https://live.paloaltonetworks.com/t5/general-topics/how-can-i-see-if-my-fw-has-already-been-exploited-by-the-cve/m-p/583780#M116658 <P>I have not seen anything yet for IoC in the logs as the exploit package apparently deletes related log entries. If you are syslogging then you may be able to search for something in your external log repository. I suspect there is probably a CLI debug command to show the Python packages loaded, but you would probably have to ask PA support for that. I have been running a script from an external server all weekend, constantly querying and validating the GlobalProtect CSS file, to look for any sign of an installed package.</P> Mon, 15 Apr 2024 19:36:57 GMT Adrian_Jensen 2024-04-15T19:36:57Z https://live.paloaltonetworks.com/t5/general-topics/how-can-i-see-if-my-fw-has-already-been-exploited-by-the-cve/m-p/583729#M116651 <P>Hello team</P> <P>How can we determine if your device logs match the known indicators of compromise (IoC) for this vulnerability?</P> <P>I have already fixed the vulnerability and I have the TSF of my device and I want to see if I have been exploited before applying the WK,</P> <P>Can anyone help me?</P> <P>Greetings.</P> Mon, 15 Apr 2024 13:59:27 GMT https://live.paloaltonetworks.com/t5/general-topics/how-can-i-see-if-my-fw-has-already-been-exploited-by-the-cve/m-p/583729#M116651 Alpalo 2024-04-15T13:59:27Z https://live.paloaltonetworks.com/t5/general-topics/how-can-i-see-if-my-fw-has-already-been-exploited-by-the-cve/m-p/583780#M116658 <P>I have not seen anything yet for IoC in the logs as the exploit package apparently deletes related log entries. If you are syslogging then you may be able to search for something in your external log repository. I suspect there is probably a CLI debug command to show the Python packages loaded, but you would probably have to ask PA support for that. I have been running a script from an external server all weekend, constantly querying and validating the GlobalProtect CSS file, to look for any sign of an installed package.</P> Mon, 15 Apr 2024 19:36:57 GMT https://live.paloaltonetworks.com/t5/general-topics/how-can-i-see-if-my-fw-has-already-been-exploited-by-the-cve/m-p/583780#M116658 Adrian_Jensen 2024-04-15T19:36:57Z https://live.paloaltonetworks.com/t5/general-topics/how-can-i-see-if-my-fw-has-already-been-exploited-by-the-cve/m-p/584070#M116692 <P>If you haven't seen it the command from the CLI that can give indicators is in the advisory here:&nbsp;<A href="https://security.paloaltonetworks.com/CVE-2024-3400" target="_blank">https://security.paloaltonetworks.com/CVE-2024-3400</A></P> <P>From the advisory though it states this isn't definitive just could indicate a thwarted attempt and not necessarily a breach. We've uploaded tech support logs to Palo and are waiting for their analysis.</P> Wed, 17 Apr 2024 16:41:34 GMT https://live.paloaltonetworks.com/t5/general-topics/how-can-i-see-if-my-fw-has-already-been-exploited-by-the-cve/m-p/584070#M116692 TonyDeHart 2024-04-17T16:41:34Z https://live.paloaltonetworks.com/t5/general-topics/how-can-i-see-if-my-fw-has-already-been-exploited-by-the-cve/m-p/584073#M116693 <P>Also when you say FIXED be aware that disabling telemetry is NOT enough now and Palo's Guidance has changed on this as of late yesterday (4/16).</P> Wed, 17 Apr 2024 16:42:29 GMT https://live.paloaltonetworks.com/t5/general-topics/how-can-i-see-if-my-fw-has-already-been-exploited-by-the-cve/m-p/584073#M116693 TonyDeHart 2024-04-17T16:42:29Z https://live.paloaltonetworks.com/t5/general-topics/how-can-i-see-if-my-fw-has-already-been-exploited-by-the-cve/m-p/584272#M116717 <P>Hello All,</P> <P>Here is the best writeup I have seen so far.</P> <P><A href="https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/" target="_blank">https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/</A></P> <P>&nbsp;</P> <P>Regards,</P> Thu, 18 Apr 2024 21:59:53 GMT https://live.paloaltonetworks.com/t5/general-topics/how-can-i-see-if-my-fw-has-already-been-exploited-by-the-cve/m-p/584272#M116717 OtakarKlier 2024-04-18T21:59:53Z https://live.paloaltonetworks.com/t5/general-topics/how-can-i-see-if-my-fw-has-already-been-exploited-by-the-cve/m-p/584345#M116722 <P>IOC's posted i made a new thread for it.</P> <P><A href="https://live.paloaltonetworks.com/t5/general-topics/cve-2024-3400-ioc-s/td-p/584343" target="_blank">https://live.paloaltonetworks.com/t5/general-topics/cve-2024-3400-ioc-s/td-p/584343</A></P> <P>&nbsp;</P> Fri, 19 Apr 2024 14:47:10 GMT https://live.paloaltonetworks.com/t5/general-topics/how-can-i-see-if-my-fw-has-already-been-exploited-by-the-cve/m-p/584345#M116722 OtakarKlier 2024-04-19T14:47:10Z https://live.paloaltonetworks.com/t5/general-topics/how-can-i-see-if-my-fw-has-already-been-exploited-by-the-cve/m-p/584346#M116723 <P>Also PAN updated their Faq's with a search query.</P> <P>&nbsp;</P> <P><A href="https://security.paloaltonetworks.com/CVE-2024-3400#:~:text=Q.Are%20there%20any%20checks%20I%20can%20run%20on%20my%20device%20to%20look%20for%20evidence%20of%20attempted%20exploit%20activity%3F" target="_blank">https://security.paloaltonetworks.com/CVE-2024-3400#:~:text=Q.Are%20there%20any%20checks%20I%20can%20run%20on%20my%20device%20to%20look%20for%20evidence%20of%20attempted%20exploit%20activity%3F</A></P> <P>&nbsp;</P> Fri, 19 Apr 2024 14:58:33 GMT https://live.paloaltonetworks.com/t5/general-topics/how-can-i-see-if-my-fw-has-already-been-exploited-by-the-cve/m-p/584346#M116723 OtakarKlier 2024-04-19T14:58:33Z