Crypto DNS rule (#526)
calkim-panther authored Oct 6, 2022
1 parent 3b27376 commit 218c27f
Showing 4 changed files with 238 additions and 0 deletions.
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -66,3 +66,6 @@ dist/

# Jetbrains
.idea

#mac files
.DS_Store
73 changes: 73 additions & 0 deletions global_helpers/panther_iocs.py
Expand Up @@ -90,6 +90,79 @@
"${::-j", # example: ${${::-j}${::-n}di:${::-l}d${::-a}p://example.com:1234/callback}
}

CRYPTO_MINING_DOMAINS = {
"monerohash.com",
"do-dear.com",
"xmrminerpro.com",
"secumine.net",
"xmrpool.com",
"minexmr.org",
"hashanywhere.com",
"xmrget.com",
"mininglottery.eu",
"minergate.com",
"moriaxmr.com",
"multipooler.com",
"moneropools.com",
"xmrpool.eu",
"coolmining.club",
"minexmr.com",
"xmrpool.net",
"crypto-pool.fr",
"xmr.pt",
"miner.rocks",
"walpool.com",
"herominers.com",
"gntl.co.uk",
"semipool.com",
"coinfoundry.org",
"cryptoknight.cc",
"fairhash.org",
"baikalmine.com",
"tubepool.xyz",
"fairpool.xyz",
"asiapool.io",
"coinpoolit.webhop.me",
"nanopool.org",
"moneropool.com",
"miner.center",
"prohash.net",
"poolto.be",
"cryptoescrow.eu",
"monerominers.net",
"cryptonotepool.org",
"extrmepool.org",
"webcoin.me",
"kippo.eu",
"hashinvest.ws",
"monero.farm",
"supportxmr.com",
"linux-repository-updates.com",
"1gh.com",
"dwarfpool.com",
"hash-to-coins.com",
"hashvault.pro",
"pool-proxy.com",
"hashfor.cash",
"fairpool.cloud",
"litecoinpool.org",
"mineshaft.ml",
"abcxyz.stream",
"moneropool.ru",
"cryptonotepool.org.uk",
"extremepool.org",
"extremehash.com",
"hashinvest.net",
"unipool.pro",
"crypto-pools.org",
"monero.net",
"backup-pool.com",
"mooo.com",
"freeyy.me",
"cryptonight.net",
"shscrypto.net",
}

# IOC Helper functions:
def ioc_match(indicators: list, known_iocs: set) -> list:
"""Matches a set of indicators against known Indicators of Compromise
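Review bot: CRYPTO_MINING_DOMAINS carries no provenance or review-date comment, and a few entries look like they need one more look before being used as DNS suffixes: `mooo.com` appears to be a shared dynamic-DNS base domain rather than a pool (if so, a suffix match on it fires for every host registered under it), and both `extrmepool.org` and `extremepool.org` are present, which suggests one is a typo carried over from the upstream list. The set is consumed by the suffix match in rules/aws_vpc_flow_rules/aws_dns_crypto_domain.py in this same commit, so an over-broad entry turns directly into false positives at Severity High. I would add a header comment above the set such as `# Source: <LIST_SOURCE_PLACEHOLDER>, last reviewed <DATE_PLACEHOLDER>. Entries are matched as DNS suffixes; shared hosting or dynamic-DNS base domains belong here only if every host under them should alert.` and verify the two entries above against that source. The ioc_match definition at the end of the hunk continues outside it.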
21 changes: 21 additions & 0 deletions rules/aws_vpc_flow_rules/aws_dns_crypto_domain.py
@@ -0,0 +1,21 @@
from panther_iocs import CRYPTO_MINING_DOMAINS


def rule(event):
query_name = event.get("query_name")
for domain in CRYPTO_MINING_DOMAINS:
if query_name.rstrip(".").endswith(domain):
return True
return False


def title(event):
return (
f"[{event.get('srcaddr')}:{event.get('srcport')}] "
"made a DNS query for crypto mining domain: "
f"[{event.get('query_name')}]."
)


def dedup(event):
return f"{event.get('srcaddr')}"
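Review bot: The `endswith(domain)` test in rule() has no label boundary, so any query name whose registered domain merely ends with the same characters as a list entry matches — e.g. a constructed name like `example-moneropool.ru` ends with `moneropool.ru` and would alert although it is a different domain; short entries such as `xmr.pt` or `1gh.com` make this more likely. The same line also assumes `query_name` is present: `event.get("query_name")` returns None for a record without that field and `.rstrip` then raises AttributeError, and the comparison is case-sensitive while DNS names are not. Checking equality or a `"." + domain` suffix on a lowercased name, with an early return for a missing field, fixes all three without changing the YAML tests' expected results.
```python
def rule(event):
    """Alert when the queried name is, or is a subdomain of, a known mining-pool domain."""
    query_name = event.get("query_name")
    if not query_name:
        return False
    # DNS is case-insensitive and names may carry a trailing root dot.
    name = query_name.rstrip(".").lower()
    return any(
        name == domain or name.endswith("." + domain)
        for domain in CRYPTO_MINING_DOMAINS
    )

# … unchanged: title, dedup …
```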
141 changes: 141 additions & 0 deletions rules/aws_vpc_flow_rules/aws_dns_crypto_domain.yml
@@ -0,0 +1,141 @@
AnalysisType: rule
Description: Identifies clients that may be performing DNS lookups associated with common currency mining pools.
DisplayName: AWS DNS Crypto Domain
Enabled: true
Filename: aws_dns_crypto_domain.py
Reports:
MITRE ATT&CK:
- TA0040:T1496
Severity: High
Tests:
- ExpectedResult: false
Log:
account_id: "0123456789"
answers:
- Class: IN
Rdata: 1.2.3.4
Type: A
query_class: IN
query_name: dynamodb.us-west-2.amazonaws.com
query_timestamp: "2022-06-25 00:27:53"
query_type: A
rcode: NOERROR
region: us-west-2
srcaddr: 5.6.7.8
srcids:
instance: i-0abc234
srcport: "8888"
transport: UDP
version: "1.100000"
vpc_id: vpc-abc123
Name: Non Crypto Query
- ExpectedResult: false
Log:
account_id: "0123456789"
answers:
- Class: IN
Rdata: 1.2.3.4
Type: A
query_class: IN
query_name: dynamodb.us-west-2.amazonaws.com.
query_timestamp: "2022-06-25 00:27:53"
query_type: A
rcode: NOERROR
region: us-west-2
srcaddr: 5.6.7.8
srcids:
instance: i-0abc234
srcport: "8888"
transport: UDP
version: "1.100000"
vpc_id: vpc-abc123
Name: Non Crypto Query Trailing Period
- ExpectedResult: true
Log:
account_id: "0123456789"
answers:
- Class: IN
Rdata: 1.2.3.4
Type: A
query_class: IN
query_name: moneropool.ru
query_timestamp: "2022-06-25 00:27:53"
query_type: A
rcode: NOERROR
region: us-west-2
srcaddr: 5.6.7.8
srcids:
instance: i-0abc234
srcport: "8888"
transport: UDP
version: "1.100000"
vpc_id: vpc-abc123
Name: Crypto Query
- ExpectedResult: true
Log:
account_id: "0123456789"
answers:
- Class: IN
Rdata: 1.2.3.4
Type: A
query_class: IN
query_name: abc.abc.moneropool.ru
query_timestamp: "2022-06-25 00:27:53"
query_type: A
rcode: NOERROR
region: us-west-2
srcaddr: 5.6.7.8
srcids:
instance: i-0abc234
srcport: "8888"
transport: UDP
version: "1.100000"
vpc_id: vpc-abc123
Name: Crypto Query Subdomain
- ExpectedResult: true
Log:
account_id: "0123456789"
answers:
- Class: IN
Rdata: 1.2.3.4
Type: A
query_class: IN
query_name: moneropool.ru.
query_timestamp: "2022-06-25 00:27:53"
query_type: A
rcode: NOERROR
region: us-west-2
srcaddr: 5.6.7.8
srcids:
instance: i-0abc234
srcport: "8888"
transport: UDP
version: "1.100000"
vpc_id: vpc-abc123
Name: Crypto Query Trailing Period
- ExpectedResult: true
Log:
account_id: "0123456789"
answers:
- Class: IN
Rdata: 1.2.3.4
Type: A
query_class: IN
query_name: abc.abc.moneropool.ru.
query_timestamp: "2022-06-25 00:27:53"
query_type: A
rcode: NOERROR
region: us-west-2
srcaddr: 5.6.7.8
srcids:
instance: i-0abc234
srcport: "8888"
transport: UDP
version: "1.100000"
vpc_id: vpc-abc123
Name: Crypto Query Subdomain Trailing Period
DedupPeriodMinutes: 60
LogTypes:
- AWS.VPCDns
RuleID: AWS.DNS.Crypto.Domain
Threshold: 1
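Review bot: The Tests block exercises exact, subdomain and trailing-dot forms of a listed domain but has no negative case for a name that only shares a character suffix with a list entry, so the unanchored `endswith` in the rule is not caught by the suite; a test named along the lines of "Non Crypto Query Shared Suffix" with a constructed `query_name: example-moneropool.ru` and `ExpectedResult: false` would pin the intended boundary behaviour. Two further fixtures would be cheap: an uppercase or mixed-case variant of `moneropool.ru` with `ExpectedResult: true`, since DNS names are case-insensitive, and a log record with no `query_name` field at all with `ExpectedResult: false`, to confirm the rule does not error on incomplete records. Each fixture can copy the existing Log shape and change only the `query_name` line.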
