-
Notifications
You must be signed in to change notification settings - Fork 176
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AWS Honeypot Detections threat-306 #1252
Conversation
AWS Security Finding rules on decoy AWS resources: https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/
😱 [INFO][root]: ignoring file dependabot.yml |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shortened descriptions and added final newline
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
more shortening lol
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed final newline
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added multi line string
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
* Prepare for `3.53.0` (#1232) * Replace panther_analysis_tool import with updated import (#1230) * Update Action versions; use SHAs (#1231) * Update Action versions; use SHAs * Add dependabot.yml to keep Actions updated * Update PAT to 0.49.0 * auth0-cic-credential-stuffing rule and query (#1246) * Add saved queries for ongoing Snowflake threats (#1248) * Add saved queries for ongoing Snowflake threats * Add limits Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * snowflake pack * Add scheduled queries and rules Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * pack update * ruleID fix * make fmt Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Fix merge conflicts Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Turn off by default Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com> * Update panther-core to 0.10.1 via PAT (#1249) Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Tweak Snowflake queries (#1250) * Tweak Snowflake queries Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Remove configuration drift query from Pack Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Threat Hunting queries are okay Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Fix comment Workflow Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * 12 hours -> 1 day Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * Fixed typo in README.md (#1253) fixed 'unintall' typo to 'npm uninstall prettier' * build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@f086349...17d0e2b) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255) * OCSF data model, VPC/DNS (#1214) * Deprecate GreyNoise detections (#1205) * Deprecate GreyNoise detections * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml * Update cloudflare_httpreq_bot_high_volume_greynoise.yml --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * fix - Notion Login From New Location - NoneType error (#1206) * fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix * remove codeowners (#1208) * fix - GCP rules - AttributeError (#1210) * fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix * MITRE ATT&CK Mappings for MS Rules (#1209) * added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * traildiscover enrichment with managed schema (#1177) * traildiscover enrichment with managed schema * Add npm install in dockerfile (#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs <keybase@egibs.xyz> * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (#1190) Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> * Update PAT to 0.46.0 (#1216) * THREAT-278 OCSF data model, VPC --------- Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Evan Gibler <evan.gibler@panther.com> * fix: consider deny rules for ssh network acl policy (#1236) * fix: consider deny rules for ssh network acl policy * Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py * Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * AWS Honeypot Detections threat-306 (#1252) * AWS Honeypot Detections threat-306 AWS Security Finding rules on decoy AWS resources: https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/ * Update decoy_dynamodb_accessed.py * Update decoy_iam_assumed.py * Update decoy_s3_accessed.py * Update decoy_secret_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_dynamodb_accessed.py * Update decoy_iam_assumed.py * Update decoy_s3_accessed.py * Update decoy_secret_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_secret_accessed.py * Update decoy_s3_accessed.py * Update decoy_iam_assumed.py * Update decoy_dynamodb_accessed.py * Update decoy_systems_manager_parameter_accessed.py * reformatted and linted * removed unused methods * fixed trailing lines * add decoy rules as a pack --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Evan Gibler <evan.gibler@panther.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com> Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>
* Update aws_console_login_without_mfa.py is_new_account has been checking with only recipientAccountId but our new aws account indicator creation rule has been checking for "new_account - recipientAccountId" * Update aws_console_login_without_mfa.py Casted str to account for NoneType * Update new_user_account_logging.py Added an alternative string in the case udm user is empty * Update new_user_account_logging.yml add mock test * Standard user creation fixes (#1256) * Prepare for `3.53.0` (#1232) * Replace panther_analysis_tool import with updated import (#1230) * Update Action versions; use SHAs (#1231) * Update Action versions; use SHAs * Add dependabot.yml to keep Actions updated * Update PAT to 0.49.0 * auth0-cic-credential-stuffing rule and query (#1246) * Add saved queries for ongoing Snowflake threats (#1248) * Add saved queries for ongoing Snowflake threats * Add limits Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * snowflake pack * Add scheduled queries and rules Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * pack update * ruleID fix * make fmt Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Fix merge conflicts Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Turn off by default Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com> * Update panther-core to 0.10.1 via PAT (#1249) Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Tweak Snowflake queries (#1250) * Tweak Snowflake queries Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Remove configuration drift query from Pack Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Threat Hunting queries are okay Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Fix comment Workflow Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * 12 hours -> 1 day Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * Fixed typo in README.md (#1253) fixed 'unintall' typo to 'npm uninstall prettier' * build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@f086349...17d0e2b) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255) * OCSF data model, VPC/DNS (#1214) * Deprecate GreyNoise detections (#1205) * Deprecate GreyNoise detections * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml * Update cloudflare_httpreq_bot_high_volume_greynoise.yml --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * fix - Notion Login From New Location - NoneType error (#1206) * fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix * remove codeowners (#1208) * fix - GCP rules - AttributeError (#1210) * fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix * MITRE ATT&CK Mappings for MS Rules (#1209) * added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * traildiscover enrichment with managed schema (#1177) * traildiscover enrichment with managed schema * Add npm install in dockerfile (#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs <keybase@egibs.xyz> * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (#1190) Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> * Update PAT to 0.46.0 (#1216) * THREAT-278 OCSF data model, VPC --------- Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Evan Gibler <evan.gibler@panther.com> * fix: consider deny rules for ssh network acl policy (#1236) * fix: consider deny rules for ssh network acl policy * Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py * Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * AWS Honeypot Detections threat-306 (#1252) * AWS Honeypot Detections threat-306 AWS Security Finding rules on decoy AWS resources: https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/ * Update decoy_dynamodb_accessed.py * Update decoy_iam_assumed.py * Update decoy_s3_accessed.py * Update decoy_secret_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_dynamodb_accessed.py * Update decoy_iam_assumed.py * Update decoy_s3_accessed.py * Update decoy_secret_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_secret_accessed.py * Update decoy_s3_accessed.py * Update decoy_iam_assumed.py * Update decoy_dynamodb_accessed.py * Update decoy_systems_manager_parameter_accessed.py * reformatted and linted * removed unused methods * fixed trailing lines * add decoy rules as a pack --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Evan Gibler <evan.gibler@panther.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com> Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Evan Gibler <evan.gibler@panther.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com> Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>
* AWS Honeypot Detections threat-306 AWS Security Finding rules on decoy AWS resources: https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/ * Update decoy_dynamodb_accessed.py * Update decoy_iam_assumed.py * Update decoy_s3_accessed.py * Update decoy_secret_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_dynamodb_accessed.py * Update decoy_iam_assumed.py * Update decoy_s3_accessed.py * Update decoy_secret_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_secret_accessed.py * Update decoy_s3_accessed.py * Update decoy_iam_assumed.py * Update decoy_dynamodb_accessed.py * Update decoy_systems_manager_parameter_accessed.py * reformatted and linted * removed unused methods * fixed trailing lines * add decoy rules as a pack --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
* Update aws_console_login_without_mfa.py is_new_account has been checking with only recipientAccountId but our new aws account indicator creation rule has been checking for "new_account - recipientAccountId" * Update aws_console_login_without_mfa.py Casted str to account for NoneType * Update new_user_account_logging.py Added an alternative string in the case udm user is empty * Update new_user_account_logging.yml add mock test * Standard user creation fixes (#1256) * Prepare for `3.53.0` (#1232) * Replace panther_analysis_tool import with updated import (#1230) * Update Action versions; use SHAs (#1231) * Update Action versions; use SHAs * Add dependabot.yml to keep Actions updated * Update PAT to 0.49.0 * auth0-cic-credential-stuffing rule and query (#1246) * Add saved queries for ongoing Snowflake threats (#1248) * Add saved queries for ongoing Snowflake threats * Add limits Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * snowflake pack * Add scheduled queries and rules Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * pack update * ruleID fix * make fmt Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Fix merge conflicts Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Turn off by default Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com> * Update panther-core to 0.10.1 via PAT (#1249) Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Tweak Snowflake queries (#1250) * Tweak Snowflake queries Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Remove configuration drift query from Pack Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Threat Hunting queries are okay Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Fix comment Workflow Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * 12 hours -> 1 day Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * Fixed typo in README.md (#1253) fixed 'unintall' typo to 'npm uninstall prettier' * build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@f086349...17d0e2b) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255) * OCSF data model, VPC/DNS (#1214) * Deprecate GreyNoise detections (#1205) * Deprecate GreyNoise detections * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml * Update cloudflare_httpreq_bot_high_volume_greynoise.yml --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * fix - Notion Login From New Location - NoneType error (#1206) * fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix * remove codeowners (#1208) * fix - GCP rules - AttributeError (#1210) * fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix * MITRE ATT&CK Mappings for MS Rules (#1209) * added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * traildiscover enrichment with managed schema (#1177) * traildiscover enrichment with managed schema * Add npm install in dockerfile (#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs <keybase@egibs.xyz> * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (#1190) Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> * Update PAT to 0.46.0 (#1216) * THREAT-278 OCSF data model, VPC --------- Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Evan Gibler <evan.gibler@panther.com> * fix: consider deny rules for ssh network acl policy (#1236) * fix: consider deny rules for ssh network acl policy * Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py * Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * AWS Honeypot Detections threat-306 (#1252) * AWS Honeypot Detections threat-306 AWS Security Finding rules on decoy AWS resources: https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/ * Update decoy_dynamodb_accessed.py * Update decoy_iam_assumed.py * Update decoy_s3_accessed.py * Update decoy_secret_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_dynamodb_accessed.py * Update decoy_iam_assumed.py * Update decoy_s3_accessed.py * Update decoy_secret_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_secret_accessed.py * Update decoy_s3_accessed.py * Update decoy_iam_assumed.py * Update decoy_dynamodb_accessed.py * Update decoy_systems_manager_parameter_accessed.py * reformatted and linted * removed unused methods * fixed trailing lines * add decoy rules as a pack --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Evan Gibler <evan.gibler@panther.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com> Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Evan Gibler <evan.gibler@panther.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com> Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>
Goal
Detect access to AWS honeypot resources
Categorization
Honeypots, Deception
Strategy Abstract
This post focuses on another approach of creating private decoy resources in your account that are intended to look legitimate, but don’t have any useful or sensitive data and are not exposed publicly. These decoys are designed to alert you about suspicious activities that could indicate AWS credentials exposure or account compromise. You can use the decoys in conjunction with other techniques, such as creating deception environments and public and private honeypots to better detect suspicious activity in your accounts and applications.
Technical Context
Technical Context provides detailed information and background needed for a responder to understand all components of the alert. This should appropriately link to any platform or tooling knowledge and should include information about the direct aspects of the alert. The goal of the Technical Context section is to provide a self-contained reference for a responder to make a judgement call on any potential alert, even if they do not have direct subject matter expertise on the ADS itself.
Blind Spots and Assumptions
You must have created a CloudTrail trail to log management events for the AWS account in the Region where you deploy the private decoys. This trail can be created locally in the account or can be an organization trail. Ensure that you have enabled both read and write events, and enabled all AWS KMS events in the trail (this is the default configuration).
False Positives
You should ensure that your monitoring services and tools are configured to query the configuration of resources and not the data stored in resources. Otherwise, you might get a large volume of false positives because every time a resource is accessed, a custom finding is created in Security Hub. For example, consider a service like Security Hub Security Standards checks, or a cloud security posture management (CSPM) tool that monitors your S3 buckets by describing the properties of all buckets in your account. Such tools will find the decoy S3 bucket and will interrogate its configuration by making calls such as GetBucketPolicy and GetBucketLogging. However, as long as these tools don’t try to read data in the bucket through calls such as GetObject, the EventBridge rules that are configured as described in this post won’t generate a finding.
Validation
S3 object access
aws s3 cp s3://<bucket_name/object_name> /tmp
aws s3 cp s3://<bucket_name/object_name> s3://<any_existing_bucket>
IAM role assumption
aws sts assume-role –role-arn <role_name> –role-session-name BlogTestRole
Secrets Manager access
aws secretsmanager get-secret-value –secret-id <secret_name>
Parameter Store access
aws ssm get-parameters –names <ssm_parameter> –with-decryption
DynamoDB table scan
aws dynamodb scan –table-name <table_name>
Priority
High
Response
Imagine that an unauthorized user has obtained credentials for your account. This could also be an insider, malicious or careless, using their valid credentials inappropriately. The unauthorized user might use these credentials to invoke AWS API calls to list resources in your account. As the next step, they might try to access resources that are commonly used to store sensitive data—such as objects in Amazon Simple Storage Service (Amazon S3) buckets, secrets in AWS Secrets Manager, or items in Amazon DynamoDB. They might also try to elevate their privileges by assuming other Identity and Access Management (IAM) roles in your account. In your role as a security professional, your task is to detect this suspicious behaviour and take actions in response.
Additional Resources
https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/
https://github.com/aws-samples/aws-private-decoy-resources