Detect Palo Alto PAN-OS GlobalProtect Command Injection (CVE-2024-3400) in Sumo Logic CSE
CVE-2024-3400 is a critical unauthenticated remote code execution vulnerability (CVSS 10.0) in Palo Alto Networks PAN-OS GlobalProtect gateway. A command injection flaw in the GlobalProtect feature allows an unauthenticated attacker to execute arbitrary OS commands as root by sending specially crafted HTTPS requests. Actively exploited in the wild as part of Operation MidnightEclipse by threat actor UTA0218, attackers have deployed a Python-based backdoor (UPSTYLE) and conducted lateral movement. Affected versions include PAN-OS 10.2.x < 10.2.9-h1, 11.0.x < 11.0.4-h1, and 11.1.x < 11.1.2-h3.
MITRE ATT&CK
Sumo Detection Query
_sourceCategory=network/paloalto OR _sourceCategory=firewall/panos
| parse regex "(?<url>/(?:ssl-vpn|global-protect)[^\s\"]*)"
| where url matches "*/hipreport.esp*" or url matches "*/global-protect/*" or url matches "*/ssl-vpn/*"
| where _raw matches "*python*" or _raw matches "*/bin/sh*" or _raw matches "*wget*" or _raw matches "*curl *" or _raw matches "*base64*" or _raw matches "*chmod*" or _raw matches "*/tmp/*"
| extract field=_raw "src=(?<src_ip>[\d\.]+)"
| extract field=_raw "dst=(?<dst_ip>[\d\.]+)"
| count as hit_count by src_ip, dst_ip, url
| where hit_count > 0
| sort by hit_count descSumo Logic query parsing PAN-OS log streams for GlobalProtect URL patterns combined with command injection indicators in the raw message, then aggregating by source and destination to identify active exploitation of CVE-2024-3400.
Data Sources
Required Tables
False Positives & Tuning
- High-volume vulnerability scanner traffic from authorized security teams
- Syslog forwarder misconfiguration injecting adjacent log lines into PAN-OS category
- PAN-OS HA keepalive messages containing encoded health metadata resembling base64 strings
Other platforms for CVE-2024-3400
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2024-3400 SESSID Command Injection Probe
Expected signal: PAN-OS traffic log entry with URI /ssl-vpn/hipreport.esp, HTTP 200 or 500 response; system log entry referencing unexpected file path in SESSID parameter
- Test 2UPSTYLE Backdoor Artifact Simulation
Expected signal: File creation event at /opt/panlogs/tmp/device_telemetry/threading/bootstrap.min.css; Python3 process launch from lab shell
- Test 3GlobalProtect Path Enumeration with Command Keywords
Expected signal: Network flow logs showing HTTPS GET requests to /global-protect/* and /ssl-vpn/* paths from the test host; URL parameters containing base64-encoded strings
- Test 4Post-Exploitation Outbound Beacon Simulation
Expected signal: Process telemetry shows python3 making outbound HTTP connections; network telemetry shows repeated periodic connections to the same destination IP from the firewall management process context
Unlock Pro Content
Get the full detection package for CVE-2024-3400 including response playbook, investigation guide, and atomic red team tests.