From dbcb89bd913d452196a2476f5edaa4e33c7fb66e Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Fri, 17 Nov 2023 19:22:51 +0000
Subject: [PATCH] Sync from PR#990 New Rule: Discovery Credential/Key leakage by @morriscode https://github.com/sublime-security/sublime-rules/pull/990 Source SHA b7556f3c033a09eb45e1374540b8c1ff4aba21e9 Triggered by @morriscode
---
 .../discovery_credential_leakage.yml | 64 +++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 detection-rules/discovery_credential_leakage.yml
diff --git a/detection-rules/discovery_credential_leakage.yml b/detection-rules/discovery_credential_leakage.yml
new file mode 100644
index 00000000000..f36e4343352
--- /dev/null
+++ b/detection-rules/discovery_credential_leakage.yml
@@ -0,0 +1,64 @@
+name: "Discovery - Potential Credential and Key Leakage"
+description: "This rule looks for patterns related to Credentials, or Keys in both inbound and outbound message bodies."
+type: "rule"
+severity: "informational"
+source: |
+ (type.internal or type.outbound)
+ and regex.contains(body.current_thread.text,
+ "(xox[pborsa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})",
+ "-----BEGIN RSA PRIVATE KEY-----",
+ "-----BEGIN DSA PRIVATE KEY-----",
+ "-----BEGIN EC PRIVATE KEY-----",
+ "-----BEGIN PGP PRIVATE KEY BLOCK-----",
+ "((?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})",
+ "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
+ "AKIA[0-9A-Z]{16}",
+ "da2-[a-z0-9]{26}",
+ "EAACEdEose0cBA[0-9A-Za-z]+",
+ "[fF][aA][cC][eE][bB][oO][oO][kK].*['|\"][0-9a-f]{32}['|\"]",
+ "[gG][iI][tT][hH][uU][bB].*['|\"][0-9a-zA-Z]{35,40}['|\"]",
+ "[aA][pP][iI]_?[kK][eE][yY].*['|\"][0-9a-zA-Z]{32,45}['|\"]",
+ "[sS][eE][cC][rR][eE][tT].*['|\"][0-9a-zA-Z]{32,45}['|\"]",
+ "AIza[0-9A-Za-z\\-_]{35}",
+ "AIza[0-9A-Za-z\\-_]{35}",
+ "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com",
+ "AIza[0-9A-Za-z\\-_]{35}",
+ "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com",
+ "\"type\": \"service_account\"",
+ "AIza[0-9A-Za-z\\-_]{35}",
+ "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com",
+ "ya29\\.[0-9A-Za-z\\-_]+",
+ "AIza[0-9A-Za-z\\-_]{35}",
+ "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com",
+ "[hH][eE][rR][oO][kK][uU].*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}",
+ "[0-9a-f]{32}-us[0-9]{1,2}",
+ "key-[0-9a-zA-Z]{32}",
+ "[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]",
+ "access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}",
+ "sk_live_[0-9a-z]{32}",
+ "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}",
+ "sk_live_[0-9a-zA-Z]{24}",
+ "rk_live_[0-9a-zA-Z]{24}",
+ "sq0atp-[0-9A-Za-z\\-_]{22}",
+ "sq0csp-[0-9A-Za-z\\-_]{43}",
+ "[0-9]+:AA[0-9A-Za-z\\-_]{33}",
+ "SK[0-9a-fA-F]{32}",
+ "[tT][wW][iI][tT][tT][eE][rR].*[1-9][0-9]+-[0-9a-zA-Z]{40}",
+ "[tT][wW][iI][tT][tT][eE][rR].*['|\"][0-9a-zA-Z]{35,44}['|\"]"
+ )
+
+ and not (
+ any(body.links,
+ strings.contains(.href_url.url, ".s3.")
+ and regex.contains(.href_url.query_params,
+ "Credential=((?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})"
+ )
+ )
+ )
+attack_types:
+tactics_and_techniques:
+detection_methods:
+ - "Content analysis"
+id: "ab51a8fb-932d-554a-9871-6dbf5c18b79c"
+testing_pr: 990
+testing_sha: b7556f3c033a09eb45e1374540b8c1ff4aba21e9
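Review bot: The `and not ( any(body.links, …) )` clause at the end of `source` negates the whole rule rather than only the AWS access-key pattern, so a message that carries a single presigned S3 link (`Credential=AKIA…` in its query string) is never flagged even when the body also contains a `-----BEGIN RSA PRIVATE KEY-----` block or an `sk_live_` token. Scoping the exclusion to the access-key pattern alone, by splitting the `regex.contains` list into the general patterns and the `(?:A3T…|AKIA…)` alternative and applying `not any(body.links, …)` only to the latter, keeps the presigned-URL suppression without hiding the other matches; the restructured `source` is sketched below. Separately, `AIza[0-9A-Za-z\\-_]{35}` and the `…\\.apps\\.googleusercontent\\.com` pattern appear five and four times, `AKIA[0-9A-Z]{16}` is already covered by the alternative above it, and `['|\"]` is a character class that also accepts a literal `|`, so those lines can be deduplicated and the class written as `['\"]`.
```yaml
source: |
  (type.internal or type.outbound)
  and (
    regex.contains(body.current_thread.text,
      # … unchanged: every pattern except the AWS access-key alternative and the redundant AKIA[0-9A-Z]{16} line …
    )
    or (
      regex.contains(body.current_thread.text,
        "((?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})"
      )
      and not any(body.links,
        # … unchanged: the .s3. URL check and the Credential= query-parameter regex …
      )
    )
  )
```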