From c46016b4e5e4d27443fc5ec518388bd3a36fa894 Mon Sep 17 00:00:00 2001 From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com> Date: Tue, 10 Sep 2024 15:55:41 -0600 Subject: [PATCH 1/6] adding questions --- .../mitre-attck-execution-attack-paths.json | 258 +++++++++++++++++- 1 file changed, 255 insertions(+), 3 deletions(-) diff --git a/rule-packs/mitre-attck-execution-attack-paths.json b/rule-packs/mitre-attck-execution-attack-paths.json index d315036..cc5d2df 100644 --- a/rule-packs/mitre-attck-execution-attack-paths.json +++ b/rule-packs/mitre-attck-execution-attack-paths.json @@ -1,4 +1,4 @@ - [ +[ { "name": "execution-command-and-scripting-unix-aws-ssm-malicious-binary", "description": "This query will use ssm inventories to return iterations of XZ versions 5.6.0 and 5.6.1 via aws ssm.", 
@@ -94,5 +94,257 @@ } ], "alertLevel": "HIGH" - } - ] + }, + { + "name": "execution-cloud-administration-command-privileged-account-management-azure", + "description": "M1026 - Limit the number of cloud accounts with permissions to remotely execute commands on virtual machines, and ensure that these are not used for day-to-day operations. In Azure, limit the number of accounts with the roles Azure Virtual Machine Contributer and above, and consider using temporary Just-in-Time (JIT) roles to avoid permanently assigning privileged access to virtual machines.", + "queries": [ + { + "name": "query0", + "query": "FIND azure_subscription THAT RELATES TO (azure_role_definition|azure_role_assignment) WITH actions ~= 'owner' OR actions ~= 'contributor'", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "execution-command-and-scripting-interpreter-antivirus", + "description": "M1049 - Anti-virus can be used to automatically quarantine suspicious files.", + "queries": [ + { + "name": "query0", + "query": "FIND HostAgent WITH function = 'anti-malware' THAT !(PROTECTS | MANAGES | ASSIGNED | MONITORS) (Device | Host)", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "execution-command-and-scripting-interpreter-execution-prevention-application-control-assessment", + "description": "M1038 - Use application control where appropriate. 
For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., Add-Type).", + "queries": [ + { + "name": "query0", + "query": "FIND azure_subscription THAT RELATES TO (azure_role_definition|azure_role_assignment) WITH actions ~= 'owner' OR actions ~= 'contributor'", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "execution-command-and-scripting-interpreter-execution-prevention-application-control-policy", + "description": "M1038 - Use application control where appropriate. For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., Add-Type).", + "queries": [ + { + "name": "query0", + "query": "FIND azure_subscription THAT HAS azure_policy_assignment THAT USES azure_policy_set_definition THAT !CONTAINS azure_policy_definition WITH displayName ~= /application control/i", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "execution-container-administration-command-execution-prevention-read-only-containers", + "description": "M1038 - Use read-only containers, read-only file systems, and minimal images when possible to prevent the execution of commands. 
Where possible, also consider using application control and software restriction tools (such as those provided by SELinux) to restrict access to files, processes, and system calls in containers.", + "queries": [ + { + "name": "query0", + "query": "FIND Container WITH readOnly != true", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "execution-container-administration-command-user-account-management", + "description": "M1018 - Enforce authentication and role-based access control on the container service to restrict users to the least privileges required.", + "queries": [ + { + "name": "query0", + "query": "FIND (kube_cluster|kube_namespace) THAT !CONTAINS (kube_role|kube_role_binding)", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "execution-deploy-container-audit", + "description": "M1047 - Scan images before deployment, and block those that are not in compliance with security policies. In Kubernetes environments, the admission controller can be used to validate images after a container deployment request is authenticated but before the container is deployed.", + "queries": [ + { + "name": "query0", + "query": "FIND Image WITH isScanned != true AND state = 'Succeeded'", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "execution-scheduled-task-job-user-account-management-gcp-task-restrict", + "description": "M1018 - Limit privileges of Google Cloud user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.", + "queries": [ + { + "name": "query0", + "query": "FIND google_user WITH admin != true THAT ASSIGNED << google_iam_binding WITH permissions ~= /scheduler/i", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "execution-scheduled-task-job-user-account-management-aws-task-restrict", + "description": "M1018 - Limit privileges of AWS user accounts and remediate Privilege Escalation vectors so only 
authorized administrators can create scheduled tasks on remote systems.", + "queries": [ + { + "name": "query0", + "query": "FIND aws_iam_user THAT HAS << aws_iam THAT HAS >> aws_iam_policy WITH arn ~= /AmazonECSTaskExecutionRolePolicy/i OR arn ~= /AmazonECS_FullAccess/i", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "execution-serverless-execution-user-account-management-aws-serverless-restrict", + "description": "M1018 - Remove permissions to create, modify, or run lambda resources from users that do not explicitly require them.", + "queries": [ + { + "name": "query0", + "query": "FIND aws_iam_user THAT HAS << aws_iam THAT HAS >> aws_iam_role with arn ~= /AWSLambdaBasicExecutionRole/i or arn ~= /AWSLambda_FullAccess/i", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "execution-serverless-execution-user-account-management-gcp-serverless-restrict", + "description": "M1018 - Remove permissions to create, modify, or run cloudrun resources from users that do not explicitly require them.", + "queries": [ + { + "name": "query0", + "query": "FIND (google_iam_role|google_iam_binding) WITH permissions ~= /run./i", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "execution-software-deployment-tools-mfa", + "description": "M1032 - Ensure proper system and access isolation for critical network systems through use of multi-factor authentication.", + "queries": [ + { + "name": "query0", + "query": "FIND User WITH mfaEnabled != true THAT !(ASSIGNED|USES|HAS) mfa_device", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "execution-software-deployment-tools-network-segmentation-aws", + "description": "M1030 - Ensure proper system isolation for critical network systems through use of firewalls in AWS.", + "queries": [ + { + "name": "query0", + "query": "FIND aws_instance THAT !PROTECTS << Firewall THAT ALLOWS << (Internet|Host|Network)", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { 
+ "name": "execution-software-deployment-tools-network-segmentation-gcp", + "description": "M1030 - Ensure proper system isolation for critical network systems through use of firewalls in Google Cloud.", + "queries": [ + { + "name": "query0", + "query": "FIND google_compute_network THAT !PROTECTS << google_compute_firewall THAT ALLOWS << (Internet|Host|Network)", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "execution-software-deployment-tools-password-policies", + "description": "M1027 - Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network.", + "queries": [ + { + "name": "query0", + "query": "FIND PasswordPolicy WITH historyCount < 10 OR historyCount=undefined", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "execution-software-deployment-tools-update-software", + "description": "M1051 - Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation.", + "queries": [ + { + "name": "query0", + "query": "FIND aws_patch_group THAT HAS aws_instance", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "execution-user-execution-malicious-link-user-training", + "description": "M1017 - Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.", + "queries": [ + { + "name": "query0", + "query": "FIND (Person|User) THAT !COMPELTED Training WITH required = true", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "execution-user-execution-malicious-file-execution-prevention", + "description": "M1038 - Application control may be able to prevent the running of executables masquerading as other files.", + "queries": [ + { + "name": "query0", + "query": "FIND azure_subscription THAT !PERFORMED Assessment WITH displayName ~= /application control/i", + "version": "v1" + } 
+ ], + "alertLevel": "HIGH" + }, + { + "name": "execution-user-execution-malicious-file-user-training", + "description": "M1017 - Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.", + "queries": [ + { + "name": "query0", + "query": "FIND (Person|User) THAT !COMPELTED Training WITH required = true", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "execution-user-execution-malicious-image-approved-image", + "description": "M1047 - Audit images deployed within the environment to ensure they do not contain any malicious components.", + "queries": [ + { + "name": "query0", + "query": "Find (aws_instance|docker_container|server) THAT USES Image WITH approved!=true", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, + { + "name": "execution-user-execution-malicious-image-audit-image", + "description": "M1047 - Audit images deployed within the environment to ensure they do not contain any malicious components.", + "queries": [ + { + "name": "query0", + "query": "FIND Container THAT !HAS Assessment", + "version": "v1" + } + ], + "alertLevel": "HIGH" + }, +] From 036faa65bc39f011a9d8fbf5024277d29c796b1c Mon Sep 17 00:00:00 2001 From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com> Date: Tue, 10 Sep 2024 15:56:36 -0600 Subject: [PATCH 2/6] bumping package.json --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 49ab3d9..fae222e 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@jupiterone/jupiterone-alert-rules", - "version": "0.35.0", + "version": "0.36.0", "description": "Alert rule packages for the JupiterOne platform", "scripts": { "validate": "tsx ./scripts/validate.ts" From c7f14831d679d58fb22dfbba7c88c5b4dea04974 Mon Sep 17 00:00:00 2001 
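Review bot: The `execution-command-and-scripting-interpreter-execution-prevention-application-control-assessment` rule carries the Azure owner/contributor role query verbatim from the privileged-account rule above it, so it alerts on role assignments and never checks for the application-control assessment its M1038 description promises; the `execution-user-execution-malicious-file-execution-prevention` rule further down shows what looks like the intended pattern, `FIND azure_subscription THAT !PERFORMED Assessment WITH displayName ~= /application control/i`. The GCP serverless rule's filter `permissions ~= /run./i` leaves the dot unescaped, so it also matches any permission containing `run` plus one more character (`runtime`, `running`); escaping it as `/run\\./i` in the JSON source narrows it to the Cloud Run `run.` permission prefix. The Azure query's `actions ~= 'owner'` is a case-sensitive substring test on the role's action strings, whereas built-in role names such as "Virtual Machine Contributor" are usually found in a name field; worth confirming against the graph schema that `actions` is the property that carries that text.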
From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com> Date: Tue, 10 Sep 2024 15:57:49 -0600 Subject: [PATCH 3/6] remove , --- rule-packs/mitre-attck-execution-attack-paths.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rule-packs/mitre-attck-execution-attack-paths.json b/rule-packs/mitre-attck-execution-attack-paths.json index cc5d2df..c94074a 100644 --- a/rule-packs/mitre-attck-execution-attack-paths.json +++ b/rule-packs/mitre-attck-execution-attack-paths.json @@ -346,5 +346,5 @@ } ], "alertLevel": "HIGH" - }, + } ] From ffc3a3fdd5c1a1c5a7c1a6f7f385a37d9c83c1bb Mon Sep 17 00:00:00 2001 From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com> Date: Thu, 12 Sep 2024 16:52:14 -0600 Subject: [PATCH 4/6] adjusting queries to be correct --- rule-packs/mitre-attck-execution-attack-paths.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rule-packs/mitre-attck-execution-attack-paths.json b/rule-packs/mitre-attck-execution-attack-paths.json index c94074a..d2e7dd9 100644 --- a/rule-packs/mitre-attck-execution-attack-paths.json +++ b/rule-packs/mitre-attck-execution-attack-paths.json @@ -120,7 +120,7 @@ "alertLevel": "HIGH" }, { - "name": "execution-command-and-scripting-interpreter-execution-prevention-application-control-assessment", + "name": "execution-command-and-scripting-interpreter-execution-prevention-application-control-assessment-azure", "description": "M1038 - Use application control where appropriate. For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., Add-Type).", "queries": [ { 
@@ -132,7 +132,7 @@ "alertLevel": "HIGH" }, { - "name": "execution-command-and-scripting-interpreter-execution-prevention-application-control-policy", + "name": "execution-command-and-scripting-interpreter-execution-prevention-application-control-policy-azure", "description": "M1038 - Use application control where appropriate. For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., Add-Type).", "queries": [ { @@ -197,7 +197,7 @@ "queries": [ { "name": "query0", - "query": "FIND aws_iam_user THAT HAS << aws_iam THAT HAS >> aws_iam_policy WITH arn ~= /AmazonECSTaskExecutionRolePolicy/i OR arn ~= /AmazonECS_FullAccess/i", + "query": "FIND aws_iam_user (THAT RELATES TO aws_iam_role)? THAT ASSIGNED aws_iam_policy THAT RELATES TO as rel (aws_ecs|aws_ecs_task) WHERE rel.actions ~= ('ecs:*' or 'ecs:RunTask' or 'ecs:Run*' or 'ecs:CreateService' or 'ecs:UpdateService')", "version": "v1" } ], @@ -209,7 +209,7 @@ "queries": [ { "name": "query0", - "query": "FIND aws_iam_user THAT HAS << aws_iam THAT HAS >> aws_iam_role with arn ~= /AWSLambdaBasicExecutionRole/i or arn ~= /AWSLambda_FullAccess/i", + "query": "FIND aws_iam_user (THAT RELATES TO aws_iam_role)? THAT ASSIGNED aws_iam_policy THAT RELATES TO as rel (aws_lambda_function|aws_lambda) WHERE rel.actions ~= ('lambda:CreateFunction' or 'lambda:DeleteFunction' or 'lambda:UpdateFunctionCode' or 'lambda:UpdateFunctionConfiguration')", "version": "v1" } ], From 26626b62b931efbfb8f831faaa90adc7d25f7a1f Mon Sep 17 00:00:00 2001 From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com> Date: Fri, 13 Sep 2024 11:15:35 -0600 Subject: [PATCH 5/6] fixing a few things --- .../mitre-attck-execution-attack-paths.json | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) 
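Review bot: In the rewritten ECS query the filter `rel.actions ~= ('ecs:*' or 'ecs:RunTask' or 'ecs:Run*' or 'ecs:CreateService' or 'ecs:UpdateService')` is a substring match against ECS-prefixed strings, so a policy whose action is a bare `"*"` (AdministratorAccess-style) never matches, and the broadest principals are exactly the ones the rule misses; appending `OR rel.actions = '*'` to the WHERE clause closes that gap, and the Lambda query in the next hunk has the same shape and the same blind spot. The rule name and M1018 text still speak of scheduled tasks, while `ecs:RunTask`/`ecs:CreateService` cover ad-hoc and service launches; if EventBridge-scheduled tasks are the intent, `events:PutRule`, `events:PutTargets` and `iam:PassRole` are the permissions that actually let a principal schedule execution. The `(THAT RELATES TO aws_iam_role)?` traversal is optional, so the query only finds users with a direct path to a policy unless the graph happens to link them through a role — presumably fine for JupiterOne's AWS integration, but worth verifying on real data.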
diff --git a/rule-packs/mitre-attck-execution-attack-paths.json b/rule-packs/mitre-attck-execution-attack-paths.json index d2e7dd9..8dde4cc 100644 --- a/rule-packs/mitre-attck-execution-attack-paths.json +++ b/rule-packs/mitre-attck-execution-attack-paths.json @@ -285,7 +285,7 @@ "version": "v1" } ], - "alertLevel": "HIGH" + "alertLevel": "INFO" }, { "name": "execution-user-execution-malicious-link-user-training", @@ -293,7 +293,7 @@ "queries": [ { "name": "query0", - "query": "FIND (Person|User) THAT !COMPELTED Training WITH required = true", + "query": "FIND (Person|User) THAT !COMPLETED Training WITH required = true", "version": "v1" } ], @@ -317,7 +317,7 @@ "queries": [ { "name": "query0", - "query": "FIND (Person|User) THAT !COMPELTED Training WITH required = true", + "query": "FIND (Person|User) THAT !COMPLETED Training WITH required = true", "version": "v1" } ], @@ -334,17 +334,5 @@ } ], "alertLevel": "HIGH" - }, - { - "name": "execution-user-execution-malicious-image-audit-image", - "description": "M1047 - Audit images deployed within the environment to ensure they do not contain any malicious components.", - "queries": [ - { - "name": "query0", - "query": "FIND Container THAT !HAS Assessment", - "version": "v1" - } - ], - "alertLevel": "HIGH" } ] From 1c941b9a5a64702170b84aa9859aaafd6e89024d Mon Sep 17 00:00:00 2001 From: mikiodehartj1 <113941652+mikiodehartj1@users.noreply.github.com> Date: Fri, 13 Sep 2024 11:22:02 -0600 Subject: [PATCH 6/6] adding lambda:* --- rule-packs/mitre-attck-execution-attack-paths.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rule-packs/mitre-attck-execution-attack-paths.json b/rule-packs/mitre-attck-execution-attack-paths.json index 8dde4cc..6885761 100644 --- a/rule-packs/mitre-attck-execution-attack-paths.json +++ b/rule-packs/mitre-attck-execution-attack-paths.json 
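Review bot: Lowering `execution-software-deployment-tools-update-software` to `INFO` in the `@@ -285` hunk does not address the underlying problem that its query, `FIND aws_patch_group THAT HAS aws_instance` (introduced earlier in this series; the query line sits outside this hunk), returns the instances that already belong to a patch group, i.e. the compliant set, so the rule can never surface an unpatched host. If the intent is to flag instances without patch management, the query should be negated from the instance side, e.g. `FIND aws_instance THAT !RELATES TO aws_patch_group`, at which point the original HIGH level is appropriate again. The `COMPELTED` → `COMPLETED` fixes and the removal of the duplicate audit-image rule look right.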
@@ -209,7 +209,7 @@ "queries": [ { "name": "query0", - "query": "FIND aws_iam_user (THAT RELATES TO aws_iam_role)? THAT ASSIGNED aws_iam_policy THAT RELATES TO as rel (aws_lambda_function|aws_lambda) WHERE rel.actions ~= ('lambda:CreateFunction' or 'lambda:DeleteFunction' or 'lambda:UpdateFunctionCode' or 'lambda:UpdateFunctionConfiguration')", + "query": "FIND aws_iam_user (THAT RELATES TO aws_iam_role)? THAT ASSIGNED aws_iam_policy THAT RELATES TO as rel (aws_lambda_function|aws_lambda) WHERE rel.actions ~= ('lambda:CreateFunction' or 'lambda:DeleteFunction' or 'lambda:UpdateFunctionCode' or 'lambda:UpdateFunctionConfiguration' or 'lambda:*')", "version": "v1" } ],
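Review bot: The Lambda action list now includes `lambda:*`, but the rule's description says "create, modify, or run" and `lambda:InvokeFunction` — the permission that lets a principal run existing functions, which is the serverless-execution technique this rule exists for — is still absent; adding `or 'lambda:InvokeFunction'` to the list addresses that. Because `~=` is a substring test against specific strings, a policy granting a bare `"*"` or a wildcard such as `lambda:Update*` still does not match, so `OR rel.actions = '*'` on the WHERE clause (and, if the graph supports it, a regex rather than a literal list) is needed to catch the broadest grants. The rest of the rule object is outside this hunk.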