Velocidex / velociraptor-docs

Documentation site for Velociraptor

Create Generic.Detection.PAN-CVE-2024-3400 #832

Closed Gaffx closed 2 months ago

Gaffx commented 5 months ago

This artifact is designed to detect the attempts to exploit the unauthenticated remote code execution vulnerability (CVE-2024-3400) in Palo Alto Networks’ GlobalProtect. It is constructed based on the YARA rules provided by the Volexity team. The following YARA rules (scan_context) target files for scanning. More details can be found on their blog post https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/

CLAassistant commented 5 months ago

CLA assistant check
All committers have signed the CLA.

mgreen27 commented 5 months ago

@Gaffx This artifact won't run on the live host - you might want to specify that this artifact is an offline analysis only artifact after collecting a disk image in the description?

Secondly, have you tested this to work? This uses old FullPath notation and looks like it's using the zip accessor so might not work as you expect. Will need to be changed to OSPath and specify it's offline.
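The two review points above (use `OSPath` rather than the deprecated `FullPath` column, and state that the artifact is for offline analysis of a collected image) are easier to see in a concrete artifact skeleton. The following is an added illustration written for this page; it is not the PR's artifact, not the Volexity rules, and not Velociraptor's or Rapid7's code. The artifact name, the `ImageRoot`, `TargetGlob` and `YaraRules` parameters, their defaults and the YARA rule body are all placeholders chosen for the example.

```yaml
# Added illustration, not the PR's artifact. Shows the shape a reviewer is asking
# for: an explicit offline-only description, OSPath instead of FullPath, and the
# "file" accessor against a mounted image root rather than the zip accessor.
# All parameter names, defaults and the YARA rule body are placeholders.
name: Generic.Detection.Example.OfflineYara
description: |
  Offline analysis only. Run this against a mounted disk image collected from
  the device, not against a live host. Files under ImageRoot that match
  TargetGlob are scanned with the rules in YaraRules.
type: CLIENT

parameters:
  - name: ImageRoot
    description: Mount point of the collected disk image (placeholder default).
    default: /mnt/image
  - name: TargetGlob
    description: Glob of files to scan, relative to ImageRoot (placeholder default).
    default: "var/log/**"
  - name: YaraRules
    description: YARA rules to apply. Placeholder body; substitute the vendor-provided rules.
    default: |
      rule placeholder_rule {
        strings:
          $s = "REPLACE_WITH_REAL_RULE_STRING"
        condition:
          $s
      }

sources:
  - query: |
      -- Enumerate candidate files on the mounted image. OSPath is the current
      -- column name; older artifacts used FullPath, which is deprecated.
      LET candidates = SELECT OSPath, Size, Mtime
        FROM glob(root=ImageRoot, globs=TargetGlob, accessor="file")
        WHERE NOT IsDir

      -- Scan each candidate with the YARA rules and report which rule and
      -- which string matched, together with the offset inside the file.
      SELECT OSPath, Size, Mtime,
             Rule,
             String.Name AS StringName,
             String.Offset AS Offset
      FROM foreach(row=candidates,
                   query={
                     SELECT OSPath, Size, Mtime, Rule, String
                     FROM yara(files=OSPath, accessor="file", rules=YaraRules)
                   })
```

Because `OSPath` is carried from `glob()` through `foreach()` into `yara(files=OSPath, ...)`, the same column name works both for selecting files and for reporting hits, which is the change the review asks for. Using `accessor="file"` with an explicit `root` keeps the scan on the mounted image; an artifact that relies on the zip accessor instead would behave differently when pointed at a mounted directory.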

Gaffx commented 5 months ago

@mgreen27 Thank you for your feedback. A note to indicate this artifact is designed to run only against offline images was added. Also, OSPath has been fully incorporated. Snippet below is a screenshot of running the artifact for testing. It executed successfully... Let me know if you have any further questions or comments.

Thanks

@Gaffx

[image: screenshot of the artifact test run]

mgreen27 commented 4 months ago

FYI - I shared our internal one here - https://github.com/rapid7/Rapid7-Labs/blob/main/Vql/CVE-2024-4300.yaml

mgreen27 commented 2 months ago

closing as per comment above