Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled. As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Events for file system activity including creation, modification, and deletion.
Definition
Requirements: file creation events need to be ingested from the Palo Alto GlobalProtect appliance
detection:
    selection:
        TargetFilename|contains:
            - '{IFS}'
            - 'base64'
            - 'bash'
            - 'curl'
            - 'http'
        TargetFilename|startswith: '/opt/panlogs/tmp/device_telemetry/'
    condition: selection
False positives: The PAN-OS device telemetry function does not enforce a standard filename convention, but observations are unlikely.
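As an added illustration (not part of the rule or of any vendor tooling), the following Python applies the selection logic above to a handful of constructed file-creation events: both the path prefix and one of the substrings must match, and string comparison is case-insensitive as Sigma's default semantics require. Hostnames and filenames are hypothetical.

```python
# Added example: a minimal evaluator for this rule's 'selection' block,
# run over constructed PAN-OS file-creation events.
from dataclasses import dataclass
from typing import Iterable, List

TELEMETRY_DIR = "/opt/panlogs/tmp/device_telemetry/"
SUSPICIOUS_SUBSTRINGS = ("{IFS}", "base64", "bash", "curl", "http")


@dataclass(frozen=True)
class FileCreationEvent:
    host: str
    target_filename: str  # maps to the rule's TargetFilename field


def matches_rule(event: FileCreationEvent) -> bool:
    """True when both selection conditions hold for one event.

    Sigma compares strings case-insensitively unless |cased is used,
    so both sides are lower-cased before startswith/contains.
    """
    name = event.target_filename.lower()
    in_telemetry_dir = name.startswith(TELEMETRY_DIR.lower())
    has_marker = any(s.lower() in name for s in SUSPICIOUS_SUBSTRINGS)
    return in_telemetry_dir and has_marker


def scan(events: Iterable[FileCreationEvent]) -> List[FileCreationEvent]:
    """Return the events that would raise an alert under this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (hypothetical hosts and filenames):
# 0: ordinary telemetry bundle name, no marker      -> no alert
# 1: telemetry dir + '{IFS}' in the name            -> alert
# 2: telemetry dir + 'CURL' (case-insensitive hit)  -> alert
# 3: 'curl' marker but outside the telemetry dir    -> no alert
SAMPLE_EVENTS = [
    FileCreationEvent("fw-edge-01", TELEMETRY_DIR + "hour/PA_telemetry_20240412.tgz"),
    FileCreationEvent("fw-edge-01", TELEMETRY_DIR + "minute/x${IFS}y"),
    FileCreationEvent("fw-edge-02", TELEMETRY_DIR + "hour/CURL-check.tgz"),
    FileCreationEvent("fw-edge-02", "/var/log/pan/curl_debug.log"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT {hit.host}: {hit.target_filename}")
```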
Tactics
Other