Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
Sigma rule
title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
id: f130a5f1-73ba-42f0-bf1e-b66a8361cb8f
status: test
description: |
    Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect.
    This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
references:
    - https://security.paloaltonetworks.com/CVE-2024-3400
    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
    - https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-18
modified: 2024-04-25
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-evasion
    - cve.2024-3400
    - detection.emerging-threats
logsource:
    category: appliance
    product: paloalto
    service: globalprotect
    definition: 'Requirements: Palo Alto GlobalProtect "mp-log" and "gpsvc.log" log files need to be ingested'
detection:
    keywords_generic:
        - 'failed to unmarshal session(../'
        - 'failed to unmarshal session(./../'
        - 'failed to unmarshal session(/..'
        - 'failed to unmarshal session(%2E%2E%2F'
        - 'failed to unmarshal session(%2F%2E%2E'
        - 'failed to unmarshal session(%2E%2F%2E%2E%2F'
        - 'failed to unmarshal session(%252E%252E%252F'
        - 'failed to unmarshal session(%252F%252E%252E'
        - 'failed to unmarshal session(%252E%252F%252E%252E%252F'
    keywords_telemetry_exploit:
        - '{IFS}'
        - 'base64'
        - 'bash'
        - 'curl'
        - 'http'
    keywords_telemetry_path:
        - '/opt/panlogs/tmp/device_telemetry/'
    condition: keywords_generic or all of keywords_telemetry_*
falsepositives:
    - Unknown
level: high
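As an added example (not part of the rule above or of the Sigma project), the following Python evaluates this rule's condition over constructed log lines in the style of the mp-log/gpsvc.log entries the rule expects. The point it makes explicit is that `all of keywords_telemetry_*` requires a hit in each of the two telemetry lists on the same line, while the entries within a list are OR-ed and matched as case-insensitive substrings.

```python
# Added example (not the rule's or the Sigma project's own code): evaluates this
# rule's condition over constructed log lines in the style of mp-log/gpsvc.log.
KEYWORDS_GENERIC = [
    "failed to unmarshal session(../",
    "failed to unmarshal session(./../",
    "failed to unmarshal session(/..",
    "failed to unmarshal session(%2E%2E%2F",
    "failed to unmarshal session(%2F%2E%2E",
    "failed to unmarshal session(%2E%2F%2E%2E%2F",
    "failed to unmarshal session(%252E%252E%252F",
    "failed to unmarshal session(%252F%252E%252E",
    "failed to unmarshal session(%252E%252F%252E%252E%252F",
]
KEYWORDS_TELEMETRY_EXPLOIT = ["{IFS}", "base64", "bash", "curl", "http"]
KEYWORDS_TELEMETRY_PATH = ["/opt/panlogs/tmp/device_telemetry/"]


def any_keyword(line: str, keywords: list[str]) -> bool:
    """A Sigma keyword list is OR-ed; each entry is a case-insensitive substring."""
    lowered = line.lower()
    return any(k.lower() in lowered for k in keywords)


def matches(line: str) -> bool:
    """condition: keywords_generic or all of keywords_telemetry_*

    'all of keywords_telemetry_*' means BOTH telemetry lists must hit on the
    same line (one exploit keyword AND the telemetry path), not every keyword.
    """
    exploit = any_keyword(line, KEYWORDS_TELEMETRY_EXPLOIT)
    path = any_keyword(line, KEYWORDS_TELEMETRY_PATH)
    return any_keyword(line, KEYWORDS_GENERIC) or (exploit and path)


# Constructed sample lines for illustration (not real appliance output).
SAMPLE_LOG = [
    "gpsvc: failed to unmarshal session(../../tmp/x)",  # traversal marker -> alert
    "gpsvc: failed to unmarshal session(abc123)",  # ordinary session id -> quiet
    "telemetry: upload failed for /opt/panlogs/tmp/device_telemetry/hour/stats.tgz",  # path only
    "telemetry: curl transfer to https://telemetry.example.com timed out",  # exploit words only
    "telemetry: packing /opt/panlogs/tmp/device_telemetry/minute/sess.log with base64",  # both -> alert
]


def triage(lines: list[str]) -> list[str]:
    """Return the lines this rule would alert on."""
    return [line for line in lines if matches(line)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print("ALERT:", hit)
```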