https://live.paloaltonetworks.com/t5/general-topics/cve-2024-3400-ioc-s/m-p/584578#M116763 <P>Thanks for sharing&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;!</P> Tue, 23 Apr 2024 00:56:36 GMT JayGolf 2024-04-23T00:56:36Z https://live.paloaltonetworks.com/t5/general-topics/cve-2024-3400-ioc-s/m-p/584343#M116721 <P>Hello All,</P> <P>Its a twitter link but will try and summarize the process.&nbsp;</P> <P><A href="https://twitter.com/cyb3rops/status/1781294529586331650" target="_blank" rel="noopener">https://twitter.com/cyb3rops/status/1781294529586331650</A></P> <DIV class="css-175oi2r r-1awozwy r-18u37iz r-1wbh5a2 r-dnmrzs"> <DIV class="css-175oi2r r-1wbh5a2 r-dnmrzs"> <DIV class="css-175oi2r r-1awozwy r-18u37iz r-1wbh5a2 r-dnmrzs"> <DIV class="css-1rynq56 r-bcqeeo r-qvutc0 r-37j5jr r-a023e6 r-rjixqe r-b88u0q r-1awozwy r-6koalj r-1udh08x r-3s2u2q r-1ddef8g" dir="ltr"><SPAN class="css-1qaijid r-dnmrzs r-1udh08x r-3s2u2q r-bcqeeo r-qvutc0 r-poiln3"><SPAN class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3">Credit to:</SPAN></SPAN></DIV> <DIV class="css-1rynq56 r-bcqeeo r-qvutc0 r-37j5jr r-a023e6 r-rjixqe r-b88u0q r-1awozwy r-6koalj r-1udh08x r-3s2u2q r-1ddef8g" dir="ltr"><SPAN class="css-1qaijid r-dnmrzs r-1udh08x r-3s2u2q r-bcqeeo r-qvutc0 r-poiln3"><SPAN class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3">Florian Roth</SPAN></SPAN></DIV> <DIV class="css-1rynq56 r-bcqeeo r-qvutc0 r-37j5jr r-a023e6 r-rjixqe r-16dba41 r-xoduu5 r-18u37iz r-1q142lx" dir="ltr"><SPAN>@cyb3rops</SPAN></DIV> </DIV> </DIV> </DIV> <P>&nbsp;</P> <DIV class="css-175oi2r"> <DIV class="css-175oi2r r-1s2bzr4"> <DIV id="id__lqdzripxg8s" class="css-1rynq56 r-bcqeeo r-qvutc0 r-37j5jr r-1inkyih r-16dba41 r-bnwqim r-135wba7" dir="auto" lang="en" data-testid="tweetText"><SPAN class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3">We decided to share our </SPAN><SPAN class="r-18u37iz"><A class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3 r-1loqt21" dir="ltr" role="link" href="https://twitter.com/hashtag/YARA?src=hashtag_click" target="_blank" rel="noopener">#YARA</A></SPAN><SPAN class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3"> rules to scan for indicators of the exploitation of CVE-2024-3400 in </SPAN><SPAN class="r-18u37iz"><A class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3 r-1loqt21" dir="ltr" role="link" href="https://twitter.com/hashtag/PaloAlto?src=hashtag_click" target="_blank" rel="noopener">#PaloAlto</A></SPAN><SPAN class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3">'s PAN-OS with the community and included some of the generic rules (detect similar attacks) Three Steps </SPAN></DIV> <DIV class="css-1rynq56 r-bcqeeo r-qvutc0 r-37j5jr r-1inkyih r-16dba41 r-bnwqim r-135wba7" dir="auto" lang="en" data-testid="tweetText"><SPAN class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3">1. Generate a Tech Support file and extract it </SPAN><A class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3 r-1loqt21" dir="ltr" role="link" href="https://t.co/ITPOvDtw7U" target="_blank" rel="noopener noreferrer nofollow"><SPAN class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3 r-qlhcfr r-qvk6io" aria-hidden="true">https://</SPAN>knowledgebase.paloaltonetworks.com/KCSArticleDeta<SPAN class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3 r-qlhcfr r-qvk6io" aria-hidden="true">il?id=kA10g000000ClRlCAK</SPAN><SPAN class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3 r-lrvibr" aria-hidden="true">…</SPAN></A></DIV> <DIV class="css-1rynq56 r-bcqeeo r-qvutc0 r-37j5jr r-1inkyih r-16dba41 r-bnwqim r-135wba7" dir="auto" lang="en" data-testid="tweetText"><SPAN class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3">2. Download and extract THOR Lite </SPAN><A class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3 r-1loqt21" dir="ltr" role="link" href="https://t.co/EVPjanmunk" target="_blank" rel="noopener noreferrer nofollow"><SPAN class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3 r-qlhcfr r-qvk6io" aria-hidden="true">https://</SPAN>nextron-systems.com/thor-lite/</A></DIV> <DIV class="css-1rynq56 r-bcqeeo r-qvutc0 r-37j5jr r-1inkyih r-16dba41 r-bnwqim r-135wba7" dir="auto" lang="en" data-testid="tweetText"><SPAN class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3">3. Scan the extracted folder (tech support files) thor64-lite.exe -a FileScan -p ..\2024XXXX_XXXX_techsupport.tgz_unpacked --intense --cross-platform --max-file-size 500MB YARA Rules (already included in THOR Lite's signature package) </SPAN><A class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3 r-1loqt21" dir="ltr" role="link" href="https://t.co/qMgto8kP9k" target="_blank" rel="noopener noreferrer nofollow"><SPAN class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3 r-qlhcfr r-qvk6io" aria-hidden="true">https://</SPAN>github.com/Neo23x0/signat<SPAN class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3 r-qlhcfr r-qvk6io" aria-hidden="true">ure-base/blob/master/yara/vuln_paloalto_cve_2024_3400_apr24.yar</SPAN><SPAN class="css-1qaijid r-bcqeeo r-qvutc0 r-poiln3 r-lrvibr" aria-hidden="true">…</SPAN></A></DIV> </DIV> </DIV> <DIV class="css-175oi2r"> <DIV id="id__zdu545mgs" class="css-175oi2r r-9aw3ui r-1s2bzr4" aria-labelledby="id__3805k9f3i45 id__03mr2g14mtoo"> <DIV class="css-175oi2r r-9aw3ui"> <DIV class="css-175oi2r"> <DIV class="css-175oi2r"> <DIV class="css-175oi2r r-1kqtdi0 r-1phboty r-rs99b7 r-1867qdf r-1udh08x r-o7ynqc r-6416eg r-1ny4l3l"> <DIV class="css-175oi2r r-1adg3ll r-1udh08x"> <DIV class="r-1p0dtai r-1pi2tsx r-u8s1d r-1d2f490 r-ipm5af r-13qz1uu"> <DIV class="css-175oi2r r-1pi2tsx r-13qz1uu r-18u37iz"> <DIV class="css-175oi2r r-1iusvr4 r-16y2uox r-eqz5dr"> <DIV class="css-175oi2r r-1iusvr4 r-16y2uox r-bnwqim r-zl2h9q"> <DIV id="tinyMceEditorOtakarKlier_3" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <DIV id="tinyMceEditorOtakarKlier_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <DIV id="tinyMceEditorOtakarKlier_1" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P>Screen shots in the original post on Twitter.</P> </DIV> <DIV class="css-175oi2r r-1iusvr4 r-16y2uox r-bnwqim"> <DIV class="css-175oi2r r-16y2uox r-1pi2tsx r-13qz1uu"> <DIV class="css-175oi2r r-1p0dtai r-1d2f490 r-1udh08x r-u8s1d r-zchlnj r-ipm5af"> <DIV class="css-175oi2r r-1mlwlqe r-1udh08x r-417010" aria-label="Image" data-testid="tweetPhoto"> <DIV id="tinyMceEditorOtakarKlier_2" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P>Also PAN has updated their guidance and a search for compromise.</P> <P>&nbsp;</P> <P><A href="https://security.paloaltonetworks.com/CVE-2024-3400#:~:text=Q.Are%20there%20any%20checks%20I%20can%20run%20on%20my%20device%20to%20look%20for%20evidence%20of%20attempted%20exploit%20activity%3F" target="_blank">https://security.paloaltonetworks.com/CVE-2024-3400#:~:text=Q.Are%20there%20any%20checks%20I%20can%20run%20on%20my%20device%20to%20look%20for%20evidence%20of%20attempted%20exploit%20activity%3F</A></P> <P>&nbsp;</P> <P>Good luck to all!</P> <P>&nbsp;</P> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Fri, 19 Apr 2024 14:57:26 GMT https://live.paloaltonetworks.com/t5/general-topics/cve-2024-3400-ioc-s/m-p/584343#M116721 OtakarKlier 2024-04-19T14:57:26Z https://live.paloaltonetworks.com/t5/general-topics/cve-2024-3400-ioc-s/m-p/584578#M116763 <P>Thanks for sharing&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;!</P> Tue, 23 Apr 2024 00:56:36 GMT https://live.paloaltonetworks.com/t5/general-topics/cve-2024-3400-ioc-s/m-p/584578#M116763 JayGolf 2024-04-23T00:56:36Z