Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled. As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
Sigma rule (View on GitHub)
1title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
2id: bcd95697-e3e7-4c6f-8584-8e3503e6929f
3status: experimental
4description: |
5 Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled.
6 As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
7references:
8 - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
9 - https://nvd.nist.gov/vuln/detail/CVE-2024-3400
10author: Andreas Braathen (mnemonic.io)
11date: 2024-04-25
12tags:
13 - attack.execution
14 - cve.2024-3400
15 - detection.emerging-threats
16logsource:
17 product: paloalto
18 service: globalprotect
19 category: file_event
20 definition: 'Requirements: file creation events need to be ingested from the Palo Alto GlobalProtect appliance'
21detection:
22 selection:
23 TargetFilename|contains:
24 - '{IFS}'
25 - 'base64'
26 - 'bash'
27 - 'curl'
28 - 'http'
29 TargetFilename|startswith: '/opt/panlogs/tmp/device_telemetry/'
30 condition: selection
31falsepositives:
32 - The PAN-OS device telemetry function does not enforce a standard filename convention, but observations are unlikely.
33level: medium
References
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Blue Mockingbird
- CVE-2021-1675 Print Spooler Exploitation
- CVE-2021-1675 Print Spooler Exploitation IPC Access