In this post, I will show you how to use Mandiant Security Validation (MSV) and available exploits to validate whether your internet security controls can detect and/or prevent a Chrome browser exploit.
As a Network Security Administrator or Red Teamer, your task is to validate whether your network security controls can detect and/or prevent a Remote Code Execution exploit targeting Google Chrome 78.0.3904.70 (CVE-2019-13720). The steps are as follows:
1-Find the exploit that will be used to test the security stack:
After a quick search, you find a public exploit targeting that vulnerability (https://www.exploit-db.com/exploits/50917).
2-Create network action
Now that we have the exploit, we are ready to add it to the MSV library. Go to Library, select Add Action, and then select Web, as shown in the following photo.
In the Add Web Action form, click on step one and add the HTTP parameters as shown in the following photo. The exploit is being delivered in an HTML file. I decided to call that file "index.html," but you can choose any name you prefer. The request header is a typical one.
Now pay attention to the response, since the HTTP response is what delivers the exploit payload. The HTTP response will be as follows:
Next, add the necessary information as shown in the following photo, then save the action.
3-Run the Web Action
In the MSV library, find the newly created action and review it to validate the action data along with the exploit page.
Run the action, selecting the source and destination as follows:
4-Validate the efficacy of the internet security controls and address any gaps
When the action completes, you can see that the exploit was blocked.
When viewing the events and logs received via the integration with Palo Alto and Chronicle, you can see that the Palo Alto NGFW detected the exploit (as a Chrome vulnerability) and prevented it.
You can also see that Chronicle (the SIEM deployed in this case) received the logs from Palo Alto NGFW.
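The efficacy check in this step can be scripted rather than eyeballed in the console. The following is an added example, not part of the original post or of MSV: it reads a constructed, simplified subset of Palo Alto THREAT log columns (an assumption, not the full PAN-OS field list), reports whether every hit on the CVE signature was prevented, only alerted, or allowed, and checks that every relevant firewall event also arrived in the SIEM copy. The constructed sample deliberately contains one alert-only hit and one event missing from the SIEM so that both kinds of gap show up in the result.

```python
import csv
import io

# Assumption: simplified constructed column subset of a PAN-OS THREAT log;
# real exports carry many more fields, mapped by the vendor's field order.
COLUMNS = ["receive_time", "type", "subtype", "src", "dst", "rule",
           "action", "threat_name", "severity"]
# Session-stopping vs. log-only PAN-OS action values (assumed sets for this example).
PREVENT_ACTIONS = {"drop", "reset-client", "reset-server", "reset-both", "block-ip"}
DETECT_ONLY_ACTIONS = {"alert"}

# Constructed sample lines (not real device output): a prevented hit on the
# Chrome signature, an alert-only hit, and an unrelated URL-filtering event.
SAMPLE_FW_LOGS = """\
2022/05/10 10:01:02,THREAT,vulnerability,10.0.0.5,203.0.113.10,Outbound-Web,reset-both,Google Chrome Vulnerability (CVE-2019-13720),critical
2022/05/10 10:03:15,THREAT,vulnerability,10.0.0.6,203.0.113.10,Outbound-Web,alert,Google Chrome Vulnerability (CVE-2019-13720),critical
2022/05/10 10:04:00,THREAT,url,10.0.0.7,203.0.113.10,Outbound-Web,allow,computer-and-internet-info,informational
"""
# Constructed SIEM copy that never received the alert-only event (a forwarding gap).
SAMPLE_SIEM_LOGS = "\n".join(SAMPLE_FW_LOGS.splitlines()[::2]) + "\n"

def parse_threat_logs(text):
    """Parse CSV lines into dicts keyed by COLUMNS, skipping malformed rows."""
    return [dict(zip(COLUMNS, rec)) for rec in csv.reader(io.StringIO(text))
            if len(rec) == len(COLUMNS)]

def classify(event, cve):
    """'prevented', 'detected' or 'allowed' for a hit on the CVE, else 'unrelated'."""
    if event["type"] != "THREAT" or cve not in event["threat_name"]:
        return "unrelated"
    if event["action"] in PREVENT_ACTIONS:
        return "prevented"
    return "detected" if event["action"] in DETECT_ONLY_ACTIONS else "allowed"

def validate_run(fw_text, siem_text, cve):
    """Summarise the firewall outcome for the CVE and whether the SIEM saw every hit."""
    fw_events = parse_threat_logs(fw_text)
    counts = {"prevented": 0, "detected": 0, "allowed": 0}
    for ev in fw_events:
        outcome = classify(ev, cve)
        if outcome != "unrelated":
            counts[outcome] += 1
    hits = sum(counts.values())
    verdict = ("missed" if hits == 0 else "prevented" if counts["prevented"] == hits
               else "partial" if counts["prevented"] or counts["detected"] else "allowed")
    # Every CVE-related firewall event must also appear in the SIEM copy.
    key = lambda ev: (ev["receive_time"], ev["src"], ev["threat_name"], ev["action"])
    relevant = {key(ev) for ev in fw_events if classify(ev, cve) != "unrelated"}
    seen = {key(ev) for ev in parse_threat_logs(siem_text)}
    return {"verdict": verdict, "missing_in_siem": len(relevant - seen), **counts}
```

A verdict other than "prevented" with zero missing SIEM events is the gap to address before signing off the control.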
By following these steps, you can demonstrate with evidence that your internet security controls and SIEM integration can detect and prevent remote exploits targeting the Google Chrome browser vulnerability (CVE-2019-13720).