Merge pull request #1299 from panther-labs/release

Prepare for 3.58

.github/workflows/check-packs.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/docker.yml

@@ -11,7 +11,7 @@ jobs:
     name: Build Dockerfile
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -28,10 +28,10 @@ jobs:
             www.python.org:443
       - name: Checkout panther-analysis
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
-      - uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee #v3.1.0
+      - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 #v3.4.0
+        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 #v3.5.0
       - name: Build Image
         run: docker buildx build --load -f Dockerfile -t panther-analysis:latest .
       - name: Test Image

.github/workflows/lint.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/release.yml

@@ -15,7 +15,7 @@ jobs:
     env:
       GITHUB_TOKEN: ${{ secrets.PANTHER_BOT_AUTOMATION_TOKEN }}
     steps:
-      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7

.github/workflows/test.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/upload.yml

@@ -14,7 +14,7 @@ jobs:
       API_HOST: ${{ secrets.API_HOST }}
       API_TOKEN: ${{ secrets.API_TOKEN }}
     steps:
-      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
       - name: Validate Secrets

global_helpers/panther_base_helpers.py

@@ -521,9 +521,11 @@ def is_base64(b64: str) -> str:
     # handle false positives for very short strings
     if len(b64) < 12:
         return ""
+    # Pad args with "=" to ensure proper decoding
+    b64 = b64.ljust((len(b64) + 3) // 4 * 4, "=")
     # Check if the matched string can be decoded back into ASCII
     try:
-        return b64decode(b64).decode("ascii")
+        return b64decode(b64, validate=True).decode("ascii")
     except AsciiError:
         pass
     except UnicodeDecodeError:

rules/crowdstrike_rules/crowdstrike_base64_encoded_args.py

@@ -25,8 +25,9 @@ def rule(event):
 
     # Split arguments from process path
     command_line_args = event.udm("cmd")
-    command_line_args = command_line_args.replace('"', "")
-    command_line_args = command_line_args.replace("'", "")
+    command_line_args = command_line_args.replace('"', " ")
+    command_line_args = command_line_args.replace("'", " ")
+    command_line_args = command_line_args.replace("=", " ")
     command_line_args = command_line_args.split(" ")[1:]
 
     # Check if Base64 encoded arguments are present in the command line

rules/crowdstrike_rules/crowdstrike_base64_encoded_args.yml

@@ -502,6 +502,67 @@ Tests:
         "timestamp": "2023-04-24 20:33:36.719",
       }
   - Name: Command Line Tool Execution without Base64 Argument (Negative) 6
+    ExpectedResult: false
+    Log:
+      {
+        "ConfigBuild": "1007.3.0016606.11",
+        "ConfigStateHash": "3645117824",
+        "Entitlements": "15",
+        "TreeId": "4295752857",
+        "aid": "877761efa8db44d792ddc2redacted",
+        "aip": "1.1.1.1",
+        "cid": "cfe698690964434083fecdredacted",
+        "event":
+          {
+            "AuthenticationId": "293628",
+            "AuthenticodeHashData": "98a4762f52a",
+            "CommandLine": '"C:\Windows\system32\cmd.exe" /Q /C ""C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\uninstall.cmd" --dir="C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0""',
+            "ConfigBuild": "1007.3.0016606.11",
+            "ConfigStateHash": "3645117824",
+            "EffectiveTransmissionClass": "2",
+            "Entitlements": "15",
+            "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+            "ImageSubsystem": "3",
+            "IntegrityLevel": "12288",
+            "MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
+            "ParentAuthenticationId": "293628",
+            "ParentBaseFileName": "pwsh.exe",
+            "ParentProcessId": "4370948876",
+            "ProcessCreateFlags": "1024",
+            "ProcessEndTime": "",
+            "ProcessParameterFlags": "24577",
+            "ProcessStartTime": "1682368414.719",
+            "ProcessSxsFlags": "64",
+            "RawProcessId": "3120",
+            "SHA1HashData": "0000000000000000000000000000000000000000",
+            "SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
+            "SessionId": "2",
+            "SignInfoFlags": "8683538",
+            "SourceProcessId": "4370948876",
+            "SourceThreadId": "112532918543",
+            "Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
+            "TargetProcessId": "10413665481",
+            "TokenType": "1",
+            "TreeId": "4295752857",
+            "UserSid": "S-1-5-21-239183934-720705223-383019856-500",
+            "aid": "877761efa8db44d792ddc2redacted",
+            "aip": "1.1.1.1",
+            "cid": "cfe698690964434083fecdredacted",
+            "event_platform": "Win",
+            "event_simpleName": "ProcessRollup2",
+            "id": "b0c07877-f288-49f8-8cb3-150149a557b2",
+            "name": "ProcessRollup2V19",
+            "timestamp": "1682368416719",
+          },
+        "event_platform": "Win",
+        "event_simpleName": "ProcessRollup2",
+        "fdr_event_type": "ProcessRollup2",
+        "id": "b0c07877-f288-49f8-8cb3-150149a557b2",
+        "name": "ProcessRollup2V19",
+        "p_log_type": "Crowdstrike.FDREvent",
+        "timestamp": "2023-04-24 20:33:36.719",
+      }
+  - Name: Command Line Tool Execution without Base64 Argument (Negative) 7
     ExpectedResult: false
     Log:
       {
@@ -562,3 +623,125 @@ Tests:
         "p_log_type": "Crowdstrike.FDREvent",
         "timestamp": "2023-04-24 20:33:36.719",
       }
+  - Name: base64 quoted argument
+    ExpectedResult: true
+    Log:
+      {
+        "ConfigBuild": "1007.3.0016606.11",
+        "ConfigStateHash": "3645117824",
+        "Entitlements": "15",
+        "TreeId": "4295752857",
+        "aid": "877761efa8db44d792ddc2redacted",
+        "aip": "1.1.1.1",
+        "cid": "cfe698690964434083fecdredacted",
+        "event":
+          {
+            "AuthenticationId": "293628",
+            "AuthenticodeHashData": "98a4762f52a",
+            "CommandLine": '/usr/bin/somebinary --b64="aGVsbG8taXMtaXQtbWUteW91cmUtbG9va2luZy1mb3IK"',
+            "ConfigBuild": "1007.3.0016606.11",
+            "ConfigStateHash": "3645117824",
+            "EffectiveTransmissionClass": "2",
+            "Entitlements": "15",
+            "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+            "ImageSubsystem": "3",
+            "IntegrityLevel": "12288",
+            "MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
+            "ParentAuthenticationId": "293628",
+            "ParentBaseFileName": "pwsh.exe",
+            "ParentProcessId": "4370948876",
+            "ProcessCreateFlags": "1024",
+            "ProcessEndTime": "",
+            "ProcessParameterFlags": "24577",
+            "ProcessStartTime": "1682368414.719",
+            "ProcessSxsFlags": "64",
+            "RawProcessId": "3120",
+            "SHA1HashData": "0000000000000000000000000000000000000000",
+            "SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
+            "SessionId": "2",
+            "SignInfoFlags": "8683538",
+            "SourceProcessId": "4370948876",
+            "SourceThreadId": "112532918543",
+            "Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
+            "TargetProcessId": "10413665481",
+            "TokenType": "1",
+            "TreeId": "4295752857",
+            "UserSid": "S-1-5-21-239183934-720705223-383019856-500",
+            "aid": "877761efa8db44d792ddc2redacted",
+            "aip": "1.1.1.1",
+            "cid": "cfe698690964434083fecdredacted",
+            "event_platform": "Win",
+            "event_simpleName": "ProcessRollup2",
+            "id": "b0c07877-f288-49f8-8cb3-150149a557b2",
+            "name": "ProcessRollup2V19",
+            "timestamp": "1682368416719",
+          },
+        "event_platform": "Win",
+        "event_simpleName": "ProcessRollup2",
+        "fdr_event_type": "ProcessRollup2",
+        "id": "b0c07877-f288-49f8-8cb3-150149a557b2",
+        "name": "ProcessRollup2V19",
+        "p_log_type": "Crowdstrike.FDREvent",
+        "timestamp": "2023-04-24 20:33:36.719",
+      }
+  - Name: base64 prefixed argument
+    ExpectedResult: true
+    Log:
+      {
+        "ConfigBuild": "1007.3.0016606.11",
+        "ConfigStateHash": "3645117824",
+        "Entitlements": "15",
+        "TreeId": "4295752857",
+        "aid": "877761efa8db44d792ddc2redacted",
+        "aip": "1.1.1.1",
+        "cid": "cfe698690964434083fecdredacted",
+        "event":
+          {
+            "AuthenticationId": "293628",
+            "AuthenticodeHashData": "98a4762f52a",
+            "CommandLine": '/usr/bin/somebinary --b64=aGVsbG8taXMtaXQtbWUteW91cmUtbG9va2luZy1mb3==',
+            "ConfigBuild": "1007.3.0016606.11",
+            "ConfigStateHash": "3645117824",
+            "EffectiveTransmissionClass": "2",
+            "Entitlements": "15",
+            "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+            "ImageSubsystem": "3",
+            "IntegrityLevel": "12288",
+            "MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
+            "ParentAuthenticationId": "293628",
+            "ParentBaseFileName": "pwsh.exe",
+            "ParentProcessId": "4370948876",
+            "ProcessCreateFlags": "1024",
+            "ProcessEndTime": "",
+            "ProcessParameterFlags": "24577",
+            "ProcessStartTime": "1682368414.719",
+            "ProcessSxsFlags": "64",
+            "RawProcessId": "3120",
+            "SHA1HashData": "0000000000000000000000000000000000000000",
+            "SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
+            "SessionId": "2",
+            "SignInfoFlags": "8683538",
+            "SourceProcessId": "4370948876",
+            "SourceThreadId": "112532918543",
+            "Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
+            "TargetProcessId": "10413665481",
+            "TokenType": "1",
+            "TreeId": "4295752857",
+            "UserSid": "S-1-5-21-239183934-720705223-383019856-500",
+            "aid": "877761efa8db44d792ddc2redacted",
+            "aip": "1.1.1.1",
+            "cid": "cfe698690964434083fecdredacted",
+            "event_platform": "Win",
+            "event_simpleName": "ProcessRollup2",
+            "id": "b0c07877-f288-49f8-8cb3-150149a557b2",
+            "name": "ProcessRollup2V19",
+            "timestamp": "1682368416719",
+          },
+        "event_platform": "Win",
+        "event_simpleName": "ProcessRollup2",
+        "fdr_event_type": "ProcessRollup2",
+        "id": "b0c07877-f288-49f8-8cb3-150149a557b2",
+        "name": "ProcessRollup2V19",
+        "p_log_type": "Crowdstrike.FDREvent",
+        "timestamp": "2023-04-24 20:33:36.719",
+      }

rules/gcp_audit_rules/gcp_cloud_run_service_created.py

@@ -6,7 +6,8 @@ def rule(event):
     if deep_get(event, "severity") == "ERROR":
         return False
 
-    if not deep_get(event, "protoPayload", "methodName").endswith("Services.CreateService"):
+    method_name = deep_get(event, "protoPayload", "methodName", default="")
+    if not method_name.endswith("Services.CreateService"):
         return False
 
     authorization_info = deep_walk(event, "protoPayload", "authorizationInfo")

rules/gcp_audit_rules/gcp_cloud_run_service_created.yml

@@ -15,6 +15,47 @@ Severity: Low
 DedupPeriodMinutes: 60
 Threshold: 1
 Tests:
+  - Name: GCP No methodName found
+    ExpectedResult: false
+    Log:
+      {
+        "p_event_time": "2024-07-22 14:20:56.237323088",
+        "p_log_type": "GCP.AuditLog",
+        "insertId": "123456789xyz",
+        "logName": "projects/internal-sentry/logs/cloudaudit.googleapis.com%2Factivity",
+        "protoPayload":
+          {
+            "at_sign_type": "type.googleapis.com/google.cloud.audit.AuditLog",
+            "authenticationInfo":
+              {
+                "principalEmail": "[email protected]",
+              },
+            "authorizationInfo":
+              [
+                {
+                  "granted": true,
+                  "permission": "cloudbuild.builds.create",
+                  "resource": "projects/00000000aaaaaaaa",
+                  "resourceAttributes": {},
+                },
+              ],
+            "requestMetadata":
+              {
+                "destinationAttributes": {},
+                "requestAttributes":
+                  { "auth": {}, "time": "2024-07-22T14:20:55.898367039Z" },
+              },
+          },
+        "receiveTimestamp": "2024-07-22 14:20:56.428021476",
+        "resource":
+          {
+            "labels":
+              { "method": "", "project_id": "some-project", "service": "" },
+            "type": "audited_resource",
+          },
+        "severity": "NOTICE",
+        "timestamp": "2024-07-22 14:20:56.237323088",
+      }
   - Name: GCP Run Service Created
     ExpectedResult: true
     Log:

rules/gcp_audit_rules/gcp_cloud_run_set_iam_policy.py

@@ -6,7 +6,8 @@ def rule(event):
     if deep_get(event, "severity") == "ERROR":
         return False
 
-    if not deep_get(event, "protoPayload", "methodName").endswith("Services.SetIamPolicy"):
+    method_name = deep_get(event, "protoPayload", "methodName", default="")
+    if not method_name.endswith("Services.SetIamPolicy"):
         return False
 
     authorization_info = deep_walk(event, "protoPayload", "authorizationInfo")