diff --git a/signatures/tokens_and_credentials/alibaba.yaml b/signatures/tokens_and_credentials/alibaba.yaml new file mode 100644 index 0000000..b74d737 --- /dev/null +++ b/signatures/tokens_and_credentials/alibaba.yaml @@ -0,0 +1,95 @@ +--- +filename: alibaba.yaml +signatures: + - name: Alibaba IAM Access Key ID + status: enabled + author: PaperMtn + date: 2023-12-22 + description: Detects exposed Alibaba IAM access key IDs + severity: "50" + notes: null + references: null + watchman_apps: + slack_std: + category: secrets + scope: + - messages + file_types: null + search_strings: + - LTAI + slack_eg: + scope: + - messages + - drafts + file_types: null + locations: + - public + - private + - connect + search_strings: + - LTAI + gitlab: + scope: + - blobs + - commits + - milestones + - wiki_blobs + - issues + - merge_requests + - notes + - snippet_titles + search_strings: + - LTAI -(svg|png|jpeg) + test_cases: + match_cases: + - accessKeyId=LTAIAAAZ5BhleEv7 + fail_cases: + - accessKeyId=LAAIAAAZ5BhleEv7 + patterns: + - LTAI[0-9a-zA-Z]{12,20} + - name: Alibaba IAM Secret Access Key + status: enabled + author: PaperMtn + date: 2023-12-22 + description: Detects exposed Alibaba IAM secret access key + severity: "90" + notes: null + references: null + watchman_apps: + slack_std: + category: secrets + scope: + - messages + file_types: null + search_strings: + - LTAI + slack_eg: + scope: + - messages + - drafts + file_types: null + locations: + - public + - private + - connect + search_strings: + - LTAI + gitlab: + scope: + - blobs + - commits + - milestones + - wiki_blobs + - issues + - merge_requests + - notes + - snippet_titles + search_strings: + - LTAI -(svg|png|jpeg) + test_cases: + match_cases: + - $accessKeySecret = "6pbpC5bqTJ6aATHAd5434dq13XaEe7"; + fail_cases: + - accessKeyId=LAAIAAAZ5BhleEv7 + patterns: + - "[\\W\\s]{1}([0-9a-zA-Z]{30,48})[\\W\\s]{1}"