Prepare for 3.46.0 (#1156)

* converted is_private to not is_global (#1150)

Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* Rework base64 recognition to use python functions rather than regex (#1146)

* base64 rules use python funtions not regex

* better alertcontext for standard_dns_base64

* command line tools as global var

* regex and length checks for edge cases

* new global_helper for is_base64()

* renames .yaml files to .yml (#1151)

* THREAT-240 GCP compute.instance.create AttributeError (#1152)

* Add GCP.IAM.serviceAccounts.getAccessToken.Privilege.Escalation rule (#1149)

* Add GCP.IAM.serviceAccounts.getAccessToken.Privilege.Escalation  rule

* Add GCP.IAM.serviceAccounts.signBlob rule

* Lolbas tuning (#1147)

* lower severity and set disabled false

* lower severity and disable

* Update PAT to 0.43.0 (#1154)

* fix - Several GCP rules with NoneType errors (#1155)

* Fixed IndexOutOfRange error in get_zoom_usergroup_context (#1141)

* Use correct key when retrieving string_set in Okta Stolen Session Rule (#1142)

* Fix key when retrieving string_set in Okta Stolen Session Rule

* fmt

* rolling back changes related to simple_rules dir (#1143)

Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* typo fix: gcp_privilege_escalation_by_deploymants (#1140)

* Update PAT to 0.42.0 (#1145)

Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* converted is_private to not is_global (#1150)

Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* Rework base64 recognition to use python functions rather than regex (#1146)

* base64 rules use python funtions not regex

* better alertcontext for standard_dns_base64

* command line tools as global var

* regex and length checks for edge cases

* new global_helper for is_base64()

* renames .yaml files to .yml (#1151)

* THREAT-241 Several GCP rules with NoneType errors

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: kjihso <133820431+kjihso@users.noreply.github.com>
Co-authored-by: darwayne <darwaynelynch@gmail.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: kjihso <133820431+kjihso@users.noreply.github.com>
Co-authored-by: darwayne <darwaynelynch@gmail.com>

Pipfile

@@ -19,7 +19,7 @@ wrapt = "~=1.15"
 [packages]
 policyuniverse = "==1.5.1.20230817"
 requests = "==2.31.0"
-panther-analysis-tool = "~=0.42"
+panther-analysis-tool = "~=0.43"
 panther-detection-helpers = "==0.2.0"
 
 [requires]

data_models/crowdstrike_fdr_data_model.py

@@ -6,7 +6,7 @@ def get_dns_query(event):
     # Domain Names from Crowdstrike FDR end with a trailing period, such as google.com.
     domain = deep_get(event, "event", "DomainName", default=None)
     if domain:
-        domain = domain.rstrip(".").lower()
+        domain = domain.rstrip(".")
     return domain
 
 

global_helpers/panther_base_helpers.py

@@ -1,5 +1,7 @@
 import json
 import re
+from base64 import b64decode
+from binascii import Error as AsciiError
 from collections import OrderedDict
 from collections.abc import Mapping
 from datetime import datetime
@@ -505,3 +507,19 @@ def golang_nanotime_to_python_datetime(golang_time: str) -> datetime:
     golang_time_micros_rounded = golang_time_micros[0:6]
     golang_time_rounded = re.sub(r"\.\d+Z", f".{golang_time_micros_rounded}Z", golang_time)
     return datetime.strptime(golang_time_rounded, golang_time_format)
+
+
+def is_base64(b64: str) -> str:
+    # if the string is base64 encoded, return the decoded ASCII string
+    # otherwise return an empty string
+    # handle false positives for very short strings
+    if len(b64) < 12:
+        return ""
+    # Check if the matched string can be decoded back into ASCII
+    try:
+        return b64decode(b64).decode("ascii")
+    except AsciiError:
+        pass
+    except UnicodeDecodeError:
+        pass
+    return ""

packs/crowdstrike.yml

@@ -14,7 +14,6 @@ PackDefinition:
     - Crowdstrike.Reverse.Shell.Tool.Executed
     - Crowdstrike.WMI.Query.Detection
     - Crowdstrike.Base64EncodedArgs
-    - Crowdstrike.FDR.LOLBAS
     - Standard.DNSBase64
     - Crowdstrike.Macos.Add.Trusted.Cert
     - Crowdstrike.Macos.Plutil.Usage

packs/gcp_audit.yml

@@ -39,6 +39,10 @@ PackDefinition:
     - GCP.VPC.Flow.Logs.Disabled
     - GCP.Workforce.Pool.Created.or.Updated
     - GCP.Workload.Identity.Pool.Created.or.Updated
+    - GCP.IAM.serviceAccounts.getAccessToken.Privilege.Escalation
+    - GCP.IAM.serviceAccounts.signJwt.Privilege.Escalation
+    - GCP.compute.instances.create.Privilege.Escalation
+    - GCP.IAM.serviceAccounts.signBlob
     # Data model
     - Standard.GCP.AuditLog
     # Globals used in these rules/policies

rules/aws_eks_rules/source_ip_multiple_403.py

@@ -18,7 +18,7 @@ def rule(event):
     if not event.get("requestURI", "").startswith(("/api/", "/apis/")):
         return False
     p_eks = eks_panther_obj_ref(event)
-    if ip_address(p_eks.get("sourceIPs")[0]).is_private:
+    if not ip_address(p_eks.get("sourceIPs")[0]).is_global:
         return False
     return True
 

rules/aws_eks_rules/system_namespace_public_ip.py

@@ -27,7 +27,7 @@ def rule(event):
         return False
     if (
         p_eks.get("actor").startswith("system:") or p_eks.get("actor").startswith("eks:")
-    ) and not ip_address(p_eks.get("sourceIPs")[0]).is_private:
+    ) and ip_address(p_eks.get("sourceIPs")[0]).is_global:
         return True
     return False
 

rules/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.py

@@ -20,13 +20,13 @@ def rule(event):
     # Only monitor for traffic coming from non-private IP space
     #
     # Defaults to True (no alert) if 'srcaddr' key is not present
-    if ip_network(event.get("srcaddr", "0.0.0.0/32")).is_private:
+    if not ip_network(event.get("srcaddr", "0.0.0.0/32")).is_global:
         return False
 
     # Alert if the traffic is destined for internal IP addresses
     #
     # Defaults to False (no alert) if 'dstaddr' key is not present
-    return ip_network(event.get("dstaddr", "1.0.0.0/32")).is_private
+    return not ip_network(event.get("dstaddr", "1.0.0.0/32")).is_global
 
 
 def alert_context(event):

rules/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.py

@@ -18,13 +18,13 @@ def rule(event):
     # Only monitor for traffic coming from non-private IP space
     #
     # Defaults to True (no alert) if 'srcaddr' key is not present
-    if ip_network(event.get("srcaddr", "0.0.0.0/32")).is_private:
+    if not ip_network(event.get("srcaddr", "0.0.0.0/32")).is_global:
         return False
 
     # Alert if the traffic is destined for internal IP addresses
     #
     # Defaults to False(no alert) if 'dstaddr' key is not present
-    return ip_network(event.get("dstaddr", "1.0.0.0/32")).is_private
+    return not ip_network(event.get("dstaddr", "1.0.0.0/32")).is_global
 
 
 def alert_context(event):

rules/aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.py

@@ -19,7 +19,7 @@ def rule(event):
     # Only monitor traffic that is originating internally
     #
     # Defaults to True (no alert) if 'srcaddr' key is not present
-    if not ip_network(event.get("srcaddr", "0.0.0.0/32")).is_private:
+    if ip_network(event.get("srcaddr", "0.0.0.0/32")).is_global:
         return False
 
     # No clean way to default to False (no alert), so explicitly check for key