Emerging Threathightest

Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection

Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Thu Apr 18Updated Sat Nov 22f130a5f1-73ba-42f0-bf1e-b66a8361cb8f2024

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

paloaltoapplianceglobalprotect

Productpaloalto← raw: paloalto

Categoryappliance← raw: appliance

Serviceglobalprotect← raw: globalprotect

Definition

Requirements: Palo Alto GlobalProtect "mp-log" and "gpsvc.log" log files need to be ingested

Detection Logic

detection:
    keywords_generic:
        - 'failed to unmarshal session(../'
        - 'failed to unmarshal session(./../'
        - 'failed to unmarshal session(/..'
        - 'failed to unmarshal session(%2E%2E%2F'
        - 'failed to unmarshal session(%2F%2E%2E'
        - 'failed to unmarshal session(%2E%2F%2E%2E%2F'
        - 'failed to unmarshal session(%252E%252E%252F'
        - 'failed to unmarshal session(%252F%252E%252E'
        - 'failed to unmarshal session(%252E%252F%252E%252E%252F'
    keywords_telemetry_exploit:
        - '{IFS}'
        - 'base64'
        - 'bash'
        - 'curl'
        - 'http'
    keywords_telemetry_path:
        - '/opt/panlogs/tmp/device_telemetry/'
    condition: keywords_generic or (keywords_telemetry_exploit and keywords_telemetry_path)