S1164: UPSTYLE
Analyst context for executives and security teams
UPSTYLE matters because ATT&CK ties it to attempted backdoor installation on compromised Palo Alto firewall devices during CVE-2024-3400 exploitation activity. For leaders, the key issue is not just malware on Linux or network devices; it is the possibility that an internet-facing security appliance could become an attacker-controlled foothold with limited endpoint-style visibility.
Executive priority
Treat this as a perimeter-device resilience and vulnerability-prioritization issue. Confirm which Palo Alto GlobalProtect/PAN-OS assets were exposed to CVE-2024-3400, whether remediation was completed, and whether incident response can prove absence or presence of post-exploitation behavior. This is also an audit-evidence question: patch records alone are not enough if appliance logs, network telemetry, and forensic retention cannot support investigation.
Technical view
ATT&CK provides no dedicated detection text for UPSTYLE, so defenders should build validation around the related behaviors: Python execution, process discovery, masquerading, encoded or decoded files, file deletion, timestomping, event-triggered execution, Linux log clearing, and command-and-control behaviors using junk data, one-way communication, or hidden infrastructure. Focus on Network Devices and Linux platforms, especially affected firewall appliances, and correlate any suspicious activity with CVE-2024-3400 exposure and Operation MidnightEclipse context.
Likely telemetry
- Asset and vulnerability records for Palo Alto GlobalProtect/PAN-OS devices and CVE-2024-3400 exposure/remediation status
- Firewall or network-device system logs, including administrative, process, file, and event-triggered execution evidence where available
- Linux log sources such as /var/log/messages, authentication, and system activity logs when applicable
- File metadata and integrity evidence for unexpected files, timestamp anomalies, encoded artifacts, or deletions
- Process execution telemetry for Python and process discovery commands on Linux or appliance environments
Detection direction
- Validate that security appliances and Linux-based network devices are actually sending logs off-device before an attacker could clear local logs.
- Prioritize correlation over single indicators: CVE-2024-3400 exposure plus unexpected Python execution, new or masqueraded files, timestamp changes, or log clearing should be treated as higher-risk.
- Tune carefully for legitimate vendor maintenance and administrator activity, but treat unexpected scripting or outbound web behavior from managed firewall appliances as materially suspicious.
- Use the related ATT&CK techniques to create hunt hypotheses because the official UPSTYLE object does not include detection guidance.
- Check whether SOC tooling has blind spots for network devices compared with servers and endpoints, especially around process, file, and script execution telemetry.
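The correlation-first triage described in the detection direction above, as an added illustration that is not Glexia's, MITRE's, or any vendor's code. It assumes a small device inventory (exposure, remediation and log-forwarding status) and an event stream with a `kind` field; the event schema, the weights, the `/opt/vendor/` maintenance allowlist and all sample records are constructed for this example.

```python
"""Correlation-first triage of firewall/appliance telemetry (added example).

A single suspicious behavior on an appliance yields at most a medium tier;
the same behaviors on a device still exposed to CVE-2024-3400 are doubled,
and devices without off-device log forwarding get an explicit visibility gap.
"""
from collections import defaultdict

# Constructed inventory (assumption: these fields come from asset/vuln records).
INVENTORY = {
    "fw-edge-01": {"cve_2024_3400_exposed": True, "remediated": False, "log_forwarding": True},
    "fw-edge-02": {"cve_2024_3400_exposed": True, "remediated": True, "log_forwarding": False},
    "fw-dc-01": {"cve_2024_3400_exposed": False, "remediated": True, "log_forwarding": True},
}

# Constructed events, loosely modelled on the related ATT&CK behavior families.
EVENTS = [
    {"device": "fw-edge-01", "kind": "process_exec", "detail": "python3 /tmp/update.py"},
    {"device": "fw-edge-01", "kind": "file_create", "detail": "/usr/lib/python3/site-packages/example.pth"},
    {"device": "fw-edge-01", "kind": "timestamp_change", "detail": "bootstrap.min.css mtime reverted"},
    {"device": "fw-edge-01", "kind": "log_clear", "detail": "error log truncated"},
    {"device": "fw-edge-02", "kind": "process_exec", "detail": "python3 /opt/vendor/maintenance.py"},
    {"device": "fw-dc-01", "kind": "outbound_http", "detail": "GET /does-not-exist -> 404"},
]

# Weights per behavior family (assumed values, tune to local baselines).
WEIGHTS = {"process_exec": 2, "file_create": 2, "timestamp_change": 3,
           "log_clear": 3, "outbound_http": 4}
# Assumption: vendor maintenance scripts live under a known, documented path.
MAINTENANCE_PREFIXES = ("/opt/vendor/",)


def is_expected_maintenance(event):
    """Routine vendor scripting should not score (tune for legitimate activity)."""
    return event["kind"] == "process_exec" and any(
        p in event["detail"] for p in MAINTENANCE_PREFIXES)


def assess(inventory, events):
    """Return {device: {"score": int, "tier": str, "findings": [str]}}."""
    findings = defaultdict(list)
    scores = defaultdict(int)
    for ev in events:
        if is_expected_maintenance(ev):
            continue
        findings[ev["device"]].append(f'{ev["kind"]}: {ev["detail"]}')
        scores[ev["device"]] += WEIGHTS.get(ev["kind"], 1)

    result = {}
    for dev, meta in inventory.items():
        score = scores[dev]
        # Exposure plus behavior outranks either signal on its own.
        if meta["cve_2024_3400_exposed"] and not meta["remediated"]:
            score *= 2
        # Local-only logs can be cleared by the attacker; record the blind spot.
        if not meta["log_forwarding"]:
            findings[dev].append("gap: no off-device log forwarding; local telemetry may be incomplete")
        tier = "high" if score >= 10 else "medium" if score >= 4 else "low"
        result[dev] = {"score": score, "tier": tier, "findings": list(findings[dev])}
    return result


if __name__ == "__main__":
    for dev, verdict in assess(INVENTORY, EVENTS).items():
        print(dev, verdict["tier"], verdict["score"])
        for f in verdict["findings"]:
            print("   ", f)
```

With the constructed data, `fw-edge-01` (unremediated exposure plus scripting, a new `.pth` file, a timestamp reversion and a log truncation) scores high, the isolated odd outbound request from `fw-dc-01` scores medium, and `fw-edge-02` scores low but carries a logging-gap finding that should be fixed before its clean result is trusted.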
Mitigation priorities
- Inventory and prioritize remediation for Palo Alto firewall assets potentially affected by CVE-2024-3400, using vendor guidance and documented change evidence.
- Centralize and retain appliance and Linux logs so file deletion or log clearing on the device does not erase investigative evidence.
- Restrict administrative access and unnecessary outbound connectivity from network devices where operationally feasible.
- Monitor for unexpected Python execution, persistence/event-triggered execution mechanisms, file tampering, and anomalous outbound communications from security appliances.
- Prepare IR procedures for compromised perimeter devices, including evidence preservation, containment, credential review, and validation of device integrity before return to service.
Analyst notes and limits
The relationship set is unusually useful for defensive planning: it shows UPSTYLE associated with stealth, discovery, execution, persistence, defense impairment, and command-and-control behaviors, even though the malware object itself has no ATT&CK tactics listed. The most practical defensive value is to turn those relationships into validation questions for firewall telemetry, vulnerability management, and incident response readiness.
This take is limited to the supplied ATT&CK fields, references, and relationships. ATT&CK provides no official detection section, no aliases, and no detailed indicators here. Local device models, logging configuration, exposure history, vendor advisories, and forensic evidence are required to determine actual risk or compromise.
UPSTYLE
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | UPSTYLE encodes its main content prior to loading via Python as base64-encoded blobs.[1][2] |
| Enterprise | T1685.006 | Clear Linux or Mac System Logs Sub-technique | UPSTYLE clears error logs after reading embedded commands for execution.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | UPSTYLE stores primary content as base64-encoded objects.[1][2] |
| Enterprise | T1036 | Masquerading | UPSTYLE has masqueraded filenames using examples such as `update.py`.[1] |
| Enterprise | T1070.004 | File Deletion Sub-technique | UPSTYLE removes `bootstrap.min.css` after parsing command and control instructions, restoring the file to its original state.[1] |
| Enterprise | T1001.001 | Junk Data Sub-technique | UPSTYLE retrieves a non-existent webpage from the command and control server, then parses commands from the resulting error logs to decode commands to the web shell.[1] |
| Enterprise | T1070.006 | Timestomp Sub-technique | UPSTYLE restores timestamps to original values following modification.[1] |
| Enterprise | T1102.003 | One-Way Communication Sub-technique | UPSTYLE parses encoded commands from error logs after attempting to resolve a non-existing webpage from the command and control server.[1] |
| Enterprise | T1057 | Process Discovery | UPSTYLE has the ability to read `/proc/self/cmdline` to see if it is running as a monitored process.[2] |
| Enterprise | T1546 | Event Triggered Execution | UPSTYLE creates a `.pth` file beginning with the text `import` so that any time another process or script attempts to reference the modified item the malicious code will also run.[1] |
| Enterprise | T1059.006 | Python Sub-technique | UPSTYLE is a Python-based application.[1][2] |
| Enterprise | T1665 | Hide Infrastructure | UPSTYLE attempts to retrieve a non-existent webpage from the command and control server, resulting in hidden commands sent via the resulting error messages.[1] |
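A hunt for the `.pth` persistence mechanism in the T1546 row above, as an added example that is not code from Glexia, MITRE, Volexity or Unit 42. It relies on the documented behavior of Python's `site` module, which executes any line of a site-packages `.pth` file that begins with `import` followed by a space or tab; the sample `.pth` files it builds in a temporary directory are constructed for the demonstration.

```python
"""Audit .pth files for executable lines (added example, T1546 hunt).

Python's site module treats a .pth line starting with "import " or
"import\t" as code to execute at interpreter start-up, so such lines in
a site-packages directory are worth baselining on any Linux host or
Python-capable appliance.
"""
import os
import re
import site
import tempfile

# Matches the exact prefix the site module executes.
EXEC_LINE = re.compile(r"^import[ \t]")


def audit_pth_dir(directory):
    """Return [(path, line_no, line)] for every executable line in .pth files under directory."""
    hits = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(directory, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line_no, line in enumerate(fh, 1):
                if EXEC_LINE.match(line):
                    hits.append((path, line_no, line.rstrip("\n")))
    return hits


def audit_site_packages():
    """Audit every site-packages directory the running interpreter would load."""
    dirs = []
    if hasattr(site, "getsitepackages"):      # absent in some old virtualenvs
        dirs.extend(site.getsitepackages())
    dirs.append(site.getusersitepackages())
    hits = []
    for d in dirs:
        if os.path.isdir(d):
            hits.extend(audit_pth_dir(d))
    return hits


def demo():
    """Constructed site-packages with one harmless path entry and one executable .pth."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "benign-path.pth"), "w", encoding="utf-8") as fh:
            fh.write("/opt/vendor/lib\n")   # plain path entry: never executed
        with open(os.path.join(tmp, "update.pth"), "w", encoding="utf-8") as fh:
            # Hypothetical file name; the line is executed, not added to sys.path.
            fh.write("import os; os.environ['EXAMPLE_FLAG'] = '1'\n")
        return audit_pth_dir(tmp)


if __name__ == "__main__":
    for path, line_no, line in demo():
        print(f"{path}:{line_no}: {line}")
    print(f"live interpreter: {len(audit_site_packages())} executable .pth line(s)")
```

Some legitimate packages ship `.pth` files with `import` lines (build and virtualenv tooling commonly do), so the useful check is a diff against a known-good baseline of each host's site-packages rather than treating every hit as malicious; a new or renamed `.pth` whose executable line decodes or loads further content is the pattern worth escalating.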
Groups, software, and campaigns
C0048: Operation MidnightEclipse
Operation MidnightEclipse was a campaign conducted in March and April 2024 that involved initial exploit of zero-day vulnerability CVE-2024-3400, a critical command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 13e4445272fd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Volexity UPSTYLE 2024. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024.
[2] Palo Alto MidnightEclipse APR 2024. Unit 42. (2024, April 12). Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400. Retrieved January 15, 2025.
[3] mitre-attack S1164.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.