From 89a1cd9fa8b86392f7fb6fec6958691f5589d425 Mon Sep 17 00:00:00 2001
From: Evan Gibler
Date: Tue, 28 Nov 2023 16:07:08 -0600
Subject: [PATCH] Revert "Add rule to alert on known cryptomining ports in VPC flow logs (#972)"

This reverts commit 28e3bd779501a26ce9c88382140c2754bd34622b.

---
global_helpers/panther_iocs.py | 37 -------------
packs/aws.yml | 1 -
.../aws_vpc_crypto_ports.py | 31 -----------
.../aws_vpc_crypto_ports.yml | 53 -------------------
4 files changed, 122 deletions(-)
delete mode 100644 rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py
delete mode 100644 rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml

diff --git a/global_helpers/panther_iocs.py b/global_helpers/panther_iocs.py
index 531b48706..10a978550 100644
--- a/global_helpers/panther_iocs.py
+++ b/global_helpers/panther_iocs.py
@@ -348,43 +348,6 @@
 "zer0day.ru",
 }
-# https://github.com/falcosecurity/rules/blob/64e2adb309b7e07953691eeb53347d28e361b0e3/rules/falco-sandbox_rules.yaml#L1367-L1374
-CRYPTO_MINING_PORTS = {
- 3333,
- 3334,
- 3335,
- 3336,
- 3357,
- 4444,
- 5555,
- 5556,
- 5588,
- 5730,
- 6099,
- 6641,
- 6642,
- 6666,
- 7777,
- 7778,
- 8000,
- 8001,
- 8008,
- 8080,
- 8118,
- 8333,
- 8888,
- 8899,
- 9332,
- 9999,
- 10300, # stratum
- 10343, # stratum ssl
- 14433,
- 14444,
- 18080, # monero p2p mainnet
- 18081, # monero rpc mainnet
- 45560,
- 45700,
-}
 # IOC Helper functions:
 def ioc_match(indicators: list, known_iocs: set) -> list:
diff --git a/packs/aws.yml b/packs/aws.yml
index f3b6c5939..865d1eaf2 100644
--- a/packs/aws.yml
+++ b/packs/aws.yml
@@ -130,7 +130,6 @@ PackDefinition:
 - AWS.Redshift.Cluster.Logging
 - AWS.Redshift.Cluster.SnapshotRetention
 - AWS.Redshift.Cluster.VersionUpgrade
- - AWS.VPC.CryptoPorts
 - AWS.VPC.FlowLogs
 # AWS DataModels
 - Standard.AWS.ALB
diff --git a/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py
deleted file mode 100644
index 1450ba307..000000000
--- a/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.py
+++ /dev/null
@@ -1,31 +0,0 @@
-from ipaddress import ip_network
-
-from panther_base_helpers import aws_rule_context
-from panther_iocs import CRYPTO_MINING_PORTS
-
-# List of allowed destination addresses
-# with more commonly-used ports (e.g., 8080)
-ALLOWED_DST_ADDRESSES = {}
-
-
-def rule(event):
- # Only alert on traffic originating from a private address
- # and destined for a public address
- if any(
- [
- not ip_network(event.get("srcaddr", "0.0.0.0/0")).is_private,
- ip_network(event.get("dstaddr", "0.0.0.0/0")).is_private,
- ]
- ):
- return False
-
- return all(
- [
- event.get("dstport") in CRYPTO_MINING_PORTS,
- event.get("dstaddr") not in ALLOWED_DST_ADDRESSES,
- ]
- )
-
-
-def alert_context(event):
- return aws_rule_context(event)
diff --git a/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml b/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml
deleted file mode 100644
index 33cf73061..000000000
--- a/rules/aws_vpc_flow_rules/aws_vpc_crypto_ports.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-AnalysisType: rule
-Filename: aws_vpc_crypto_ports.py
-RuleID: "AWS.VPC.CryptoPorts"
-DisplayName: "VPC Flow Logs Known Cryotomining Ports"
-Enabled: false
-LogTypes:
- - AWS.VPCFlow
-Tags:
- - AWS
- - Configuration Required
- - Security Control
- - Command and Control:Application Layer Protocol
-Reports:
- MITRE ATT&CK:
- - TA0040:T1496
-Severity: Low
-Description: >
- Alerts if a known cryptomining port is detected in outbound traffic.
-Runbook: >
- Investigate the host sending traffic over the known cryptomining ports for activity or signs of compromise or other malicious activity. Update network configurations appropriately.
-Reference: https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-keys-cryptojacking/
-SummaryAttributes:
- - srcaddr
- - dstaddr
- - dstport
-Tests:
- - Name: DstPortInKnownList-true
-ExpectedResult: true
-Log:
-{
-"dstport": 6641,
-"dstaddr": "106.58.92.8",
-"srcaddr": "10.0.0.1"
-}
- - Name: DstPortTwoInKnownList-true
-ExpectedResult: true
-Log:
-{
-"dstport": 9332,
-"dstaddr": "106.58.92.8",
-"srcaddr": "10.0.0.1"
-}
- - Name: DstPortNotInKnownList-true
-ExpectedResult: false
-Log:
-{
-"dstport": 443,
-"dstaddr": "100.100.100.100",
-"srcaddr": "10.0.0.1"
-}