A very simple bash script to check for evidence of compromise related to CVE-2024-3400 on Palo Alto Firewalls.
Designed to provide a quick initial triage of potentially impacted devices by checking for the existence of artefacts outlined in the Volexity writeup and deFroggy's blog post.
Usage: ./cve-2024-3400_checker.sh
For more detailed information regarding the vulnerability itself and the IOCs this script checks for, please check out the respective publications below:
- https://security.paloaltonetworks.com/CVE-2024-3400
- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
- https://github.com/deFr0ggy/deFr0ggy.github.io/blob/29806acfdab0b850b8e53542116c6098f498be97/_posts/2024-04-13-Palo%20Alto%20Exploit%20Analysis%20of%20CVE-2024-3400.md#L4
Disclaimer: As public exploits become availabe, the scope of activity is likely to increase and TTPs will almost certainly change. This script may not provide complete detection for all malicious activity and was made with best intentions to allow first responders to perform an initial triage of potentially impacted devices. Further investigation is highly recommended with reference to the technical blog posts above. Please test before running on production systems. The scripts provided here are offered as-is, without warranty of any kind, express or implied. The author assumes no responsibility or liability for any damages or problems resulting from the use of these scripts. Use these scripts at your own risk. By using these scripts, you agree to these terms and conditions.