<img width="1536" height="785" alt="cover photo" src="https://github.com/user-attachments/assets/d74d2dec-e75c-44a2-9204-88d3098573d8" />
# 🔍 Investigating a Zero-Day Attack Using Let’s Defend SIEM
### 👉 A Walkthrough on Detecting and Analyzing CVE-2024-24919 Exploitation
---
## 🎯 **Purpose of the Investigation**
This project was conducted to **investigate a potential exploitation attempt** against a Check Point Security Gateway, specifically leveraging a **zero-day vulnerability – CVE-2024-24919**. The goal was to determine if this alert was a false positive or a legitimate breach attempt, analyze the traffic, and take appropriate containment and response steps.
---
## 🛠️ **Tools & Environment Used**
* **SIEM Platform**: Let’s Defend (cloud-based threat detection and investigation tool)
* **Virtual Lab**: Provided within Let’s Defend
* **Targeted Host**: CP-Spark-Gateway-01
* **Log Analysis Features**: HTTP traffic logs, endpoint filtering, email security console
* **Threat Intelligence**: Online sources such as NVD and Check Point security advisories
---
## ⭐ Alert Overview
* **Rule Triggered**: SOC287 - Arbitrary File Read on Check Point Gateway (CVE-2024-24919)
* **Event ID**: 263
* **Timestamp**: June 6, 2024, 03:12 PM
* **Destination IP**: `172.16.20.146`
* **Source IP**: `203.160.68.12`
* **Device Action**: Allowed
* **Request**: `aCSHELL/../../../../../../../../../../etc/passwd`
* **User-Agent**: Spoofed as Mozilla Firefox on Mac OS X
---
## 🧪 **Pre-Analysis: Understanding CVE-2024-24919**
**CVE-2024-24919** is an **information-disclosure vulnerability in Check Point Security Gateways** that was exploited in the wild as a **zero-day** before the hotfix shipped. It affects Internet-facing gateways with **Remote Access VPN or Mobile Access** enabled and lets **unauthenticated remote attackers** read arbitrary files through a path traversal in the `/clients/MyCRL` endpoint. Reads of `/etc/passwd` and `/etc/shadow` are the typical targets; `/etc/shadow` is normally readable only by root, so a successful read of it means the vulnerable service is running with root privileges.
🔗 *[Check Point Advisory](https://support.checkpoint.com/results/sk/sk182336)*
The request seen in our logs (an `aCSHELL/` prefix followed by a run of `../` and a system file path, posted to `/clients/MyCRL`) matches this vulnerability exactly, which is why the rule fires: it is an attempt to read system files through the gateway's HTTP service.
---
## 🔎 **Step 1: Analyze HTTP Traffic**
<img width="931" alt="image" style="display: block; margin: 0 auto;" src="https://github.com/user-attachments/assets/c69a6361-393f-4657-b8ec-e2c3e4c15fff"/>
I navigated to the **Log Management page**, filtered for **Destination IP `172.16.20.146`**, and inspected incoming HTTP traffic.
<img width="931" alt="image" style="display: block; margin: 0 auto;" src="https://github.com/user-attachments/assets/a84861ff-a90d-4833-b9b9-4ad770024cdd"/>
### 🔥 Key Findings:
<img width="931" alt="image" style="display: block; margin: 0 auto;" src="https://github.com/user-attachments/assets/8d1a8db6-b250-48fe-b162-2e2ed4638e30"/>
<img width="931" alt="image" style="display: block; margin: 0 auto;" src="https://github.com/user-attachments/assets/aa0635c2-cc27-4bca-8518-1afce43d9401"/>
| Timestamp | Request Path | Payload |
| --------- | -------------- | -------------------------------- |
| 15:12:45 | /clients/MyCRL | `aCSHELL/../../../../etc/passwd` |
| 15:13:10 | /clients/MyCRL | `aCSHELL/../../../../etc/shadow` |
* The payload clearly attempts **path traversal** to read critical system files.
* `/etc/passwd` lists the local accounts; `/etc/shadow` holds their password hashes and is normally readable only by root, so a successful read of it implies the vulnerable process runs with root privileges.
* HTTP status **200** with a **1256-byte response** means the gateway accepted the request and returned a body. That is consistent with a successful file read, but a status code alone is not proof: compare the size against legitimate `/clients/MyCRL` responses and, where response logging or packet capture exists, confirm the body actually contains `passwd` or `shadow` content.
<img width="931" alt="image" style="display: block; margin: 0 auto;" src="https://github.com/user-attachments/assets/0ec43851-ddee-4481-a832-2a49024b5b98"/>
---
## 🚨 **Step 2: What Type of Attack Is This?**
<img width="931" alt="image" style="display: block; margin: 0 auto;" src="https://github.com/user-attachments/assets/23c2dc73-63a0-41b5-83a8-8f39aa0ed890"/>
This is a **Path Traversal Attack**, also known as **Directory Traversal**.
It allows attackers to **navigate outside the intended web directory** and access protected system files.
**Why we concluded this:**
* Requests contain repeated `../` (dot-dot-slash) patterns.
* Targeted files like `/etc/passwd` and `/etc/shadow` are standard indicators.
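To make the mechanism concrete, here is an added example (not code from the original walkthrough and not Check Point's implementation): a toy file server that joins a client-supplied name onto its web root, shown next to a hardened version that resolves the path and refuses anything outside the root. The directory layout, file contents and function names are constructed for the demo; the payload shape mirrors the `aCSHELL/../…/etc/passwd` request from the alert.

```python
"""Added example: why "aCSHELL/../../../etc/passwd" escapes a web root and how a
realpath-based containment check stops it. Toy code, not Check Point's handler."""
import os
import tempfile
from urllib.parse import unquote


def vulnerable_read(base_dir: str, user_path: str) -> bytes:
    """Decodes and joins the client-supplied path onto the web root, then
    normalises it. normpath collapses the '..' components, so the OS never
    needs 'aCSHELL' to exist, and the result can land outside base_dir."""
    target = os.path.normpath(os.path.join(base_dir, unquote(user_path)))
    with open(target, "rb") as fh:
        return fh.read()


def safe_read(base_dir: str, user_path: str) -> bytes:
    """Resolves symlinks and '..' with realpath, then insists the final path
    still lives under the resolved web root before opening it."""
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, unquote(user_path)))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes web root: {user_path!r}")
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Builds a throwaway tree (constructed, not a real gateway filesystem)
    and runs both readers against a traversal payload and a legitimate name."""
    tmp = tempfile.mkdtemp()
    webroot = os.path.join(tmp, "webroot", "clients")
    os.makedirs(webroot)
    os.makedirs(os.path.join(tmp, "etc"))
    with open(os.path.join(tmp, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed content
    with open(os.path.join(webroot, "MyCRL"), "w") as fh:
        fh.write("-----BEGIN X509 CRL-----\n")           # constructed content

    # Three '../' climb from .../webroot/clients to the temp root; a real
    # exploit uses many more because extra '..' at '/' are harmless.
    payload = "aCSHELL/../../../etc/passwd"
    encoded = "aCSHELL/..%2F..%2F..%2Fetc%2Fpasswd"      # same thing, URL-encoded

    result = {"vulnerable": vulnerable_read(webroot, payload)}
    result["vulnerable_encoded"] = vulnerable_read(webroot, encoded)
    try:
        safe_read(webroot, payload)
        result["safe"] = "allowed"
    except PermissionError:
        result["safe"] = "blocked"
    result["legit"] = safe_read(webroot, "MyCRL")      # normal request still works
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v!r}")
```

The check that matters is the `commonpath` comparison after `realpath`: stripping `../` from the input, or rejecting it with a regex, is bypassable by encoding and symlinks, whereas comparing the fully resolved path with the resolved root is not.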
---
## 🧪 **Step 3: Was This a Planned Test?**
<img width="931" alt="image" style="display: block; margin: 0 auto;" src="https://github.com/user-attachments/assets/eb6d75a2-3ddd-4c1d-ada8-baf407b299c6"/>
I checked the **Email Security Page** and searched using these keywords:
* `172.16.20.146`
* `CP-Spark-Gateway-01`
* `CVE-2024-24919`
* `penetration test`
🔍 **No emails or documentation** suggested this was a test. This likely rules out a simulation or red-team operation.
<img width="931" alt="image" style="display: block; margin: 0 auto;" src="https://github.com/user-attachments/assets/a5118f01-460b-478d-89fa-76bb05043a62"/>
---
## 🌐 **Step 4: Traffic Direction Analysis**
<img width="931" alt="image" style="display: block; margin: 0 auto;" src="https://github.com/user-attachments/assets/4b286c78-dc04-4ab7-8537-48ed8af79bc8"/>
**Source IP:** `203.160.68.12` → **Public IP Address**
**Destination IP:** `172.16.20.146` → **Private IP Address** (RFC 1918 range)
### 🔁 Direction: **Internet → Company Network**
This confirms the request originated **outside the organisation** and was aimed at internal infrastructure, so it cannot be an internal scan or a misconfigured internal client.
---
## 🧠 **Step 5: Was the Attack Successful?**
The HTTP log shows:
```
"POST /clients/MyCRL HTTP/1.1" 200 1256
```
* **HTTP 200 OK** shows the request was accepted and handled rather than rejected.
* **Response size (1256 bytes)** shows the server returned a non-empty body, a plausible size for a small `/etc/passwd`.
* Together with the traversal payload and the `Allowed` device action, this makes a successful read of `/etc/passwd` the most likely explanation. Treat it as **likely successful** and confirm it: compare the size with responses to benign `/clients/MyCRL` requests, and check any captured response body or packet data before stating the files were disclosed.
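The reasoning of Steps 1, 2, 4 and 5 can be replayed as a small triage script. This is an added example, not code from the original walkthrough or from Let's Defend: the log layout, the helper names and the verdict rule are assumptions for the demo, and the sample lines are constructed to resemble the alert rather than copied from a real gateway. It normalises the request body before matching (so `..%2F` and double-encoded variants are caught), classifies traffic direction from the IP ranges, and marks a 200 with a non-empty body as "likely" rather than "confirmed".

```python
"""Added example: triage of CVE-2024-24919-shaped requests over constructed
HTTP log lines. Not Let's Defend or Check Point code; format is assumed."""
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample log lines (not real gateway logs), one request per line:
# timestamp src dst dst_port method path status bytes "request body"
SAMPLE_LOGS = """\
2024-06-06T15:12:45Z 203.160.68.12 172.16.20.146 4433 POST /clients/MyCRL 200 1256 "aCSHELL/../../../../../../../../../../etc/passwd"
2024-06-06T15:13:10Z 203.160.68.12 172.16.20.146 4433 POST /clients/MyCRL 200 1256 "aCSHELL/../../../../../../../../../../etc/shadow"
2024-06-06T15:20:03Z 203.160.68.13 172.16.20.146 4433 POST /clients/MyCRL 200 1256 "aCSHELL/..%2F..%2F..%2Fetc%2Fpasswd"
2024-06-06T15:21:30Z 10.20.1.7 172.16.20.146 4433 POST /clients/MyCRL 200 3148 "CSHELL/install_cshell.exe"
2024-06-06T15:22:11Z 203.160.68.13 172.16.20.146 4433 POST /clients/MyCRL 403 178 "aCSHELL/../../../etc/passwd"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<method>\S+) '
    r'(?P<path>\S+) (?P<status>\d{3}) (?P<size>\d+) "(?P<body>.*)"$'
)
# A traversal segment after decoding: "../" or "..\" (or a trailing "..").
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')
SENSITIVE = ("/etc/passwd", "/etc/shadow")


def normalise(body: str) -> str:
    """Decode twice (catches %2F and double-encoded %252F), lower-case,
    and fold backslashes so one regex covers the common evasions."""
    return unquote(unquote(body)).lower().replace("\\", "/")


def direction(src: str, dst: str) -> str:
    """Classify by address scope: public source to RFC 1918 destination
    is inbound from the Internet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.is_global and d.is_private:
        return "internet->internal"
    if s.is_private and d.is_private:
        return "internal->internal"
    return "other"


def triage(log_text: str) -> list[dict]:
    """One finding per request matching the CVE-2024-24919 shape:
    POST /clients/MyCRL with an aCSHELL/ prefix followed by traversal."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        body = normalise(r["body"])
        if r["path"] != "/clients/MyCRL" or not body.startswith("acshell/"):
            continue
        if not TRAVERSAL_RE.search(body):
            continue                      # benign aCSHELL/CSHELL client traffic
        status, size = int(r["status"]), int(r["size"])
        findings.append({
            "ts": r["ts"],
            "src": r["src"],
            "direction": direction(r["src"], r["dst"]),
            "target": next((f for f in SENSITIVE if body.endswith(f)), "other"),
            # A 200 with a non-empty body is consistent with a successful read;
            # it stays "likely" until the response content is inspected.
            "verdict": "likely_success" if status == 200 and size > 0 else "attempt_only",
        })
    return findings


def iocs(findings: list[dict]) -> dict:
    """Collect the indicators worth recording from the findings."""
    return {
        "source_ips": sorted({f["src"] for f in findings}),
        "targets": sorted({f["target"] for f in findings}),
    }


if __name__ == "__main__":
    found = triage(SAMPLE_LOGS)
    for f in found:
        print(f)
    print(iocs(found))
```

The benign line (`CSHELL/install_cshell.exe` from an internal host) is the control: it reaches the same endpoint with a 200, so a rule keyed only on `/clients/MyCRL` and a 200 would be noisy. The decode-then-match step is what turns the `..%2F` variant into the same finding as the plain one.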
---
## 🛡️ **Containment Steps**
<img width="931" alt="image" style="display: block; margin: 0 auto;" src="https://github.com/user-attachments/assets/a44e2554-e31c-42f6-b5c8-8f6d2c9ed235"/>
I accessed the **Endpoint page**, filtered by the **destination IP `172.16.20.146`**, and issued a **containment action** to isolate the host.
**Why?**
* The host is treated as compromised: an external source read system files from it.
* Left online, it could be used to pivot into the internal network or to exfiltrate further data.
* Because `/etc/shadow` was requested, the local account hashes should be treated as exposed; resetting those passwords and rotating any credentials or certificates stored on the gateway belongs on the Tier 2 checklist.
---
## 🧾 **Step 6: Documenting IOCs**
### Why It Matters:
Indicators of Compromise (IOCs) are crucial for:
* Notifying external threat intelligence communities
* Writing future detection rules
* Strengthening security posture
### 📌 IOCs Identified:
* **Source IPs**: `203.160.68.12`, `203.160.68.13`
* **User-Agent**: `Mozilla/5.0 (Mac OS X; rv:126.0)`
* **Request path**: `POST /clients/MyCRL`
  * Payloads: `aCSHELL/../../../../etc/passwd`, `aCSHELL/../../../../etc/shadow`
* **Target port**: 4433 (non-standard HTTPS)
---
## ⬆️ **Step 7: Tier 2 Escalation?**
<img width="931" alt="image" style="display: block; margin: 0 auto;" src="https://github.com/user-attachments/assets/2af7b44c-4fbd-4d34-9ea4-7b9ae1a4591f"/>
✅ **Yes** — This is a **zero-day vulnerability** successfully exploited in a **live environment**, exposing sensitive files.
Escalation is essential for:
* Deep forensics
* Patch validation
* Coordinating legal, compliance, and executive stakeholders
---
## 📄 **Step 8: Final Analysis & Comment**
I **closed the alert as a True Positive**.
<img width="931" alt="image" style="display: block; margin: 0 auto;" src="https://github.com/user-attachments/assets/0c31de9c-ac6d-49d4-8f9e-6fa2120dcbff"/>
### 📝 Brief Comment:
> "Alert confirmed as CVE-2024-24919 exploitation. External IP `203.160.68.12` successfully accessed sensitive system files via path traversal. Host CP-Spark-Gateway-01 has been contained. IOC documentation completed. Escalated to Tier 2 for advanced forensics and patch verification."
---
## 🔐 **Prevention Recommendations**
* 🧱 Apply the vendor hotfix for CVE-2024-24919 immediately (Check Point sk182336) on every gateway with Remote Access VPN or Mobile Access enabled.
* 🔒 Restrict external exposure of the `/clients/MyCRL` endpoint where possible; it is used by remote-access clients, so blocking it outright can affect legitimate users and is a stop-gap, not a substitute for the hotfix.
* 🧬 Implement WAF rules for traversal patterns, including encoded forms (`../`, `..%2F`, `%2e%2e/`, `%252e%252e/`), and decode the request before matching so encoding does not bypass the rule.
* 🔍 Monitor for abnormal port activity (e.g., 4433) and for any `/clients/MyCRL` request body containing `aCSHELL/` followed by `..`.
* 🔄 Regularly update and audit firewall and SIEM rules.
* 📚 Conduct internal training on recent zero-day threats.
---
## ✅ **Conclusion**
This investigation highlights the **critical importance of proactive threat monitoring and response**. Detecting and responding to **zero-day exploits** quickly can make the difference between a contained incident and a widespread breach.