Hub configuration

More info

CVE-2024-0012 Scenario

« CVE-2024-0012 »
v0.1 by crowdsecurity / CVE-2024-0012
Attack scenariopanosNot spoofableHigh confidence

Detect CVE-2024-0012 exploitation attempts

Installation

cscli scenarios install crowdsecurity/CVE-2024-0012

Description

Detect exploitation of PanOS CVE-2024-0012

Ref: https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/

YAML Configuration

1type: trigger
2format: 2.0
3name: crowdsecurity/CVE-2024-0012
4description: "Detect CVE-2024-0012 exploitation attempts"
5filter: |
6  let request = Lower(evt.Parsed.request);
7  evt.Meta.log_type in ['http_access-log', 'http_error-log'] && 
8  evt.Meta.http_status in ['404', '403'] &&
9  (request matches '/php/.*/\\.js\\.map' || request matches '/index.php/.*\\.js\\.map')
10groupby: "evt.Meta.source_ip"
11blackhole: 2m
12labels:
13  type: exploit
14  remediation: true
15  classification:
16    - attack.T1595
17    - attack.T1190
18    - cve.CVE-2024-0012
19  confidence: 3
20  spoofable: 0
21  behavior: "http:exploit"
22  label: "CVE-2024-0012"
23  service: panos
24

Hub configuration

« CVE-2024-0012 »v0.1 by crowdsecurity / CVE-2024-0012Attack scenarioCVE-2024-0012panosNot spoofableHigh confidenceMITRE:T1595MITRE:T1190

« CVE-2024-0012 »
v0.1 by crowdsecurity / CVE-2024-0012
Attack scenariopanosNot spoofableHigh confidence