This utility can help determine if indicators of compromise (IOCs) exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510.
The Cybersecurity and Infrastructure Security Agency (CISA) has seen many organ izations breached despite patching their appliance because of Active Directory credentials (to include Domain Admin) harvested prior to patching. Details are available in Alert AA20-107A. This tool may help organizations locate exploitation attempts in their logs and assess their risk based on the results. If exploitation attempts are located p rior to the date of patch, it may be necessary to carefully watch for unauthori zed connections and perform a full domain password reset.
The IOCs included in this tool are TLP:WHITE. Adding more indicators from open- source or commercial vendors may improve the effectiveness of this tool.
The tool works by looking for IOCs (strings, Internet Protocol [IP] addresses, and user agents) associated with Threat Actors exploiting this vulnerability in the wild.
NOTE: check-your-pulse will alert on ANY IOCs it finds in the log files. If an IOC occurred after patch, it may be a false positive.
Python versions 3.6 and above. Note that Python 2 is not supported.
PULSE SECURE SETUP
If unauthenticated logging was not enabled prior to patching, you will be rel iant on user agent strings and IPs, which are much less reliable indicators.
Detailed instructions regarding pulse secure setup can be found here.
git clone https://github.com/cisagov/check-your-pulse.git cd check-your-pulse
Download the logs from web console
Instructions can be found here for version 8.3 of the Pulse Connect Secure.
$ python3 ./app.py --path <path to .events and .access files, defaults to ./> OUTPUT
Detailed usage information can be viewed with:
$ python3 ./app.py -h usage: app.py [-h] [-r RAW] [-c CSV] [-j JSON] [-p PATH] [-n NUMEVENTS] optional arguments: -h, --help show this help message and exit -r RAW, --raw RAW Dumps the output to a human readable file. -c CSV, --csv CSV Writes output to a .csv file. Needs to be provided the name to save as. -j JSON, --json JSON Writes output to a .json file. Needs to be provided the name to save as. -p PATH, --path PATH Path to the folder containing .access and .events. -n NUMEVENTS, --numevents NUMEVENTS Number of events to print in the quick summary (default 10)
For more information about this vulnerability see: https://nvd.nist.gov/vuln/detail/CVE-2019-19781
If you have issues using the code, open an issue on the repository!
You can do this by clicking "Issues" at the top and clicking "New Issue" on the following page.
We welcome contributions! Please see here for details.
This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
This software package (“software” or “code”) was created by the United States G overnment and is not subject to copyright. You may use, modify, or redistribute the code in any manner. However, you may not subsequently copyright the code a s it is distributed. The United States Government makes no claim of copyright o n the changes you effect, nor will it will it restrict your distribution of bon a fide changes to the software. If you decide to update or redistribute the cod e, please include this notice with the code. Where relevant, we ask that you cr edit the Cybersecurity and Infrastructure Security Agency with the following st atement: “Original code developed by the Cybersecurity and Infrastructure Secur ity Agency (CISA), U.S. Department of Homeland Security.”
USE THIS SOFTWARE AT YOUR OWN RISK. THIS SOFTWARE COMES WITH NO WARRANTY, EITHE R EXPRESS OR IMPLIED. THE UNITED STATES GOVERNMENT ASSUMES NO LIABILITY FOR THE USE OR MISUSE OF THIS SOFTWARE OR ITS DERIVATIVES.
THIS SOFTWARE IS OFFERED “AS-IS.” THE UNITED STATES GOVERNMENT WILL NOT INSTALL , REMOVE, OPERATE OR SUPPORT THIS SOFTWARE AT YOUR REQUEST. IF YOU ARE UNSURE O F HOW THIS SOFTWARE WILL INTERACT WITH YOUR SYSTEM, DO NOT USE IT.