Detect Palo Alto PAN-OS GlobalProtect Command Injection (CVE-2024-3400) in IBM QRadar
CVE-2024-3400 is a critical unauthenticated remote code execution vulnerability (CVSS 10.0) in Palo Alto Networks PAN-OS GlobalProtect gateway. A command injection flaw in the GlobalProtect feature allows an unauthenticated attacker to execute arbitrary OS commands as root by sending specially crafted HTTPS requests. Actively exploited in the wild as part of Operation MidnightEclipse by threat actor UTA0218, attackers have deployed a Python-based backdoor (UPSTYLE) and conducted lateral movement. Affected versions include PAN-OS 10.2.x < 10.2.9-h1, 11.0.x < 11.0.4-h1, and 11.1.x < 11.1.2-h3.
MITRE ATT&CK
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
sourceip,
destinationip,
URL,
"USERNAME",
QIDNAME(qid) AS event_name,
logsourcename(logsourceid) AS log_source,
"devicetype",
magnitude
FROM events
WHERE logsourcetypename(devicetype) ILIKE '%Palo Alto%'
AND (
URL ILIKE '%hipreport.esp%'
OR URL ILIKE '%/global-protect/%'
OR URL ILIKE '%/ssl-vpn/%'
)
AND (
utf8(payload) ILIKE '%python%'
OR utf8(payload) ILIKE '%/bin/sh%'
OR utf8(payload) ILIKE '%wget%'
OR utf8(payload) ILIKE '%curl%'
OR utf8(payload) ILIKE '%base64%'
OR utf8(payload) ILIKE '%chmod%'
OR utf8(payload) ILIKE '%/tmp/%'
)
AND LOGSOURCETIME(starttime) > NOW() - 1 HOURS
ORDER BY magnitude DESC
LAST 3600 SECONDSQRadar AQL query identifying Palo Alto log source events where GlobalProtect-associated URLs coincide with shell command or interpreter keywords in the raw payload, surfacing likely CVE-2024-3400 exploitation attempts.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate administrator CLI sessions that pass base64-encoded configuration blobs
- Vulnerability scanners sending crafted payloads during authorized pen tests
- Syslog relay parsers that partially decode GlobalProtect health report XML into payload fields
Other platforms for CVE-2024-3400
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2024-3400 SESSID Command Injection Probe
Expected signal: PAN-OS traffic log entry with URI /ssl-vpn/hipreport.esp, HTTP 200 or 500 response; system log entry referencing unexpected file path in SESSID parameter
- Test 2UPSTYLE Backdoor Artifact Simulation
Expected signal: File creation event at /opt/panlogs/tmp/device_telemetry/threading/bootstrap.min.css; Python3 process launch from lab shell
- Test 3GlobalProtect Path Enumeration with Command Keywords
Expected signal: Network flow logs showing HTTPS GET requests to /global-protect/* and /ssl-vpn/* paths from the test host; URL parameters containing base64-encoded strings
- Test 4Post-Exploitation Outbound Beacon Simulation
Expected signal: Process telemetry shows python3 making outbound HTTP connections; network telemetry shows repeated periodic connections to the same destination IP from the firewall management process context
Unlock Pro Content
Get the full detection package for CVE-2024-3400 including response playbook, investigation guide, and atomic red team tests.