This is a work in progress for parsing the System Snapshot from an Ivanti Connect Secure applicance to identify possible IOCs related to CVE-2023-46805, CVE-2024-21887 and CVE-2025-0282.
Caveat: False positives are possible so it's best to check manually to verify any results.
The snapshot is encrypted with a hardcoded key. Unfortunately I can't publish the key here, so you will need to find it yourself.
You will need to format the key as a 24 byte hex string, and provide it to the script using the --key flag.
First you will need to install the dependencies:
python -m venv env
source env/bin/activate
pip install -r requirements.txt
Now you will need to get hold of a System Snapshot from your Ivanti/Pulse Connect Secure appliance.
You can do this by logging into the admin interface and going to /dana-admin/dump/dump.cgi.
From here, click the "Take Snapshot" button, wait for it to complete and then download the "Admin generated snapshot" file.
Once you have the snapshot, you can run the script like as follows.
First, decrypt the snapshot file:
> python .\pulse-meter.py decrypt .\pulsesecure-state-admin-localhost2-7-20240115-193030.encrypted --key <key>
2025-01-14 12:27:32,120 - DEBUG - Decrypted Snapshot
2025-01-14 12:27:32,372 - INFO - Decrypted snapshot file written to: .\pulsesecure-state-admin-localhost2-7-20240115-193030.decrypted
Then run the parser:
> python .\pulse-meter.py parse .\pulsesecure-state-admin-localhost2-7-20240115-193030.decrypted
2025-01-14 12:28:49,045 - INFO - Parsing snapshot file: .\pulsesecure-state-admin-localhost2-7-20240115-193030.decrypted
2025-01-14 12:28:49,229 - CRITICAL - [Yara IOC] Rule: SPAWN_Malware_Family (Detects artifacts related to the SPAWN Malware Family), Reference: https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day
- https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/
- https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day
- https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis
- https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/