Skip to content

Commit

Permalink
Merge pull request #1299 from panther-labs/release
Browse files Browse the repository at this point in the history
Prepare for 3.58
  • Loading branch information
ben-githubs authored Jul 23, 2024
2 parents 8ddde32 + c952bf2 commit 52a7c63
Show file tree
Hide file tree
Showing 15 changed files with 316 additions and 30 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/check-packs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
with:
disable-sudo: true
egress-policy: block
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/docker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ jobs:
name: Build Dockerfile
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
with:
disable-sudo: true
egress-policy: block
Expand All @@ -28,10 +28,10 @@ jobs:
www.python.org:443
- name: Checkout panther-analysis
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
- uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee #v3.1.0
- uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 #v3.4.0
uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 #v3.5.0
- name: Build Image
run: docker buildx build --load -f Dockerfile -t panther-analysis:latest .
- name: Test Image
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
with:
disable-sudo: true
egress-policy: block
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.PANTHER_BOT_AUTOMATION_TOKEN }}
steps:
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
with:
egress-policy: audit
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
with:
disable-sudo: true
egress-policy: block
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/upload.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ jobs:
API_HOST: ${{ secrets.API_HOST }}
API_TOKEN: ${{ secrets.API_TOKEN }}
steps:
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
with:
egress-policy: audit
- name: Validate Secrets
Expand Down
4 changes: 3 additions & 1 deletion global_helpers/panther_base_helpers.py
Original file line number Diff line number Diff line change
Expand Up @@ -521,9 +521,11 @@ def is_base64(b64: str) -> str:
# handle false positives for very short strings
if len(b64) < 12:
return ""
# Pad args with "=" to ensure proper decoding
b64 = b64.ljust((len(b64) + 3) // 4 * 4, "=")
# Check if the matched string can be decoded back into ASCII
try:
return b64decode(b64).decode("ascii")
return b64decode(b64, validate=True).decode("ascii")
except AsciiError:
pass
except UnicodeDecodeError:
Expand Down
5 changes: 3 additions & 2 deletions rules/crowdstrike_rules/crowdstrike_base64_encoded_args.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,9 @@ def rule(event):

# Split arguments from process path
command_line_args = event.udm("cmd")
command_line_args = command_line_args.replace('"', "")
command_line_args = command_line_args.replace("'", "")
command_line_args = command_line_args.replace('"', " ")
command_line_args = command_line_args.replace("'", " ")
command_line_args = command_line_args.replace("=", " ")
command_line_args = command_line_args.split(" ")[1:]

# Check if Base64 encoded arguments are present in the command line
Expand Down
183 changes: 183 additions & 0 deletions rules/crowdstrike_rules/crowdstrike_base64_encoded_args.yml
Original file line number Diff line number Diff line change
Expand Up @@ -502,6 +502,67 @@ Tests:
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: Command Line Tool Execution without Base64 Argument (Negative) 6
ExpectedResult: false
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": '"C:\Windows\system32\cmd.exe" /Q /C ""C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\uninstall.cmd" --dir="C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0""',
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: Command Line Tool Execution without Base64 Argument (Negative) 7
ExpectedResult: false
Log:
{
Expand Down Expand Up @@ -562,3 +623,125 @@ Tests:
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: base64 quoted argument
ExpectedResult: true
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": '/usr/bin/somebinary --b64="aGVsbG8taXMtaXQtbWUteW91cmUtbG9va2luZy1mb3IK"',
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: base64 prefixed argument
ExpectedResult: true
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": '/usr/bin/somebinary --b64=aGVsbG8taXMtaXQtbWUteW91cmUtbG9va2luZy1mb3==',
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
3 changes: 2 additions & 1 deletion rules/gcp_audit_rules/gcp_cloud_run_service_created.py
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,8 @@ def rule(event):
if deep_get(event, "severity") == "ERROR":
return False

if not deep_get(event, "protoPayload", "methodName").endswith("Services.CreateService"):
method_name = deep_get(event, "protoPayload", "methodName", default="")
if not method_name.endswith("Services.CreateService"):
return False

authorization_info = deep_walk(event, "protoPayload", "authorizationInfo")
Expand Down
41 changes: 41 additions & 0 deletions rules/gcp_audit_rules/gcp_cloud_run_service_created.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,47 @@ Severity: Low
DedupPeriodMinutes: 60
Threshold: 1
Tests:
- Name: GCP No methodName found
ExpectedResult: false
Log:
{
"p_event_time": "2024-07-22 14:20:56.237323088",
"p_log_type": "GCP.AuditLog",
"insertId": "123456789xyz",
"logName": "projects/internal-sentry/logs/cloudaudit.googleapis.com%2Factivity",
"protoPayload":
{
"at_sign_type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo":
{
"principalEmail": "0000000000000@cloudbuild.gserviceaccount.com",
},
"authorizationInfo":
[
{
"granted": true,
"permission": "cloudbuild.builds.create",
"resource": "projects/00000000aaaaaaaa",
"resourceAttributes": {},
},
],
"requestMetadata":
{
"destinationAttributes": {},
"requestAttributes":
{ "auth": {}, "time": "2024-07-22T14:20:55.898367039Z" },
},
},
"receiveTimestamp": "2024-07-22 14:20:56.428021476",
"resource":
{
"labels":
{ "method": "", "project_id": "some-project", "service": "" },
"type": "audited_resource",
},
"severity": "NOTICE",
"timestamp": "2024-07-22 14:20:56.237323088",
}
- Name: GCP Run Service Created
ExpectedResult: true
Log:
Expand Down
3 changes: 2 additions & 1 deletion rules/gcp_audit_rules/gcp_cloud_run_set_iam_policy.py
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,8 @@ def rule(event):
if deep_get(event, "severity") == "ERROR":
return False

if not deep_get(event, "protoPayload", "methodName").endswith("Services.SetIamPolicy"):
method_name = deep_get(event, "protoPayload", "methodName", default="")
if not method_name.endswith("Services.SetIamPolicy"):
return False

authorization_info = deep_walk(event, "protoPayload", "authorizationInfo")
Expand Down
Loading

0 comments on commit 52a7c63

Please sign in to comment.