-
Notifications
You must be signed in to change notification settings - Fork 597
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add: PaloAlto exploitation CVE-2024-3400
- Loading branch information
Showing
1 changed file
with
91 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,91 @@ | ||
|
|
||
| rule APT_UTA028_ForensicArtefacts_PaloAlto_CVE_2024_3400_Apr24_1 : SCRIPT { | ||
| meta: | ||
| description = "Detects forensic artefacts of APT UTA028 as found in a campaign exploiting the Palo Alto CVE-2024-3400 vulnerability" | ||
| author = "Florian Roth" | ||
| reference = "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/" | ||
| date = "2024-04-15" | ||
| modified = "2024-04-18" | ||
| score = 70 | ||
| strings: | ||
| $x1 = "cmd = base64.b64decode(rst.group" | ||
| $x2 = "f.write(\"/*\"+output+\"*/\")" | ||
| $x3 = "* * * * * root wget -qO- http://" | ||
| $x4 = "rm -f /var/appweb/sslvpndocs/global-protect/*.css" | ||
| $x5a = "failed to unmarshal session(../" // https://security.paloaltonetworks.com/CVE-2024-3400 | ||
| $x5b = "failed to unmarshal session(./../" // customer data | ||
| $x6 = "rm -rf /opt/panlogs/tmp/device_telemetry/minute/*" base64 | ||
| $x7 = "$(uname -a) > /var/" base64 | ||
| condition: | ||
| 1 of them | ||
| } | ||
|
|
||
| rule EXPL_PaloAlto_CVE_2024_3400_Apr24_1 { | ||
| meta: | ||
| description = "Detects characteristics of the exploit code used in attacks against Palo Alto GlobalProtect CVE-2024-3400" | ||
| author = "Florian Roth" | ||
| reference = "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/" | ||
| date = "2024-04-15" | ||
| score = 70 | ||
| strings: | ||
| $x1 = "SESSID=../../../../opt/panlogs/" | ||
| $x2 = "SESSID=./../../../../opt/panlogs/" | ||
| $sa1 = "SESSID=../../../../" | ||
| $sa2 = "SESSID=./../../../../" | ||
| $sb2 = "${IFS}" | ||
| condition: | ||
| 1 of ($x*) | ||
| or (1 of ($sa*) and $sb2) | ||
| } | ||
|
|
||
| rule SUSP_LNX_Base64_Download_Exec_Apr24 : SCRIPT { | ||
| meta: | ||
| description = "Detects suspicious base64 encoded shell commands used for downloading and executing further stages" | ||
| author = "Paul Hager" | ||
| date = "2024-04-18" | ||
| reference = "Internal Research" | ||
| score = 75 | ||
| strings: | ||
| $sa1 = "curl http" base64 | ||
| $sa2 = "wget http" base64 | ||
| $sb1 = "chmod 777 " base64 | ||
| $sb2 = "/tmp/" base64 | ||
| condition: | ||
| 1 of ($sa*) | ||
| and all of ($sb*) | ||
| } | ||
|
|
||
| rule SUSP_PY_Import_Statement_Apr24_1 { | ||
| meta: | ||
| description = "Detects suspicious Python import statement and socket usage often found in Python reverse shells" | ||
| author = "Florian Roth" | ||
| reference = "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/" | ||
| date = "2024-04-15" | ||
| score = 65 | ||
| strings: | ||
| $x1 = "import sys,socket,os,pty;s=socket.socket(" | ||
| condition: | ||
| 1 of them | ||
| } | ||
|
|
||
| rule SUSP_LNX_Base64_Exec_Apr24 : SCRIPT { | ||
| meta: | ||
| description = "Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)" | ||
| author = "Christian Burkard" | ||
| date = "2024-04-18" | ||
| reference = "Internal Research" | ||
| score = 75 | ||
| strings: | ||
| $s1 = "curl http://" base64 | ||
| $s2 = "wget http://" base64 | ||
| $s3 = ";chmod 777 " base64 | ||
| $s4 = "/tmp/" base64 | ||
| condition: | ||
| all of them | ||
| } |