Detect Palo Alto PAN-OS GlobalProtect Command Injection (CVE-2024-3400) in CrowdStrike LogScale
CVE-2024-3400 is a critical unauthenticated remote code execution vulnerability (CVSS 10.0) in Palo Alto Networks PAN-OS GlobalProtect gateway. A command injection flaw in the GlobalProtect feature allows an unauthenticated attacker to execute arbitrary OS commands as root by sending specially crafted HTTPS requests. Actively exploited in the wild as part of Operation MidnightEclipse by threat actor UTA0218, attackers have deployed a Python-based backdoor (UPSTYLE) and conducted lateral movement. Affected versions include PAN-OS 10.2.x < 10.2.9-h1, 11.0.x < 11.0.4-h1, and 11.1.x < 11.1.2-h3.
MITRE ATT&CK
LogScale Detection Query
#repo=base_activity
| event_type=NetworkConnect
| LocalPort=443
| RemoteAddressIP4=*
| ImageFileName=/(?i)(pangps|gpd|sslmgr|pan_gp)/
| join(
event_type=ProcessRollup2
| ImageFileName=/(?i)(python3?|wget|curl|\/bin\/sh|\/bin\/bash)/
| ParentImageFileName=/(?i)(pangps|gpd|sslmgr)/
, field=[aid, cid]
, include=[ImageFileName, CommandLine, ParentImageFileName, UserName]
)
| eval ThreatLabel="CVE-2024-3400 GlobalProtect RCE"
| groupBy([aid, ComputerName, ThreatLabel], function=[count(ImageFileName, as=process_count), collect(CommandLine)])
| where process_count > 0
| sort(process_count, order=desc)CrowdStrike Falcon LogScale (CQL) query joining network connection events from GlobalProtect service processes with child process execution of shells and interpreters, surfacing CVE-2024-3400 post-exploitation activity on managed hosts.
Data Sources
Required Tables
False Positives & Tuning
- Falcon sensor self-updates that invoke Python scripts under GlobalProtect daemon ancestry
- Third-party endpoint management agents that attach to the GlobalProtect process tree
- Legitimate network diagnostic flows initiated by IT operations through the GP VPN tunnel
Other platforms for CVE-2024-3400
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2024-3400 SESSID Command Injection Probe
Expected signal: PAN-OS traffic log entry with URI /ssl-vpn/hipreport.esp, HTTP 200 or 500 response; system log entry referencing unexpected file path in SESSID parameter
- Test 2UPSTYLE Backdoor Artifact Simulation
Expected signal: File creation event at /opt/panlogs/tmp/device_telemetry/threading/bootstrap.min.css; Python3 process launch from lab shell
- Test 3GlobalProtect Path Enumeration with Command Keywords
Expected signal: Network flow logs showing HTTPS GET requests to /global-protect/* and /ssl-vpn/* paths from the test host; URL parameters containing base64-encoded strings
- Test 4Post-Exploitation Outbound Beacon Simulation
Expected signal: Process telemetry shows python3 making outbound HTTP connections; network telemetry shows repeated periodic connections to the same destination IP from the firewall management process context
Unlock Pro Content
Get the full detection package for CVE-2024-3400 including response playbook, investigation guide, and atomic red team tests.