerts if a known cryptomining port is detected in outbound traffic.
+Runbook: >
+ Investigate the host sending traffic over the known cryptomining ports for activity or signs of compromise or other malicious activity. Update network configurations appropriately.
+Reference: https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-keys-cryptojacking/
+SummaryAttributes:
+ - srcaddr
+ - dstaddr
+ - dstport
+Tests:
+ -
+ Name: DstPortInKnownList-true
+ ExpectedResult: true
+ Log:
+ {
+ "dstport": 6641,
+ "dstaddr": "106.58.92.8",
+ "srcaddr": "10.0.0.1"
+ }
+ -
+ Name: DstPortTwoInKnownList-true
+ ExpectedResult: true
+ Log:
+ {
+ "dstport": 9332,
+ "dstaddr": "106.58.92.8",
+ "srcaddr": "10.0.0.1"
+ }
+ -
+ Name: DstPortNotInKnownList-true
+ ExpectedResult: false
+ Log:
+ {
+ "dstport": 443,
+ "dstaddr": "100.100.100.100",
+ "srcaddr": "10.0.0.1"
+ }
From 4ae52a42f22bcdadbf8f250e200db59648d0c48f Mon Sep 17 00:00:00 2001
From: egibs
Date: Mon, 27 Nov 2023 11:44:33 -0600
Subject: [PATCH 2/6] Lower severity; turn off by default
---
 rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml
index 999e1f294..33cf73061 100644
--- a/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml
+++ b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml
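Review bot: `DisplayName: "VPC Flow Logs Known Cryotomining Ports"` misspells cryptomining, and the third test is named `DstPortNotInKnownList-true` while its `ExpectedResult` is false, so it should read `Name: DstPortNotInKnownList-false`. The tests only cover the port-membership branch; nothing exercises the private-destination guard in rule(), so a regression there would pass unnoticed. I would add a fourth case with a listed port to a private destination, `"dstport": 3333, "dstaddr": "10.0.0.2", "srcaddr": "10.0.0.1"` with `ExpectedResult: false`, and one with a public source address to pin the srcaddr check as well.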
@@ -2,7 +2,7 @@ AnalysisType: rule
 Filename: aws_vpc_crypto_ports.py
 RuleID: "AWS.VPC.CryptoPorts"
 DisplayName: "VPC Flow Logs Known Cryotomining Ports"
-Enabled: true
+Enabled: false
 LogTypes:
 - AWS.VPCFlow
 Tags:
@@ -13,7 +13,7 @@ Tags:
 Reports:
 MITRE ATT&CK:
 - TA0040:T1496
-Severity: High
+Severity: Low
 Description: >
 Alerts if a known cryptomining port is detected in outbound traffic.
 Runbook: >
From cf3d5b0fa06e06e24c8b56742012a8ea741726bc Mon Sep 17 00:00:00 2001
From: egibs
Date: Mon, 27 Nov 2023 14:28:00 -0600
Subject: [PATCH 3/6] Add to pack
---
 packs/aws.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packs/aws.yml b/packs/aws.yml
index 8a4632bc6..b1571a424 100644
--- a/packs/aws.yml
+++ b/packs/aws.yml
@@ -129,6 +129,7 @@ PackDefinition:
 - AWS.Redshift.Cluster.Logging
 - AWS.Redshift.Cluster.SnapshotRetention
 - AWS.Redshift.Cluster.VersionUpgrade
+ - AWS.VPC.CryptoPorts
 - AWS.VPC.FlowLogs
 # AWS DataModels
 - Standard.AWS.ALB
From cada7ed5a06610058328e58012826d8eccf39c1a Mon Sep 17 00:00:00 2001
From: egibs
Date: Tue, 28 Nov 2023 11:17:20 -0600
Subject: [PATCH 4/6] Remove SMTP; add reference
---
 global_helpers/panther_iocs.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/global_helpers/panther_iocs.py b/global_helpers/panther_iocs.py
index 24721dbb5..1bfb3e349 100644
--- a/global_helpers/panther_iocs.py
+++ b/global_helpers/panther_iocs.py
@@ -163,8 +163,8 @@
 "shscrypto.net",
 }
+# https://github.com/falcosecurity/rules/blob/64e2adb309b7e07953691eeb53347d28e361b0e3/rules/falco-sandbox_rules.yaml#L1367-L1374
 CRYPTO_MINING_PORTS = {
- 25,
 3333,
 3334,
 3335,
@@ -191,6 +191,8 @@
 8899,
 9332,
 9999,
+ 10300, # stratum
+ 10343, # stratum ssl
 14433,
 14444,
 45560,
From 4c14493cadec85efce7fd84b02e327b63b1f7b40 Mon Sep 17 00:00:00 2001
From: egibs
Date: Tue, 28 Nov 2023 11:19:54 -0600
Subject: [PATCH 5/6] fmt
---
 global_helpers/panther_iocs.py | 4 ++--
 .../gravitational_teleport_rules/teleport_long_lived_certs.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/global_helpers/panther_iocs.py b/global_helpers/panther_iocs.py
index 1bfb3e349..64845261b 100644
--- a/global_helpers/panther_iocs.py
+++ b/global_helpers/panther_iocs.py
@@ -191,8 +191,8 @@
 8899,
 9332,
 9999,
- 10300, # stratum
- 10343, # stratum ssl
+ 10300, # stratum
+ 10343, # stratum ssl
 14433,
 14444,
 45560,
diff --git a/rules/gravitational_teleport_rules/teleport_long_lived_certs.py b/rules/gravitational_teleport_rules/teleport_long_lived_certs.py
index 7056c4482..2c26b0678 100644
--- a/rules/gravitational_teleport_rules/teleport_long_lived_certs.py
+++ b/rules/gravitational_teleport_rules/teleport_long_lived_certs.py
@@ -1,4 +1,4 @@
-from datetime import timedelta, datetime
+from datetime import datetime, timedelta
 from typing import Dict, Tuple
 from panther_base_helpers import (
From d200b80cfd670b0be1664c8a57953ed3dd44a3b6 Mon Sep 17 00:00:00 2001
From: egibs
Date: Tue, 28 Nov 2023 11:25:50 -0600
Subject: [PATCH 6/6] Add monero ports
---
 global_helpers/panther_iocs.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/global_helpers/panther_iocs.py b/global_helpers/panther_iocs.py
index 64845261b..b0d2b7f9d 100644
--- a/global_helpers/panther_iocs.py
+++ b/global_helpers/panther_iocs.py
@@ -195,6 +195,8 @@
 10343, # stratum ssl
 14433,
 14444,
+ 18080, # monero p2p mainnet
+ 18081, # monero rpc mainnet
 45560,
 45700,
 }