CVE-2024-3400 Elastic Security · Elastic

Detect Palo Alto PAN-OS GlobalProtect Command Injection (CVE-2024-3400) in Elastic Security

CVE-2024-3400 is a critical unauthenticated remote code execution vulnerability (CVSS 10.0) in Palo Alto Networks PAN-OS GlobalProtect gateway. A command injection flaw in the GlobalProtect feature allows an unauthenticated attacker to execute arbitrary OS commands as root by sending specially crafted HTTPS requests. Actively exploited in the wild as part of Operation MidnightEclipse by threat actor UTA0218, attackers have deployed a Python-based backdoor (UPSTYLE) and conducted lateral movement. Affected versions include PAN-OS 10.2.x < 10.2.9-h1, 11.0.x < 11.0.4-h1, and 11.1.x < 11.1.2-h3.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=2m
  [network where network.protocol == "https"
   and url.path : ("/ssl-vpn/hipreport.esp", "/global-protect/*", "/ssl-vpn/*")
   and http.request.method : ("POST", "GET")
  ]
  [process where event.type == "start"
   and process.parent.name : ("pangps", "gpd", "pan_gp", "sslmgr")
   and process.name : ("sh", "bash", "python3", "python", "wget", "curl", "perl")
  ]
critical severity high confidence

EQL sequence rule correlating inbound HTTPS requests to known GlobalProtect paths followed within 2 minutes by anomalous process execution from a GlobalProtect parent process, indicative of CVE-2024-3400 post-exploitation.

Data Sources

Elastic Agent Network EventsElastic Endpoint Process Events

Required Tables

logs-endpoint.events.network-*logs-endpoint.events.process-*

False Positives & Tuning

  • Diagnostic utilities launched by PAN-OS administrators during troubleshooting sessions
  • Automated backup or configuration scripts invoked from the GP daemon
  • Third-party monitoring agents that fork shell processes for health checks

Other platforms for CVE-2024-3400

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2024-3400 SESSID Command Injection Probe

    Expected signal: PAN-OS traffic log entry with URI /ssl-vpn/hipreport.esp, HTTP 200 or 500 response; system log entry referencing unexpected file path in SESSID parameter

  2. Test 2UPSTYLE Backdoor Artifact Simulation

    Expected signal: File creation event at /opt/panlogs/tmp/device_telemetry/threading/bootstrap.min.css; Python3 process launch from lab shell

  3. Test 3GlobalProtect Path Enumeration with Command Keywords

    Expected signal: Network flow logs showing HTTPS GET requests to /global-protect/* and /ssl-vpn/* paths from the test host; URL parameters containing base64-encoded strings

  4. Test 4Post-Exploitation Outbound Beacon Simulation

    Expected signal: Process telemetry shows python3 making outbound HTTP connections; network telemetry shows repeated periodic connections to the same destination IP from the firewall management process context

Last updated: 2026-06-20 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2024-3400 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1505.003Web ShellT1059.006PythonT1021Remote Services

Same Tactic: Initial Access

Popular Detections