Detect Palo Alto PAN-OS GlobalProtect Command Injection (Operation MidnightEclipse) in Splunk
CVE-2024-3400 is a maximum-severity (CVSS 10.0) command injection vulnerability in Palo Alto Networks PAN-OS, specifically in the GlobalProtect feature. The flaw lets an unauthenticated remote attacker execute arbitrary code with root privileges on the firewall: improper input validation in the GlobalProtect service allows arbitrary files to be created on the device, and those files are then executed. Affected versions include PAN-OS 10.2.x (through 10.2.7), 11.0.x, and 11.1.x with a GlobalProtect gateway or portal enabled. Cloud NGFW, Panorama, and Prisma Access are not affected. The vulnerability was exploited as a zero-day by the threat actor UTA0218 in Operation MidnightEclipse to deploy the UPSTYLE backdoor. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. Because Palo Alto firewalls are widely deployed by SMBs and enterprises as perimeter security, this is a critical priority.
MITRE ATT&CK
SPL Detection Query
index=network sourcetype IN ("pan:log", "pan:system", "pan:threat", "pan:traffic",
    "pan:config", "pan:globalprotect", "cisco:asa", "syslog")
(
    vendor="Palo Alto Networks"
    OR product IN ("PAN-OS", "GlobalProtect")
    OR sourcetype IN ("pan:log", "pan:system", "pan:globalprotect")
)
| where (
    (log_subtype="system" OR subtype="system")
    AND (
        match(_raw, "(?i)(wget|curl|bash|sh\s|/tmp/|/var/appweb|base64|eval|exec)")
        OR match(description, "(?i)(command|inject|exploit|shell|root|system)")
    )
  ) OR (
    (log_subtype="globalprotect" OR type="GLOBALPROTECT")
    AND in(action, "connect", "disconnect", "tunnel-reject")
    AND match(_raw, "(?i)(\.sh|wget|curl|/tmp|\.py|\.pl)")
  )
| eval CVE="CVE-2024-3400"
| eval ThreatType="PAN-OS-GlobalProtect-CommandInjection"
| bin _time span=1h
| stats count AS SuspiciousEvents,
    values(src_ip) AS SourceIPs,
    values(description) AS Descriptions,
    values(cmd) AS Commands
    BY host, CVE, ThreatType, _time
| where SuspiciousEvents >= 1
| table _time, host, SourceIPs, Descriptions, Commands, SuspiciousEvents, CVE, ThreatType
| sort - SuspiciousEvents
Detects CVE-2024-3400 exploitation indicators in Palo Alto PAN-OS syslog data, specifically looking for command injection signatures (wget, curl, bash, /tmp/ paths, base64-encoded commands) in system and GlobalProtect log entries. These patterns correspond to the UPSTYLE backdoor installation observed in UTA0218's Operation MidnightEclipse. Note that match() is an eval function, so the regex terms must sit in a where clause rather than in the base search, and the hourly grouping is done with bin before stats.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate PAN-OS system operations referencing /tmp/ paths in normal log output
- Authorized firewall management scripts using wget/curl for content updates
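The following Python script is an added example, not code from the original page or from Palo Alto Networks. It replays the detection logic of the SPL rule above over a handful of constructed PAN-OS events (invented hostnames, documentation-range IPs, field names as emitted by the Splunk add-on for PAN-OS) so the filter, the hourly grouping and the tuning concerns from the false-positive list can be exercised offline. The `benign_descriptions` parameter is an assumption of this example, not part of the SPL rule; it shows why tuning matters, because the description regex contains generic words such as "system" and "root" that also match routine firewall messages.

```python
"""Offline replay of the CVE-2024-3400 SPL detection over constructed PAN-OS events."""
import re
from collections import defaultdict
from datetime import datetime

# Regular expressions lifted from the match() terms of the SPL rule on this page.
SYSTEM_RAW_RE = re.compile(r"(?i)(wget|curl|bash|sh\s|/tmp/|/var/appweb|base64|eval|exec)")
SYSTEM_DESC_RE = re.compile(r"(?i)(command|inject|exploit|shell|root|system)")
GP_RAW_RE = re.compile(r"(?i)(\.sh|wget|curl|/tmp|\.py|\.pl)")
GP_ACTIONS = {"connect", "disconnect", "tunnel-reject"}

CVE = "CVE-2024-3400"
THREAT_TYPE = "PAN-OS-GlobalProtect-CommandInjection"

# Constructed sample events (hostnames invented, IPs from documentation ranges).
SAMPLE_EVENTS = [
    {   # system log referencing a /tmp/ script and "exec": should fire
        "host": "fw-edge-01", "_time": "2024-04-12T10:15:00+00:00",
        "log_subtype": "system", "src_ip": "203.0.113.10",
        "description": "sessiond: exec of /tmp/update.sh failed",
        "_raw": "1,2024/04/12 10:15:00,SYSTEM,general,sessiond: exec of /tmp/update.sh failed",
    },
    {   # routine system message; the word "system" in the description still matches
        "host": "fw-edge-01", "_time": "2024-04-12T10:40:00+00:00",
        "log_subtype": "system",
        "description": "System recovery completed",
        "_raw": "1,2024/04/12 10:40:00,SYSTEM,general,System recovery completed",
    },
    {   # GlobalProtect connect whose raw line carries curl and a /tmp path: should fire
        "host": "fw-edge-01", "_time": "2024-04-12T11:05:00+00:00",
        "type": "GLOBALPROTECT", "action": "connect", "src_ip": "198.51.100.7",
        "description": "GlobalProtect gateway client connect",
        "_raw": "1,2024/04/12 11:05:00,GLOBALPROTECT,connect,198.51.100.7,client-os=curl/8.0 /tmp/a.sh",
    },
    {   # ordinary traffic log: no branch of the filter applies
        "host": "fw-edge-02", "_time": "2024-04-12T11:20:00+00:00",
        "log_subtype": "traffic", "src_ip": "192.0.2.5",
        "_raw": "1,2024/04/12 11:20:00,TRAFFIC,end,192.0.2.5,allow",
    },
]


def is_suspicious(event):
    """Port of the boolean filter in the SPL (system branch OR GlobalProtect branch)."""
    raw = event.get("_raw", "")
    subtype = (event.get("log_subtype") or event.get("subtype") or "").lower()
    system_hit = subtype == "system" and (
        SYSTEM_RAW_RE.search(raw) is not None
        or SYSTEM_DESC_RE.search(event.get("description", "")) is not None
    )
    gp_hit = (subtype == "globalprotect" or event.get("type") == "GLOBALPROTECT") and (
        event.get("action") in GP_ACTIONS and GP_RAW_RE.search(raw) is not None
    )
    return system_hit or gp_hit


def hour_bucket(timestamp):
    """Equivalent of `bin _time span=1h` for an ISO-8601 timestamp string."""
    t = datetime.fromisoformat(timestamp)
    return t.replace(minute=0, second=0, microsecond=0).isoformat()


def detect(events, benign_descriptions=()):
    """Filter events, apply description-based tuning, then group by host and hour.

    benign_descriptions (assumed tuning knob, not in the SPL): case-insensitive
    substrings that suppress an event, e.g. known-good maintenance messages.
    """
    groups = defaultdict(lambda: {"SourceIPs": set(), "Descriptions": set(),
                                  "Commands": set(), "SuspiciousEvents": 0})
    for ev in events:
        if not is_suspicious(ev):
            continue
        desc = ev.get("description", "")
        if any(b.lower() in desc.lower() for b in benign_descriptions):
            continue
        g = groups[(ev["host"], hour_bucket(ev["_time"]))]
        g["SuspiciousEvents"] += 1
        for field, column in (("src_ip", "SourceIPs"), ("description", "Descriptions"),
                              ("cmd", "Commands")):
            if ev.get(field):
                g[column].add(ev[field])
    rows = []
    for (host, bucket), g in sorted(groups.items()):  # deterministic order before the sort
        rows.append({"_time": bucket, "host": host,
                     "SourceIPs": sorted(g["SourceIPs"]),
                     "Descriptions": sorted(g["Descriptions"]),
                     "Commands": sorted(g["Commands"]),
                     "SuspiciousEvents": g["SuspiciousEvents"],
                     "CVE": CVE, "ThreatType": THREAT_TYPE})
    rows.sort(key=lambda r: -r["SuspiciousEvents"])  # mirrors `sort - SuspiciousEvents`
    return rows


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
    print("--- with tuning for the benign recovery message ---")
    for row in detect(SAMPLE_EVENTS, benign_descriptions=("recovery completed",)):
        print(row)
```

Run untuned, the first hourly bucket for fw-edge-01 counts two events, one of which is only the benign "System recovery completed" message; with the tuning substring supplied, that bucket drops to the single /tmp/ exec event, while the GlobalProtect hit in the next hour is unaffected. When tuning the real rule, prefer suppressing specific known-good descriptions or source IPs over loosening the regexes, so that a genuine file-creation-and-execute chain still surfaces.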
Other platforms for CVE-2024-3400
Testing Methodology
Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Test CVE-2024-3400 detection via crafted GlobalProtect request
Expected signal: PAN-OS system log entry showing file creation command execution; pan:system log with anomalous path references.
References (6)
- https://nvd.nist.gov/vuln/detail/CVE-2024-3400
- https://security.paloaltonetworks.com/CVE-2024-3400
- https://unit42.paloaltonetworks.com/cve-2024-3400/
- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://attack.mitre.org/techniques/T1190/