Merge pull request #7 from PaperMtn/develop

Develop
PaperMtn · Dec 23, 2023 · adcd951 · adcd951
2 parents e61fd85 + 6b55e9d
commit adcd951
Show file tree

Hide file tree

Showing 3 changed files with 151 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,5 @@
+## 2023-12-22
+### Added
+- Added signatures for:
+  - Alibaba
+  - Akamai
diff --git a/signatures/tokens_and_credentials/akamai.yaml b/signatures/tokens_and_credentials/akamai.yaml
@@ -0,0 +1,51 @@
+---
+filename: akamai.yaml
+signatures:
+
+  - name: Akamai API Access Tokens
+    status: enabled
+    author: PaperMtn
+    date: "2023-12-22"
+    description: Detects exposed Akamai API Access tokens
+    severity: "90"
+    notes:
+    references:
+    watchman_apps:
+      slack_std:
+        category: secrets
+        scope:
+          - messages
+        file_types:
+        search_strings:
+          - akab-
+      slack_eg:
+        scope:
+          - messages
+          - drafts
+        file_types:
+        locations:
+          - public
+          - private
+          - connect
+        search_strings:
+          - akab-
+      gitlab:
+        scope:
+          - blobs
+          - commits
+          - milestones
+          - wiki_blobs
+          - issues
+          - merge_requests
+          - notes
+          - snippet_titles
+        search_strings:
+          - akab- -(svg|png|jpeg)
+    test_cases:
+      match_cases:
+        - "client_token: akab-rWdcwwASNbe9fcGk-00qwecOueticOXxA"
+      fail_cases:
+        - "host: akab-fakehost.akamaiapis.net"
+    patterns:
+      - "akab-[0-9a-zA-Z]{16}-[0-9a-zA-Z]{16}"
+
diff --git a/signatures/tokens_and_credentials/alibaba.yaml b/signatures/tokens_and_credentials/alibaba.yaml
@@ -0,0 +1,95 @@
+---
+filename: alibaba.yaml
+signatures:
+  - name: Alibaba IAM Access Key ID
+    status: enabled
+    author: PaperMtn
+    date: 2023-12-22
+    description: Detects exposed Alibaba IAM access key IDs
+    severity: "50"
+    notes: null
+    references: null
+    watchman_apps:
+      slack_std:
+        category: secrets
+        scope:
+          - messages
+        file_types: null
+        search_strings:
+          - LTAI
+      slack_eg:
+        scope:
+          - messages
+          - drafts
+        file_types: null
+        locations:
+          - public
+          - private
+          - connect
+        search_strings:
+          - LTAI
+      gitlab:
+        scope:
+          - blobs
+          - commits
+          - milestones
+          - wiki_blobs
+          - issues
+          - merge_requests
+          - notes
+          - snippet_titles
+        search_strings:
+          - LTAI -(svg|png|jpeg)
+    test_cases:
+      match_cases:
+        - accessKeyId=LTAIAAAZ5BhleEv7
+      fail_cases:
+        - accessKeyId=LAAIAAAZ5BhleEv7
+    patterns:
+      - LTAI[0-9a-zA-Z]{12,20}
+  - name: Alibaba IAM Secret Access Key
+    status: enabled
+    author: PaperMtn
+    date: 2023-12-22
+    description: Detects exposed Alibaba IAM secret access key
+    severity: "90"
+    notes: null
+    references: null
+    watchman_apps:
+      slack_std:
+        category: secrets
+        scope:
+          - messages
+        file_types: null
+        search_strings:
+          - LTAI
+      slack_eg:
+        scope:
+          - messages
+          - drafts
+        file_types: null
+        locations:
+          - public
+          - private
+          - connect
+        search_strings:
+          - LTAI
+      gitlab:
+        scope:
+          - blobs
+          - commits
+          - milestones
+          - wiki_blobs
+          - issues
+          - merge_requests
+          - notes
+          - snippet_titles
+        search_strings:
+          - LTAI -(svg|png|jpeg)
+    test_cases:
+      match_cases:
+        - $accessKeySecret = "6pbpC5bqTJ6aATHAd5434dq13XaEe7";
+      fail_cases:
+        - accessKeyId=LAAIAAAZ5BhleEv7
+    patterns:
+      - "[\\W\\s]{1}([0-9a-zA-Z]{30,48})[\\W\\s]{1}"