CVE-2024-21887 Microsoft Sentinel · KQL

Detect Ivanti Connect Secure Authenticated Command Injection (Chained with CVE-2023-46805) in Microsoft Sentinel

CVE-2024-21887 is a critical (CVSS 9.1) command injection vulnerability in Ivanti Connect Secure (formerly Pulse Secure) and Policy Secure web components. An authenticated administrator can send specially crafted requests to web endpoints to execute arbitrary commands on the appliance. When chained with CVE-2023-46805 (authentication bypass, CVSS 8.2), the combination allows fully unauthenticated remote code execution. The combined exploit chain was used extensively by the China-nexus threat actor UNC5221 as a zero-day, targeting defence, government, financial, and telecom organisations globally. CISA required mitigation by January 22, 2024. Ivanti Connect Secure VPN appliances are widely deployed by SMBs and enterprises as remote access infrastructure, making this a high-priority detection target.

MITRE ATT&CK

Tactics: Initial Access, Execution, Persistence

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// CVE-2024-21887 — Ivanti Connect Secure Command Injection
// Detect suspicious web requests to Ivanti ICS endpoints that could indicate exploitation
// Key signals: anomalous URI patterns in ICS proxy/access logs, command-execution keywords in
// ICS syslog, and post-exploitation lateral movement from internal hosts
let IvantiSuspiciousRequests =
W3CIISLog
| where TimeGenerated > ago(24h)
| where csHost has_any ("ivanti", "pulse", "pulsesecure", "connectsecure")
    or csUriStem has_any ("/dana-na/", "/dana/", "/api/v1/auth", "/api/v1/totp")
// Match against the decoded path and query string so percent-encoded operators are not missed
| extend DecodedUri = url_decode(strcat(csUriStem, "?", csUriQuery))
// has_any matches whole terms; shell operators such as "||" and "&&" are not terms,
// so they are matched with a regex instead
| where DecodedUri has_any ("cmd", "exec", "shell", "wget", "curl", "/tmp", "base64", "python")
    or DecodedUri matches regex @"\.\./|\|\||&&"
| extend ThreatIndicator = "CVE-2024-21887-Suspicious-ICS-Request";
let IvantiAnomalousAuth =
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceVendor has_any ("Ivanti", "Pulse Secure", "PulseSecure")
| where Activity has_any ("login", "auth", "session", "system", "exec")
| where Message has_any (
    "command", "inject", "exec", "shell", "root", "/tmp", "wget", "curl"
  )
| extend ThreatIndicator = "CVE-2024-21887-ICS-CommandInjection";
let PostExploitLateralMovement =
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemotePort in (445, 3389, 22, 5985, 5986) // SMB, RDP, SSH, WinRM
| where RemoteIPType == "Private" // Post-exploit lateral movement to internal hosts
// Tuning: scope DeviceName/RemoteIP to the address ranges reachable from the ICS appliance,
// otherwise this branch fires on any internal fan-out (see False Positives & Tuning)
| summarize Connections=count(), Targets=make_set(RemoteIP)
  by DeviceName, InitiatingProcessAccountName, bin(TimeGenerated, 1h)
| where Connections > 10 and array_length(Targets) > 5
| extend ThreatIndicator = "CVE-2024-21887-Post-Exploit-Lateral";
// union aligns the three result sets by column name; unmatched columns are null
IvantiSuspiciousRequests
| union IvantiAnomalousAuth
| union PostExploitLateralMovement
| sort by TimeGenerated desc
```

Severity: critical · Confidence: medium

Detects CVE-2024-21887 exploitation via three signals: (1) anomalous request patterns in Ivanti ICS web logs containing command injection indicators, (2) Ivanti CommonSecurityLog entries with command execution keywords, and (3) post-exploitation lateral movement patterns from ICS device IP ranges. Correlate all signals for high confidence.
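The W3CIISLog branch of the rule above, re-implemented in Python over constructed log lines as an added example (not code from the page or the rule's author): it emulates KQL term matching for the word indicators, decodes the URI before matching so percent-encoded shell operators are seen, and shows why the term `curl` must not match `curlew`. The W3C field layout, the `/api/v1/totp/check` path and the sample values are assumptions; the indicator list and ICS paths are taken from the rule.

```python
import re
from urllib.parse import unquote

# Word indicators from the rule, matched as whole terms like KQL `has_any` ("/tmp" is the term "tmp").
WORD_INDICATORS = ("cmd", "exec", "shell", "wget", "curl", "tmp", "base64", "python")
# Shell operators are not alphanumeric terms, so they are matched with a regex instead.
SYMBOL_RE = re.compile(r"\.\./|\|\||&&")
ICS_PATHS = ("/dana-na/", "/dana/", "/api/v1/auth", "/api/v1/totp")
TERM_RE = re.compile(r"[A-Za-z0-9]+")

def decode_uri(s: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so double-encoded operators are visible too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def match_indicators(uri_stem: str, uri_query: str) -> list[str]:
    """Return the rule's indicator tokens found in the decoded path+query ([] if none)."""
    raw = uri_stem if uri_query in ("", "-") else f"{uri_stem}?{uri_query}"
    full = decode_uri(raw)
    if not any(p in full for p in ICS_PATHS):  # only ICS endpoints are in scope
        return []
    terms = {t.lower() for t in TERM_RE.findall(full)}
    hits = [w for w in WORD_INDICATORS if w in terms]
    return hits + SYMBOL_RE.findall(full)

def triage(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (cs-uri-stem, indicators) for each W3C log line the rule would surface."""
    flagged = []
    for line in lines:
        if line.startswith("#"):  # W3C directive lines carry no request
            continue
        # Field order follows the constructed #Fields header in SAMPLE_LOG
        _date, _time, _s_ip, _method, stem, query, *_ = line.split()
        hits = match_indicators(stem, query)
        if hits:
            flagged.append((stem, hits))
    return flagged

# Constructed sample lines (not real traffic): "curlew" shows term vs substring matching,
# and the double-encoded query shows why the URI must be decoded before matching.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status",
    "2024-01-11 03:14:05 10.0.0.5 GET /dana-na/auth/url_default/welcome.cgi - 443 - 203.0.113.7 200",
    "2024-01-11 03:15:12 10.0.0.5 GET /dana-na/reports/curlew-export.cgi - 443 admin 10.0.0.40 200",
    "2024-01-11 03:16:00 10.0.0.5 GET /api/v1/totp/check code=%257C%257Cwget - 443 - 198.51.100.9 200",
]
```

Only the last sample line is surfaced, with `["wget", "||"]` as its indicators; a substring match would also have flagged the `curlew` report export.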

Data Sources

  • CommonSecurityLog (Ivanti Connect Secure syslog integration)
  • W3CIISLog (if ICS web logs are forwarded)
  • Microsoft Defender for Endpoint (DeviceNetworkEvents for post-exploitation)
  • Azure Network Analytics

Required Tables

  • CommonSecurityLog
  • W3CIISLog

False Positives & Tuning

  • Legitimate ICS administrative operations logged with system-level context
  • Authorised security scanning of Ivanti appliances generating anomalous-looking web requests
  • Internal monitoring systems polling ICS API endpoints

Testing Methodology

Validate this detection against one adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate CVE-2024-21887 command injection request

    Expected signal: ICS web access log entry for /api/v1/totp/ with command injection payload; syslog entry showing command execution output.
