cartography 0.116.1__py3-none-any.whl → 0.118.0__py3-none-any.whl

cartography/rules/data/frameworks/mitre_attack/requirements/t1098_account_manipulation/__init__.py

@@ -0,0 +1,317 @@
+from cartography.rules.spec.model import Fact
+from cartography.rules.spec.model import Module
+from cartography.rules.spec.model import Requirement
+
+# AWS
+_aws_account_manipulation_permissions = Fact(
+    id="aws_account_manipulation_permissions",
+    name="IAM Principals with Account Creation and Modification Permissions",
+    description=(
+        "AWS IAM users and roles with permissions to create, modify, or delete IAM "
+        "accounts and their associated policies."
+    ),
+    cypher_query="""
+        MATCH (a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)
+        MATCH (principal)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        WHERE NOT principal.name STARTS WITH 'AWSServiceRole'
+        AND NOT principal.name CONTAINS 'QuickSetup'
+        AND principal.name <> 'OrganizationAccountAccessRole'
+        AND stmt.effect = 'Allow'
+        WITH a, principal, stmt,
+            // Return labels that are not the general "AWSPrincipal" label
+            [label IN labels(principal) WHERE label <> 'AWSPrincipal'][0] AS principal_type,
+            // Define the list of IAM actions to match on
+            [p IN ['iam:Create','iam:Attach','iam:Put','iam:Update','iam:Add'] |
+                p] AS patterns
+        WITH a, principal, principal_type, stmt,
+            // Filter on the desired IAM actions
+            [action IN stmt.action
+                WHERE ANY(prefix IN patterns WHERE action STARTS WITH prefix)
+                OR action = 'iam:*'
+                OR action = '*'
+            ] AS matched_actions
+        // Return only statement actions that we matched on
+        WHERE size(matched_actions) > 0
+        UNWIND matched_actions AS action
+        RETURN DISTINCT a.name AS account,
+            principal.name AS principal_name,
+            principal.arn AS principal_arn,
+            principal_type,
+            collect(action) as action,
+            stmt.resource AS resource
+        ORDER BY account, principal_name
+    """,
+    cypher_visual_query="""
+        MATCH p = (a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)
+        MATCH p1 = (principal)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        WHERE NOT principal.name STARTS WITH 'AWSServiceRole'
+        AND NOT principal.name CONTAINS 'QuickSetup'
+        AND NOT principal.name = 'OrganizationAccountAccessRole'
+        AND stmt.effect = 'Allow'
+        AND ANY(action IN stmt.action WHERE
+            action STARTS WITH 'iam:Create'
+            OR action STARTS WITH 'iam:Attach'
+            OR action STARTS WITH 'iam:Put'
+            OR action STARTS WITH 'iam:Update'
+            OR action STARTS WITH 'iam:Add'
+            OR action = 'iam:*'
+            OR action = '*'
+        )
+        RETURN *
+    """,
+    module=Module.AWS,
+)
+
+_aws_trust_relationship_manipulation = Fact(
+    id="aws_trust_relationship_manipulation",
+    name="Roles with Cross-Account Trust Relationship Modification Capabilities",
+    description=(
+        "AWS IAM principals with permissions to modify role trust policies "
+        "(specifically AssumeRolePolicyDocuments)."
+    ),
+    cypher_query="""
+        MATCH (a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)
+        MATCH (principal)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        OPTIONAL MATCH (groupmember:AWSUser)
+        WHERE NOT principal.name STARTS WITH 'AWSServiceRole'
+        AND NOT principal.name CONTAINS 'QuickSetup'
+        AND principal.name <> 'OrganizationAccountAccessRole'
+        AND stmt.effect = 'Allow'
+        WITH a, principal, stmt,
+            [label IN labels(principal) WHERE label <> 'AWSPrincipal'][0] AS principal_type,
+            ['iam:UpdateAssumeRolePolicy','iam:CreateRole'] AS patterns
+        WITH a, principal, principal_type, stmt,
+            [action IN stmt.action
+                WHERE ANY(p IN patterns WHERE action = p)
+                OR action = 'iam:*' OR action = '*'
+            ] AS matched_actions
+        WHERE size(matched_actions) > 0
+        UNWIND matched_actions AS action
+        RETURN DISTINCT a.name AS account,
+            principal.name AS principal_name,
+            principal.arn AS principal_arn,
+            principal_type,
+            collect(distinct action) as action,
+            stmt.resource AS resource
+        ORDER BY account, principal_name
+    """,
+    cypher_visual_query="""
+        MATCH p = (a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)
+        MATCH p1 = (principal)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        MATCH (principal)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        WHERE NOT principal.name STARTS WITH 'AWSServiceRole'
+        AND principal.name <> 'OrganizationAccountAccessRole'
+        AND stmt.effect = 'Allow'
+        RETURN *
+    """,
+    module=Module.AWS,
+)
+
+_aws_service_account_manipulation_via_ec2 = Fact(
+    id="aws_service_account_manipulation_via_ec2",
+    name="Service Resources with Account Manipulation Through Instance Profiles",
+    description=(
+        "AWS EC2 instances with attached IAM roles that can manipulate other AWS accounts. "
+        "Also indicates whether the instance is internet-exposed."
+    ),
+    cypher_query="""
+        MATCH (a:AWSAccount)-[:RESOURCE]->(ec2:EC2Instance)
+        MATCH (ec2)-[:INSTANCE_PROFILE]->(profile:AWSInstanceProfile)
+        MATCH (profile)-[:ASSOCIATED_WITH]->(role:AWSRole)
+        MATCH (role)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        WHERE stmt.effect = 'Allow'
+        WITH a, ec2, role,
+            // Define the list of IAM actions to match on
+            ['iam:Create', 'iam:Attach', 'iam:Put', 'iam:Update'] AS patterns,
+            // Filter on the desired IAM actions
+            [action IN stmt.action
+                WHERE ANY(p IN ['iam:Create','iam:Attach','iam:Put','iam:Update', 'iam:Add'] WHERE action STARTS WITH p)
+                OR action = 'iam:*'
+                OR action = '*'
+            ] AS actions
+        // For the instances that are internet open, include the SG and rules
+        OPTIONAL MATCH (ec2{exposed_internet:True})-[:MEMBER_OF_EC2_SECURITY_GROUP]->(sg:EC2SecurityGroup)<-[:MEMBER_OF_EC2_SECURITY_GROUP]-(ip:IpPermissionInbound)
+        // Return only statement actions that we matched on
+        WHERE size(actions) > 0
+        UNWIND actions AS flat_action
+        WITH a, ec2, role, sg, ip,
+            collect(DISTINCT flat_action) AS actions
+        RETURN DISTINCT a.name AS account,
+            a.id as account_id,
+            ec2.instanceid AS instance_id,
+            ec2.exposed_internet AS internet_accessible,
+            ec2.publicipaddress as public_ip_address,
+            role.name AS role_name,
+            collect(actions) as action,
+            ip.fromport as from_port,
+            ip.toport as to_port
+        ORDER BY account, instance_id, internet_accessible, from_port
+    """,
+    cypher_visual_query="""
+        MATCH p = (a:AWSAccount)-[:RESOURCE]->(ec2:EC2Instance)
+        MATCH p1 = (ec2)-[:INSTANCE_PROFILE]->(profile:AWSInstanceProfile)
+        MATCH p2 = (profile)-[:ASSOCIATED_WITH]->(role:AWSRole)
+        MATCH p3 = (role)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        WHERE stmt.effect = 'Allow'
+        AND ANY(action IN stmt.action WHERE
+            action STARTS WITH 'iam:Create'
+            OR action STARTS WITH 'iam:Attach'
+            OR action STARTS WITH 'iam:Put'
+            OR action STARTS WITH 'iam:Update'
+            OR action STARTS WITH 'iam:Add'
+            OR action = 'iam:*'
+            OR action = '*'
+        )
+        WITH p, p1, p2, p3, ec2
+        // Include the SG and rules for the instances that are internet open
+        MATCH p4=(ec2{exposed_internet: true})-[:MEMBER_OF_EC2_SECURITY_GROUP]->(sg:EC2SecurityGroup)<-[:MEMBER_OF_EC2_SECURITY_GROUP]-(ip:IpPermissionInbound)
+        RETURN *
+    """,
+    module=Module.AWS,
+)
+
+_aws_service_account_manipulation_via_lambda = Fact(
+    id="aws_service_account_manipulation",
+    name="Service Resources with Account Manipulation Through Lambda Roles",
+    description=(
+        "AWS Lambda functions with IAM roles that can manipulate other AWS accounts."
+    ),
+    cypher_query="""
+        // Find Lambda functions with account manipulation capabilities
+        MATCH (a:AWSAccount)-[:RESOURCE]->(lambda:AWSLambda)
+        MATCH (lambda)-[:STS_ASSUMEROLE_ALLOW]->(role:AWSRole)
+        MATCH (role)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        WHERE stmt.effect = 'Allow'
+        WITH a, lambda, role, stmt,
+            // Define the list of IAM actions to match on
+            ['iam:Create', 'iam:Attach', 'iam:Put', 'iam:Update'] AS patterns,
+            // Filter on the desired IAM actions
+            [action IN stmt.action
+                WHERE ANY(p IN ['iam:Create', 'iam:Attach', 'iam:Put', 'iam:Update', 'iam:Add'] WHERE action STARTS WITH p)
+                OR action = 'iam:*'
+                OR action = '*'
+            ] AS actions
+        // Return only statement actions that we matched on
+        WHERE size(actions) > 0
+        UNWIND actions AS flat_action
+        WITH a, lambda, role, stmt,
+            collect(DISTINCT flat_action) AS actions
+        RETURN DISTINCT a.name AS account,
+            a.id as account_id,
+            lambda.arn AS arn,
+            lambda.description AS description,
+            lambda.anonymous_access AS internet_accessible,
+            role.name AS role_name,
+            actions
+        ORDER BY account, arn, internet_accessible
+    """,
+    cypher_visual_query="""
+        MATCH p = (a:AWSAccount)-[:RESOURCE]->(lambda:AWSLambda)
+        MATCH p1 = (lambda)-[:STS_ASSUMEROLE_ALLOW]->(role:AWSRole)
+        MATCH p2 = (role)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        WHERE stmt.effect = 'Allow'
+        AND ANY(action IN stmt.action WHERE
+            action STARTS WITH 'iam:Create'
+            OR action STARTS WITH 'iam:Attach'
+            OR action STARTS WITH 'iam:Put'
+            OR action STARTS WITH 'iam:Update'
+            OR action STARTS WITH 'iam:Add'
+            OR action = 'iam:*'
+            OR action = '*'
+        )
+        RETURN *
+    """,
+    module=Module.AWS,
+)
+
+_aws_policy_manipulation_capabilities = Fact(
+    id="aws_policy_manipulation_capabilities",
+    name="Principals with IAM Policy Creation and Modification Capabilities",
+    description=(
+        "AWS IAM principals that can create, modify, or attach IAM policies to other principals. "
+    ),
+    cypher_query="""
+        MATCH (a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)
+        MATCH (principal)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        WHERE NOT principal.name STARTS WITH 'AWSServiceRole'
+        AND NOT principal.name CONTAINS 'QuickSetup'
+        AND principal.name <> 'OrganizationAccountAccessRole'
+        AND stmt.effect = 'Allow'
+
+        WITH a, principal, stmt,
+            // Return labels that are not the general "AWSPrincipal" label
+            [label IN labels(principal) WHERE label <> 'AWSPrincipal'][0] AS principal_type,
+            // Define the list of IAM actions to match on
+            [p IN
+            ['iam:CreatePolicy', 'iam:CreatePolicyVersion', 'iam:AttachUserPolicy', 'iam:AttachRolePolicy', 'iam:AttachGroupPolicy',
+            'iam:AttachRolePolicy', 'iam:AttachGroupPolicy', 'iam:DetachUserPolicy', 'iam:DetachRolePolicy', 'iam:DetachGroupPolicy',
+            'iam:PutUserPolicy', 'iam:PutRolePolicy', 'iam:PutGroupPolicy'] |
+                p] AS patterns
+
+        // Return only statement actions that we matched on
+        WITH a, principal, principal_type, stmt,
+            [action IN stmt.action
+                WHERE ANY(p IN patterns WHERE action = p)
+                OR action = 'iam:*' OR action = '*'
+            ] AS matched_actions
+        WHERE size(matched_actions) > 0
+        UNWIND matched_actions AS action
+        RETURN DISTINCT a.name AS account,
+            principal.name AS principal_name,
+            principal.arn AS principal_arn,
+            principal_type,
+            collect(action) as action,
+            stmt.resource AS resource
+        ORDER BY account, principal_name
+    """,
+    cypher_visual_query="""
+    MATCH p1=(a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)
+    MATCH p2=(principal)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+    WHERE NOT principal.name STARTS WITH 'AWSServiceRole'
+    AND NOT principal.name CONTAINS 'QuickSetup'
+    AND principal.name <> 'OrganizationAccountAccessRole'
+    AND stmt.effect = 'Allow'
+    AND ANY(action IN stmt.action WHERE
+        action CONTAINS 'iam:CreatePolicy' OR action CONTAINS 'iam:CreatePolicyVersion'
+        OR action CONTAINS 'iam:AttachUserPolicy' OR action CONTAINS 'iam:AttachRolePolicy'
+        OR action CONTAINS 'iam:AttachGroupPolicy' OR action CONTAINS 'iam:DetachUserPolicy'
+        OR action CONTAINS 'iam:DetachRolePolicy' OR action CONTAINS 'iam:DetachGroupPolicy'
+        OR action CONTAINS 'iam:PutUserPolicy' OR action CONTAINS 'iam:PutRolePolicy'
+        OR action CONTAINS 'iam:PutGroupPolicy' OR action = 'iam:*' OR action = '*'
+    )
+    RETURN *
+    """,
+    module=Module.AWS,
+)
+
+
+t1098 = Requirement(
+    id="t1098",
+    name="Account Manipulation",
+    description=(
+        "Adversaries may manipulate accounts to maintain or elevate access to victim systems. "
+        "Activity that subverts security policies. For example in cloud this is "
+        "updating IAM policies or adding new global admins."
+    ),
+    target_assets="Identities that can manipulate other identities",
+    facts=(
+        # AWS
+        _aws_account_manipulation_permissions,
+        _aws_trust_relationship_manipulation,
+        _aws_service_account_manipulation_via_ec2,
+        _aws_service_account_manipulation_via_lambda,
+        _aws_policy_manipulation_capabilities,
+    ),
+    requirement_url="https://attack.mitre.org/techniques/T1098/",
+    attributes={
+        "tactic": "persistence,privilege_escalation",
+        "technique_id": "T1098",
+        "services": [
+            "iam",
+            "sts",
+            "ec2",
+            "lambda",
+        ],
+        "providers": ["AWS"],
+    },
+)

cartography/rules/data/frameworks/mitre_attack/requirements/t1190_exploit_public_facing_application/__init__.py

@@ -116,6 +116,7 @@ t1190 = Requirement(
     id="t1190",
     name="Exploit Public-Facing Application",
     description="Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.",
+    target_assets="Compute and storage resources that are accessible from the public internet",
     facts=(
         # AWS
         _aws_ec2_instance_internet_exposed,

cartography/rules/spec/model.py

@@ -58,9 +58,21 @@ class Requirement:
     """
 
     id: str
+    """A unique identifier for the requirement, e.g. T1098 in MITRE ATT&CK."""
     name: str
+    """A brief name for the requirement, e.g. "Account Manipulation"."""
     description: str
+    """A brief description of the requirement."""
+    target_assets: str
+    """
+    A short description of the assets that this requirement is related to. E.g. "Cloud
+    identities that can manipulate other identities". This field is used as
+    documentation: `description` tells us information about the requirement;
+    `target_assets` tells us what specific objects in cartography we will search for to
+    find Facts related to the requirement.
+    """
     facts: tuple[Fact, ...]
+    """The facts that are related to this requirement."""
     attributes: dict[str, Any] | None = None
     """
     Metadata attributes for the requirement. Example:
@@ -74,6 +86,7 @@ class Requirement:
     ```
     """
     requirement_url: str | None = None
+    """A URL reference to the requirement in the framework, e.g. https://attack.mitre.org/techniques/T1098/"""
 
 
 @dataclass(frozen=True)

cartography/sync.py

@@ -52,7 +52,7 @@ from cartography.util import STATUS_SUCCESS
 logger = logging.getLogger(__name__)
 
 
-TOP_LEVEL_MODULES = OrderedDict(
+TOP_LEVEL_MODULES: OrderedDict[str, Callable[..., None]] = OrderedDict(
     {  # preserve order so that the default sync always runs `analysis` at the very end
         "create-indexes": cartography.intel.create_indexes.run,
         "airbyte": cartography.intel.airbyte.start_airbyte_ingestion,

cartography/util.py

@@ -153,6 +153,9 @@ def merge_module_sync_metadata(
     :param synced_type: The sub-module's type
     :param update_tag: Timestamp used to determine data freshness
     """
+    # Import here to avoid circular import with cartography.client.core.tx
+    from cartography.client.core.tx import run_write_query
+
     template = Template(
         """
         MERGE (n:ModuleSyncMetadata{id:'${group_type}_${group_id}_${synced_type}'})
@@ -164,7 +167,8 @@ def merge_module_sync_metadata(
             n.lastupdated=$UPDATE_TAG
     """,
     )
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         template.safe_substitute(
             group_type=group_type,
             group_id=group_id,

{cartography-0.116.1.dist-info → cartography-0.118.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cartography
-Version: 0.116.1
+Version: 0.118.0
 Summary: Explore assets and their relationships across your technical infrastructure.
 Maintainer: Cartography Contributors
 License-Expression: Apache-2.0
@@ -42,6 +42,7 @@ Requires-Dist: python-digitalocean>=1.16.0
 Requires-Dist: adal>=1.2.4
 Requires-Dist: azure-cli-core>=2.26.0
 Requires-Dist: azure-mgmt-compute>=5.0.0
+Requires-Dist: azure-mgmt-containerinstance>=10.0.0
 Requires-Dist: azure-mgmt-resource>=10.2.0
 Requires-Dist: azure-mgmt-cosmosdb>=6.0.0
 Requires-Dist: azure-mgmt-web>=7.0.0
@@ -58,7 +59,7 @@ Requires-Dist: python-dateutil
 Requires-Dist: xmltodict
 Requires-Dist: duo-client
 Requires-Dist: cloudflare<5.0.0,>=4.1.0
-Requires-Dist: scaleway>=2.9.0
+Requires-Dist: scaleway>=2.10.0
 Requires-Dist: google-cloud-resource-manager>=1.14.2
 Requires-Dist: types-aiobotocore-ecr
 Requires-Dist: typer>=0.9.0
@@ -88,7 +89,7 @@ You can learn more about the story behind Cartography in our [presentation at BS
 
 ## Supported platforms
 - [Airbyte](https://cartography-cncf.github.io/cartography/modules/airbyte/index.html) - Organization, Workspace, User, Source, Destination, Connection, Tag, Stream
-- [Amazon Web Services](https://cartography-cncf.github.io/cartography/modules/aws/index.html) - ACM, API Gateway, CloudWatch, CodeBuild, Config, Cognito, EC2, ECS, ECR (including image layers), EFS, Elasticsearch, Elastic Kubernetes Service (EKS), DynamoDB, Glue,  GuardDuty, IAM, Inspector, KMS, Lambda, RDS, Redshift, Route53, S3, Secrets Manager(Secret Versions), Security Hub, SNS, SQS, SSM, STS, Tags
+- [Amazon Web Services](https://cartography-cncf.github.io/cartography/modules/aws/index.html) - ACM, API Gateway, CloudWatch, CodeBuild, Config, Cognito, EC2, ECS, ECR (including multi-arch images, image layers, and attestations), EFS, Elasticsearch, Elastic Kubernetes Service (EKS), DynamoDB, Glue,  GuardDuty, IAM, Inspector, KMS, Lambda, RDS, Redshift, Route53, S3, Secrets Manager(Secret Versions), Security Hub, SNS, SQS, SSM, STS, Tags
 - [Anthropic](https://cartography-cncf.github.io/cartography/modules/anthropic/index.html) - Organization, ApiKey, User, Workspace
 - [BigFix](https://cartography-cncf.github.io/cartography/modules/bigfix/index.html) - Computers
 - [Cloudflare](https://cartography-cncf.github.io/cartography/modules/cloudflare/index.html) - Account, Role, Member, Zone, DNSRecord
@@ -102,7 +103,7 @@ You can learn more about the story behind Cartography in our [presentation at BS
 - [Keycloak](https://cartography-cncf.github.io/cartography/modules/keycloak/index.html) - Realms, Users, Groups, Roles, Scopes, Clients, IdentityProviders, Authentication Flows, Authentication Executions, Organizations, Organization Domains
 - [Kubernetes](https://cartography-cncf.github.io/cartography/modules/kubernetes/index.html) - Cluster, Namespace, Service, Pod, Container, ServiceAccount, Role, RoleBinding, ClusterRole, ClusterRoleBinding, OIDCProvider
 - [Lastpass](https://cartography-cncf.github.io/cartography/modules/lastpass/index.html) - users
-- [Microsoft Azure](https://cartography-cncf.github.io/cartography/modules/azure/index.html) - App Service, CosmosDB, Functions, Logic Apps, Resource Group, SQL, Storage, Virtual Machine
+- [Microsoft Azure](https://cartography-cncf.github.io/cartography/modules/azure/index.html) - App Service, Container Instance, CosmosDB, Functions, Logic Apps, Resource Group, SQL, Storage, Virtual Machine
 - [Microsoft Entra ID](https://cartography-cncf.github.io/cartography/modules/entra/index.html) -  Users, Groups, Applications, OUs, App Roles, federation to AWS Identity Center
 - [NIST CVE](https://cartography-cncf.github.io/cartography/modules/cve/index.html) - Common Vulnerabilities and Exposures (CVE) data from NIST database
 - [Okta](https://cartography-cncf.github.io/cartography/modules/okta/index.html) - users, groups, organizations, roles, applications, factors, trusted origins, reply URIs, federation to AWS roles, federation to AWS Identity Center