LetsDefend Palo Alto Networks PAN-OS Command Injection Vulnerability Exploitation (CVE-2024-3400)
Welcome back to the blog. Today we will be investigating a command injection attack. Let's get straight to it.
To take ownership of this alert, all we have to do is click on the person icon with the little plus on it. Since a SOC is made up of multiple members, it is essential to take ownership of the alert so that multiple people don't waste time working on the same one. There are a lot of alerts, so we need all hands on deck!
Now that we have taken ownership of the event, the first thing we need to do is click on the drop-down menu to get a more detailed breakdown of the alert. I recommend copying and pasting this breakdown into a separate Word document so you keep access to it. After that, you need to create a case by clicking on the two arrows.
Let's go to Endpoint Security and look up the IP address of the affected device in our network. We see that it is a firewall, which matches the alert name: CVE-2024-3400 affects Palo Alto Networks PAN-OS firewalls.
We copy the source IP address into the Log Management feature to see all the logs that have come in from that address. Make sure to pay attention to the dates so you only look at the traffic around the time of the alert.
The whoami command showing up inside a request field is a classic sign of command injection: attackers run it to confirm that the input they injected is actually being executed by a shell on the device, and to learn which user the service runs as. Seeing it in the raw request here, we can treat the traffic as malicious.
The 200 status code in the raw logs is our indication that the attack was successful: HTTP 200 means the server accepted and processed the request rather than rejecting it. Keep in mind that a 200 on its own shows the request went through, not that the injected command ran, so where you can, confirm execution on the endpoint itself (process or command activity on the firewall) before closing this out as a confirmed compromise.
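To make the two checks above (a shell command such as whoami in a request field, and the HTTP status code of the response) repeatable across many log lines, here is an added Python example. It is not code from the original post or from LetsDefend; the log format, the paths, the cookie field and the log lines are all constructed for illustration. It flags recon commands and shell metacharacters in the request, and it keeps the distinction that a 2xx status means "likely successful, confirm on the endpoint" rather than "proven".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample web-server log lines for illustration only (not from the
# post and not real PAN-OS output). Assumed line format:
#   <timestamp> <src_ip> <method> <path> <status> cookie="<cookie>"
SAMPLE_LOGS = [
    '2024-04-16T10:12:01Z 203.0.113.45 GET /vpn/login 200 cookie="SESSID=abc123"',
    '2024-04-16T10:12:07Z 203.0.113.45 POST /vpn/portal 200 cookie="SESSID=`whoami`"',
    '2024-04-16T10:12:09Z 203.0.113.45 POST /vpn/portal 200 cookie="SESSID=%60id%60"',
    '2024-04-16T10:12:15Z 198.51.100.7 POST /vpn/portal 403 cookie="SESSID=;cat /etc/passwd"',
    '2024-04-16T10:13:00Z 192.0.2.10 GET /vpn/login 200 cookie="SESSID=zzz999"',
    'garbage line that does not match the format',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) cookie="(?P<cookie>[^"]*)"$'
)
# Shell constructs that let an injected string be executed: backticks, $(...),
# command separators and pipes.
SHELL_METACHARS = re.compile(r'`|\$\(|;|\|\||\||&&')
# Recon commands typically used to confirm execution after a command injection.
RECON_COMMANDS = re.compile(r'\b(whoami|id|uname|cat|curl|wget|nc|ls)\b')


@dataclass
class Finding:
    timestamp: str
    source_ip: str
    path: str
    status: int
    payload: str
    commands: List[str] = field(default_factory=list)
    metachars: bool = False
    verdict: str = "benign"


def analyse_line(line: str) -> Optional[Finding]:
    """Parse one log line and classify it; None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # URL-decode so %60 (a backtick) and similar encodings are seen for what they are.
    payload = unquote(m.group("cookie"))
    f = Finding(
        timestamp=m.group("ts"),
        source_ip=m.group("src"),
        path=m.group("path"),
        status=int(m.group("status")),
        payload=payload,
        commands=RECON_COMMANDS.findall(payload),
        metachars=SHELL_METACHARS.search(payload) is not None,
    )
    if f.commands or f.metachars:
        # A 2xx tells us the server processed the request; it does not by itself
        # prove the injected command ran. Keep that distinction in the verdict.
        f.verdict = "likely_successful" if 200 <= f.status < 300 else "attempted"
    return f


def triage(lines: List[str]) -> List[Finding]:
    """Classify every parsable line; unparsable lines are skipped."""
    return [f for f in (analyse_line(ln) for ln in lines) if f is not None]


def suspicious_sources(lines: List[str]) -> List[str]:
    """Distinct source IPs with at least one non-benign finding, in first-seen order."""
    seen: List[str] = []
    for f in triage(lines):
        if f.verdict != "benign" and f.source_ip not in seen:
            seen.append(f.source_ip)
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f.timestamp} {f.source_ip} {f.status} {f.verdict:<17} "
              f"cmds={f.commands} payload={f.payload!r}")
    print("sources to pivot on:", suspicious_sources(SAMPLE_LOGS))
```

The list returned by suspicious_sources is what you would paste back into Log Management or Endpoint Security to pivot on, as done with the single source address above; "attempted" findings (non-2xx responses) are still worth a note in the case even though they did not get through.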
Don't forget to take notes while investigating the attack. These notes let your higher-ups track your progress, and just in case you make a mistake they can always tell you where you went wrong so you can improve. (In this blog post I made a mistake, just a simple click, but my notes will show my higher-ups I did the correct thing and just clicked the wrong button.)

