Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
Sigma rule
title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
id: f130a5f1-73ba-42f0-bf1e-b66a8361cb8f
status: experimental
description: |
    Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect.
    This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
references:
    - https://security.paloaltonetworks.com/CVE-2024-3400
    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
    - https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-18
modified: 2024-04-25
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-evasion
    - cve.2024-3400
logsource:
    category: appliance
    product: paloalto
    service: globalprotect
    definition: 'Requirements: Palo Alto GlobalProtect "mp-log" and "gpsvc.log" log files need to be ingested'
detection:
    keywords_generic:
        - 'failed to unmarshal session(../'
        - 'failed to unmarshal session(./../'
        - 'failed to unmarshal session(/..'
        - 'failed to unmarshal session(%2E%2E%2F'
        - 'failed to unmarshal session(%2F%2E%2E'
        - 'failed to unmarshal session(%2E%2F%2E%2E%2F'
        - 'failed to unmarshal session(%252E%252E%252F'
        - 'failed to unmarshal session(%252F%252E%252E'
        - 'failed to unmarshal session(%252E%252F%252E%252E%252F'
    keywords_telemetry_exploit:
        - '{IFS}'
        - 'base64'
        - 'bash'
        - 'curl'
        - 'http'
    keywords_telemetry_path:
        - '/opt/panlogs/tmp/device_telemetry/'
    condition: keywords_generic or all of keywords_telemetry_*
falsepositives:
    - Unknown
level: high
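The condition above is easy to misread: `all of keywords_telemetry_*` requires every selection named `keywords_telemetry_*` to match, and a keyword selection matches when any one of its strings occurs in the event. The following added example (not part of the rule or of SigmaHQ) reimplements that logic in Python over constructed log lines so the two-group semantics can be checked before the rule is deployed; it assumes case-insensitive substring matching, which is how most Sigma backends compile keyword lists.

```python
# Keyword groups copied verbatim from the Sigma rule above.
KEYWORDS_GENERIC = [
    'failed to unmarshal session(../',
    'failed to unmarshal session(./../',
    'failed to unmarshal session(/..',
    'failed to unmarshal session(%2E%2E%2F',
    'failed to unmarshal session(%2F%2E%2E',
    'failed to unmarshal session(%2E%2F%2E%2E%2F',
    'failed to unmarshal session(%252E%252E%252F',
    'failed to unmarshal session(%252F%252E%252E',
    'failed to unmarshal session(%252E%252F%252E%252E%252F',
]
KEYWORDS_TELEMETRY_EXPLOIT = ['{IFS}', 'base64', 'bash', 'curl', 'http']
KEYWORDS_TELEMETRY_PATH = ['/opt/panlogs/tmp/device_telemetry/']


def any_keyword(line: str, keywords: list[str]) -> bool:
    """A Sigma keyword selection matches when ANY keyword is a substring
    of the event; assumed case-insensitive, as most backends compile it."""
    lowered = line.lower()
    return any(k.lower() in lowered for k in keywords)


def rule_matches(line: str) -> bool:
    """condition: keywords_generic or all of keywords_telemetry_*"""
    if any_keyword(line, KEYWORDS_GENERIC):
        return True
    # 'all of keywords_telemetry_*' requires EVERY selection whose name
    # starts with keywords_telemetry_ to match, not every keyword in them:
    # one exploit keyword plus the telemetry path is enough to fire.
    return (any_keyword(line, KEYWORDS_TELEMETRY_EXPLOIT)
            and any_keyword(line, KEYWORDS_TELEMETRY_PATH))


def scan(lines: list[str]) -> list[int]:
    """Return 1-based numbers of the lines that fire the rule."""
    return [n for n, line in enumerate(lines, 1) if rule_matches(line)]


# Constructed sample log lines (not real appliance output).
SAMPLE_LINES = [
    "gpsvc: failed to unmarshal session(../CONSTRUCTED)",          # generic group
    "gpsvc: session refreshed for user CONSTRUCTED",                # benign
    "gpsvc: client reported curl user agent",                       # exploit kw, no path
    "mp-log: /opt/panlogs/tmp/device_telemetry/ entry with curl",   # both groups
    "mp-log: /opt/panlogs/tmp/device_telemetry/minute/ queued",     # path only
]
```

Running `scan(SAMPLE_LINES)` returns `[1, 4]`: the path-only and keyword-only lines stay quiet, which is also where the `http` keyword deserves a look for benign telemetry uploads before the rule goes to production.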