Merge PR SigmaHQ#4826 from @nasbench - Add coverage for CVE-2024-3400

new: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection --------- Co-authored-by: phantinuss <[email protected]>
SavinSpring · Apr 24, 2024 · b349447 · b349447
1 parent 8f8ce06
commit b349447
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 0 deletions.
diff --git a/...rging-threats/2024/Exploits/CVE-2024-3400/paloalto_globalprotect_os_command_injection.yml b/...rging-threats/2024/Exploits/CVE-2024-3400/paloalto_globalprotect_os_command_injection.yml
@@ -0,0 +1,37 @@
+title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
+id: f130a5f1-73ba-42f0-bf1e-b66a8361cb8f
+status: experimental
+description: |
+    Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect.
+    This detection looks for suspicious strings that indicate a potential directory traversal attempt.
+references:
+    - https://security.paloaltonetworks.com/CVE-2024-3400
+    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/04/18
+tags:
+    - attack.initial_access
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.defense_evasion
+    - cve.2024.3400
+logsource:
+    category: appliance
+    product: paloalto
+    service: globalprotect
+    definition: 'Requirements: Palo Alto GlobalProtect "mp-log" and "gpsvc.log" need to be ingested'
+detection:
+    keywords:
+        - 'failed to unmarshal session(../'
+        - 'failed to unmarshal session(./../'
+        - 'failed to unmarshal session(/..'
+        - 'failed to unmarshal session(%2E%2E%2F'
+        - 'failed to unmarshal session(%2F%2E%2E'
+        - 'failed to unmarshal session(%2E%2F%2E%2E%2F'
+        - 'failed to unmarshal session(%252E%252E%252F'
+        - 'failed to unmarshal session(%252F%252E%252E'
+        - 'failed to unmarshal session(%252E%252F%252E%252E%252F'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: high
diff --git a/tests/logsource.json b/tests/logsource.json
@@ -187,6 +187,14 @@
                 "sslvpnd": []
             }
         },
+        "paloalto":{
+            "commun": [],
+            "empty": [],
+            "category":{},
+            "service":{
+                "globalprotect": []
+            }
+        },
         "django":{
             "commun": [],
             "empty": [],

diff --git a/tests/thor.yml b/tests/thor.yml
@@ -575,3 +575,7 @@ logsources:
         category: logfile
         sources:
             - "File:*.log"
+    logfiles-appliances:
+        category: appliance
+        sources:
+            - "File:*.log"