Merge pull request #1338 from panther-labs/release

Prepare for `v3.62.0`

Pipfile

@@ -19,7 +19,7 @@ wrapt = "~=1.15"
 [packages]
 policyuniverse = "==1.5.1.20230817"
 requests = "==2.31.0"
-panther-analysis-tool = "~=0.51"
+panther-analysis-tool = "~=0.52.1"
 panther-detection-helpers = "==0.4.0"
 
 [requires]

correlation_rules/aws_potentially_compromised_service_role_cr.yml

@@ -8,7 +8,7 @@ Tags:
 Severity: Info
 Reports:
  MITRE ATT&CK:
- - T1528 # Steal Application Access Token
+ - TA0006:T1528 # Steal Application Access Token
 Description: A role was assumed by an AWS service, followed by a user within 24 hours. This could indicate a stolen or compromised AWS service role.
 Detection:
  - Sequence:

correlation_rules/aws_privilege_escalation_via_user_compromise.yml

@@ -5,7 +5,7 @@ Enabled: true
 Severity: Medium
 Reports:
  MITRE ATT&CK:
- - T1098.001 # Additional Cloud Credentials
+ - TA0004:T1098.001 # Additional Cloud Credentials
 Detection:
  - Sequence:
  - ID: User Backdoored

correlation_rules/aws_user_takeover_via_password_reset.yml

@@ -5,7 +5,7 @@ Enabled: true
 Severity: High
 Reports:
  MITRE ATT&CK:
- - T1098.001 # Additional Cloud Credentials
+ - TA0004:T1098.001 # Additional Cloud Credentials
 Detection:
  - Sequence:
  - ID: Password Reset

correlation_rules/okta_login_without_push.yml

@@ -7,8 +7,8 @@ Tags:
  - Configuration Required
 Reports:
  MITRE ATT&CK:
- - T1212 # Exploitation for Credential Access
- - T1539 # Steal Web Session Cookie
+ - TA0006:T1212 # Exploitation for Credential Access
+ - TA0006:T1539 # Steal Web Session Cookie
 Severity: Critical
 Detection:
  - Sequence:

correlation_rules/potential_compromised_okta_credentials.yml

@@ -7,8 +7,8 @@ Tags:
  - Configuration Required
 Reports:
  MITRE ATT&CK:
- - T1212 # Exploitation for Credential Access
- - T1539 # Steal Web Session Cookie
+ - TA0006:T1212 # Exploitation for Credential Access
+ - TA0006:T1539 # Steal Web Session Cookie
 Severity: Critical
 Detection:
  - Sequence:

correlation_rules/secret_exposed_and_not_quarantined.yml

@@ -7,7 +7,7 @@ Tags:
 Severity: High
 Reports:
  MITRE ATT&CK:
- - T1552.001
+ - TA0006:T1552.001
 Description: The rule detects when a GitHub Secret Scan detects an exposed secret, which is not followed by the expected quarantine operation in AWS. When you make a repository public, or push changes to a public repository, GitHub always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If secret scanning detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them.
 Reference: https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning
 Detection:

global_helpers/crowdstrike_event_streams_helpers.py

@@ -2,6 +2,22 @@
 
 
 def cs_alert_context(event):
+ return audit_keys_dict(event)
+
+
+def audit_keys_dict(event):
  return key_value_list_to_dict(
  event.deep_get("event", "AuditKeyValues", default=[]), "Key", "ValueString"
  )
+
+
+def str_to_list(liststr: str) -> list[str]:
+ """Several crowdstrike values are returned as a list like "[x y z]". This function convetrs
+ such entries to Python list of strings, like: ["x", "y", "z"]."""
+ # Return empty list for empty string
+ if not liststr:
+ return []
+ # Validate
+ if liststr[0] != "[" or liststr[-1] != "]":
+ raise ValueError(f"Invalid list string: {liststr}")
+ return [x.strip() for x in liststr[1:-1].split(" ")]

global_helpers/panther_iocs.py

@@ -1,71 +1,5 @@
 # pylint: disable=line-too-long
 
-# 2022-06-02 Confluence 0-Day IOCs:
-# https://github.com/volexity/threat-intel/blob/main/2022/2022-06-02%20Active%20Exploitation%20Of%20Confluence%200-day/indicators/indicators.csv
-VOLEXITY_CONFLUENCE_IP_IOCS = {
- "156.146.34.46",
- "156.146.34.9",
- "156.146.56.136",
- "198.147.22.148",
- "45.43.19.91",
- "66.115.182.102",
- "66.115.182.111",
- "67.149.61.16",
- "154.16.105.147",
- "64.64.228.239",
- "156.146.34.52",
- "154.146.34.145",
- "221.178.126.244",
- "59.163.248.170",
- "98.32.230.38",
-}
-
-# SUNBURST IOCs:
-# https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
-# Last accessed: 2021-11-17
-SUNBURST_FQDN_IOCS = {
- "databasegalore.com",
- "deftsecurity.com",
- "freescanonline.com",
- "highdatabase.com",
- "incomeupdate.com",
- "panhardware.com",
- "thedoccloud.com",
- "websitetheme.com",
- "zupertech.com",
- "6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com",
- "7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com",
- "gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com",
- "ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com",
- "k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com",
- "mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com",
-}
-
-SUNBURST_IP_IOCS = {"0.0.0.1"}
-
-# https://github.com/mandiant/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_Hashes.csv
-# Last accessed: 2021-11-17
-SUNBURST_SHA256_IOCS = {
- "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
- "292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712",
- "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
- "53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7",
- "abe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417",
- "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
- "d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600",
-}
-
-# LOG4J IOCs:
-# IPs Pulled from the following sources, deduped and compiled here.
-# https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217
-# https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv
-# https://raw.githubusercontent.com/Malwar3Ninja/Exploitation-of-Log4j2-CVE-2021-44228/main/Threatview.io-log4j2-IOC-list
-# Created 12-13-21
-
-LOG4J_IP_IOCS = {
- # The rule using this set has been deprecated and disabled by default
- "0.0.0.1"
-}
 
 # Example sources:
 # - https://www.fastly.com/blog/new-data-and-insights-into-log4shell-attacks-cve-2021-44228

packs/crowdstrike_event_streams.yml

@@ -3,7 +3,17 @@ PackID: PantherManaged.CrowdstrikeEventStreams
 Description: Group of all Crowdstrike Event Stream detections
 PackDefinition:
  IDs:
+ - crowdstrike_event_streams_helpers
+ - panther_base_helpers
+
+ - Crowdstrike.AdminRoleAssigned
+ - Crowdstrike.AllowlistRemoved
  - Crowdstrike.API.Key.Created
  - Crowdstrike.API.Key.Deleted
- - panther_base_helpers
- - crowdstrike_event_streams_helpers
+ - Crowdstrike.EphemeralUserAccount
+ - Crowdstrike.IpAllowlistChanged
+ - Crowdstrike.NewAdminUserCreated
+ - Crowdstrike.NewUserCreated
+ - Crowdstrike.SingleIpAllowlisted
+ - Crowdstrike.UserDeleted
+ - Crowdstrike.UserPasswordChange

packs/github.yml

@@ -14,11 +14,12 @@ PackDefinition:
  - GitHub.Org.Modified
  - Github.Repo.CollaboratorChange
  - Github.Repo.Created
- - GitHub.Repo.HookModified
+ #- GitHub.Repo.HookModified
  - GitHub.Repo.InitialAccess
  - Github.Repo.VisibilityChange
  - GitHub.Secret.Scanning.Alert.Created
  - GitHub.Team.Modified
+ - GitHub.Webhook.Modified
  - GitHub.User.AccessKeyCreated
  - GitHub.User.RoleUpdated
  - Github.Organization.App.Integration.Installed

queries/aws_queries/aws_potentially_compromised_service_role.yml

@@ -7,7 +7,7 @@ Tags:
 Severity: High
 Reports:
  MITRE ATT&CK:
- - T1528 # Steal Application Access Token
+ - TA0006:T1528 # Steal Application Access Token
 Description: A role was assumed by an AWS service, followed by a user within 24 hours. This could indicate a stolen or compromised AWS service role.
 Filename: scheduled_rule_default.py
 ScheduledQueries:

rules/auth0_rules/auth0_user_invitation_created.yml

@@ -4,6 +4,7 @@ Enabled: true
 Filename: auth0_user_invitation_created.py
 Reference: https://auth0.com/docs/manage-users/organizations/configure-organizations/invite-members
 Severity: Info
+CreateAlert: false
 Tests:
  - ExpectedResult: true
  Log:

rules/auth0_rules/auth0_user_joined_tenant.yml

@@ -6,6 +6,7 @@ Filename: auth0_user_joined_tenant.py
 RuleID: Auth0.User.Joined.Tenant
 Reference: https://auth0.com/docs/manage-users/organizations/configure-organizations/invite-members#send-membership-invitations:~:text=.-,Send%20membership%20invitations,-You%20can
 Severity: Info
+CreateAlert: false
 LogTypes:
  - Auth0.Events
 Tests:

rules/aws_cloudtrail_rules/aws_cloudtrail_account_discovery.yml

@@ -8,6 +8,7 @@ Reports:
  MITRE ATT&CK:
  - TA0007:T1087
 Severity: Info
+CreateAlert: false
 Tests:
  - ExpectedResult: true
  Log:

rules/aws_cloudtrail_rules/aws_ec2_traffic_mirroring.py

@@ -12,9 +12,9 @@ def rule(event):
  "DeleteTrafficMirrorFilterRule",
  "DeleteTrafficMirrorSession",
  "DeleteTrafficMirrorTarget",
- "DescribeTrafficMirrorFilters",
- "DescribeTrafficMirrorSessions",
- "DescribeTrafficMirrorTargets",
+ # "DescribeTrafficMirrorFilters",
+ # "DescribeTrafficMirrorSessions",
+ # "DescribeTrafficMirrorTargets",
  "ModifyTrafficMirrorFilterNetworkServices",
  "ModifyTrafficMirrorFilterRule",
  "ModifyTrafficMirrorSession",
@@ -28,9 +28,6 @@ def rule(event):
 
 
 def title(event):
- # (Optional) Return a string which will be shown as the alert title.
- # If no 'dedup' function is defined, the return value of this method will
- # act as deduplication string.
  return (
  f"{event.get('userIdentity',{}).get('arn','no-type')} ec2 activity found for "
  f"{event.get('eventName')} in account {event.get('recipientAccountId')} "
@@ -39,12 +36,8 @@ def title(event):
 
 
 def dedup(event):
- # (Optional) Return a string which will be used to deduplicate similar alerts.
- # Dedupe based on user identity, to not include multiple events from the same identity.
  return f"{event.get('userIdentity',{}).get('arn','no-user-identity-provided')}"
 
 
 def alert_context(event):
- # (Optional) Return a dictionary with additional data to be included
- # in the alert sent to the SNS/SQS/Webhook destination
  return aws_rule_context(event)

rules/aws_cloudtrail_rules/aws_ec2_traffic_mirroring.yml

@@ -10,6 +10,13 @@ Tags:
  - AWS
  - Cloudtrail
  - MITRE
+DedupPeriodMinutes: 1440
+LogTypes:
+ - AWS.CloudTrail
+RuleID: "AWS.EC2.Traffic.Mirroring"
+SummaryAttributes:
+ - userIdentity.type
+Threshold: 1
 Tests:
  - ExpectedResult: true
  Log:
@@ -341,7 +348,7 @@ Tests:
  webIdFederationData: {}
  type: AssumedRole
  Name: DeleteTrafficMirrorTarget
- - ExpectedResult: true
+ - ExpectedResult: false
  Log:
  awsRegion: us-east-1
  eventCategory: Management
@@ -553,10 +560,3 @@ Tests:
  "type": "AssumedRole",
  },
  }
-DedupPeriodMinutes: 60
-LogTypes:
- - AWS.CloudTrail
-RuleID: "AWS.EC2.Traffic.Mirroring"
-SummaryAttributes:
- - userIdentity.type
-Threshold: 1

rules/aws_cloudtrail_rules/aws_ecr_crud.yml

@@ -14,7 +14,8 @@ Reports:
  - 3.12
  MITRE ATT&CK:
  - TA0005:T1525
-Severity: High
+Severity: Info
+CreateAlert: false
 Description: Unauthorized ECR Create, Read, Update, or Delete event occurred.
 Runbook: https://docs.aws.amazon.com/AmazonECR/latest/userguide/logging-using-cloudtrail.html
 Reference: https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam.html#security_iam_authentication

rules/aws_cloudtrail_rules/aws_ecr_events.yml

@@ -12,7 +12,8 @@ Tags:
 Reports:
  MITRE ATT&CK:
  - TA0005:T1535
-Severity: Medium
+Severity: Info
+CreateAlert: false
 Description: An ECR event occurred outside of an expected account or region
 Runbook: https://docs.aws.amazon.com/AmazonECR/latest/userguide/logging-using-cloudtrail.html
 Reference: https://aws.amazon.com/blogs/containers/amazon-ecr-in-multi-account-and-multi-region-architectures/

rules/aws_cloudtrail_rules/aws_iam_group_read_only_events.yml

@@ -6,6 +6,7 @@ Filename: aws_iam_group_read_only_events.py
 Reference: https://attack.mitre.org/techniques/T1069/
 Runbook: Examine other activities done by this user to determine whether or not activity is suspicious.
 Severity: Info
+CreateAlert: false
 Tags:
  - AWS
  - Cloudtrail

rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

@@ -8,7 +8,8 @@ Reports:
  MITRE ATT&CK:
  - TA0009:T1530
 Runbook: Investigate all actions taken and validate that the ARN conducting the acitivty was not compromised
-Severity: High
+Severity: Info
+CreateAlert: false
 DedupPeriodMinutes: 60
 Threshold: 1
 SummaryAttributes:

rules/aws_cloudtrail_rules/aws_snapshot_made_public.py

@@ -3,6 +3,8 @@
 from panther_base_helpers import aws_rule_context, deep_get
 from panther_default import aws_cloudtrail_success
 
+IS_SINGLE_USER_SHARE = False # Used to adjust severity
+
 
 def rule(event):
  if not aws_cloudtrail_success(event):
@@ -19,11 +21,20 @@ def rule(event):
  if not isinstance(item, (Mapping, dict)):
  continue
  if item.get("userId") or item.get("group") == "all":
+ global IS_SINGLE_USER_SHARE # pylint: disable=global-statement
+ IS_SINGLE_USER_SHARE = "userId" in item # Used for dynamic severity
  return True
  return False
 
  return False
 
 
+def severity(_):
+ # Set severity to INFO if only shared with a single user
+ if IS_SINGLE_USER_SHARE:
+ return "INFO"
+ return "DEFAULT"
+
+
 def alert_context(event):
  return aws_rule_context(event)