CVE-2024-9474 Scenario

« CVE-2024-9474 »
v0.1 by crowdsecurity
Attack scenarioremediation:truetype:exploit service:panosspoofable:0MITRE:T1595MITRE:T1190confidence:3

Detect CVE-2024-9474 exploitation attempts

Installation

cscli scenarios install crowdsecurity/CVE-2024-9474

Description

Detect exploitation of PanOS CVE-2024-9474

Ref: https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/

YAML Configuration

1type: trigger
2format: 2.0
3name: crowdsecurity/CVE-2024-9474
4description: "Detect CVE-2024-9474 exploitation attempts"
5filter: |
6  let request = Lower(evt.Parsed.request);
7  evt.Meta.log_type in ['http_access-log', 'http_error-log'] && 
8  evt.Meta.http_status in ['404', '403'] &&
9  evt.Meta.http_verb == 'POST' &&
10  request contains '/php/utils/createremoteappwebsession.php/watchtowr.js.map'
11groupby: "evt.Meta.source_ip"
12blackhole: 2m
13labels:
14  type: exploit
15  remediation: true
16  classification:
17    - attack.T1595
18    - attack.T1190
19    - cve.CVE-2024-9474
20  confidence: 3
21  spoofable: 0
22  behavior: "http:exploit"
23  label: "CVE-2024-9474"
24  service: panos
25

Hub configuration

« CVE-2024-9474 »v0.1 by crowdsecurityAttack scenarioremediation:truetype:exploit service:panosCVE-2024-9474spoofable:0MITRE:T1595MITRE:T1190confidence:3

« CVE-2024-9474 »
v0.1 by crowdsecurity
Attack scenarioremediation:truetype:exploit service:panosspoofable:0MITRE:T1595MITRE:T1190confidence:3