Detect Palo Alto PAN-OS GlobalProtect Command Injection (CVE-2024-3400) in Google Chronicle
CVE-2024-3400 is a critical unauthenticated remote code execution vulnerability (CVSS 10.0) in Palo Alto Networks PAN-OS GlobalProtect gateway. A command injection flaw in the GlobalProtect feature allows an unauthenticated attacker to execute arbitrary OS commands as root by sending specially crafted HTTPS requests. Actively exploited in the wild as part of Operation MidnightEclipse by threat actor UTA0218, attackers have deployed a Python-based backdoor (UPSTYLE) and conducted lateral movement. Affected versions include PAN-OS 10.2.x < 10.2.9-h1, 11.0.x < 11.0.4-h1, and 11.1.x < 11.1.2-h3.
MITRE ATT&CK
YARA-L Detection Query
rule cve_2024_3400_globalprotect_rce {
meta:
author = "df00tech Detection Engineering"
description = "Detects CVE-2024-3400 exploitation — PAN-OS GlobalProtect command injection"
severity = "CRITICAL"
priority = "HIGH"
cve = "CVE-2024-3400"
mitre_attack = "T1190"
events:
(
$e1.metadata.event_type = "NETWORK_HTTP"
and re.regex($e1.target.url, `(?i)/(ssl-vpn/hipreport\.esp|global-protect/portal|global-protect/gateway)`)
and $e1.target.port = 443
and $e1.principal.ip = $src_ip
)
and
(
$e2.metadata.event_type = "PROCESS_LAUNCH"
and re.regex($e2.target.process.file.full_path, `(?i)(python3?|/bin/sh|/bin/bash|wget|curl)`)
and $e2.principal.hostname = $host
)
match:
$src_ip, $host over 5m
outcome:
$risk_score = max(95)
$detection_name = "CVE-2024-3400 PAN-OS GlobalProtect RCE"
condition:
$e1 and $e2
}Chronicle YARA-L 2.0 rule correlating inbound HTTPS requests to GlobalProtect paths with subsequent anomalous process launches on the same host within a 5-minute window, detecting CVE-2024-3400 zero-day exploitation.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate GlobalProtect client health report submissions from managed endpoints
- Authorized red team exercises generating matching HTTP and process telemetry
- PAN-OS automated update verification scripts that spawn Python for checksum validation
Other platforms for CVE-2024-3400
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2024-3400 SESSID Command Injection Probe
Expected signal: PAN-OS traffic log entry with URI /ssl-vpn/hipreport.esp, HTTP 200 or 500 response; system log entry referencing unexpected file path in SESSID parameter
- Test 2UPSTYLE Backdoor Artifact Simulation
Expected signal: File creation event at /opt/panlogs/tmp/device_telemetry/threading/bootstrap.min.css; Python3 process launch from lab shell
- Test 3GlobalProtect Path Enumeration with Command Keywords
Expected signal: Network flow logs showing HTTPS GET requests to /global-protect/* and /ssl-vpn/* paths from the test host; URL parameters containing base64-encoded strings
- Test 4Post-Exploitation Outbound Beacon Simulation
Expected signal: Process telemetry shows python3 making outbound HTTP connections; network telemetry shows repeated periodic connections to the same destination IP from the firewall management process context
Unlock Pro Content
Get the full detection package for CVE-2024-3400 including response playbook, investigation guide, and atomic red team tests.