This script is designed to check for signs of compromise in Palo systems, specifically for the vulnerability identified as CVE-2024-3400. It searches through tech support package gz or .tgz archive files for specific log entries that may indicate a security breach.

• Python 3.x
• Access to the .tar.gz file containing Palo logs.

1. Ensure you have a .tar.gz tech supprot file containing the relevant Palo logs.
2. Modify the filepath variable in the script to point to your .tar.gz file.
3. Optional - Update the search_terms list with the terms that are indicative of the CVE-2024-3400 vulnerability.
4. Run the script in a Python environment.

• The script will decompress the .tar.gz file and search through the specified log files.
• If it finds any of the search terms, it will print the matching lines and advise you to follow remediation guidance and share the files with the vendor.
• If no matches are found, it will print a message indicating that no compromise was detected, but still recommend sharing the file with the vendor for certainty.

# Replace this with your actual file path
filepath = r'path to techsupport.tgz'

• The script stops searching after finding the first set of matches. If you need a full search, remove the return statement after printing matches.
• The script is a basic tool for initial checks and does not replace professional forensic analysis.
• Always ensure you have the latest updates and patches applied to your Palo systems to prevent vulnerabilities like CVE-2024-3400.

If you have suggestions for improving this script or have found a bug, please open an issue or a pull request with your changes.