/*
 * Forensic-artifact and webshell signatures for the exploitation of
 * Citrix NetScaler ADC CVE-2023-3519 (July 2023). The first rule reads the
 * external variables `filepath` and `filename`; the scanning tool has to
 * define them (plain `yara` takes them via -d), otherwise the rule set does
 * not compile.
 */

rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23 {
   meta:
      description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
      id = "07d725cc-2cf2-55e5-8609-486500547f13"
      author = "Florian Roth"
      reference = "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf"
      date = "2023-07-18"
      modified = "2023-07-21"
      score = 70
   strings:
      /* campaign-specific infrastructure indicator from the CISA advisory */
      $sa1 = "216.41.162.172" ascii fullword

      /* command fragments; on their own too generic, so they are only
         evaluated inside shell history logs (see condition) */
      $sb1 = "/flash/nsconfig/keys" ascii
      $sb2 = "ldapsearch" ascii fullword
      $sb3 = "ns_gui/vpn" ascii
      $sb4 = "LDAPTLS_REQCERT" ascii fullword
   condition:
      /* Two independent branches, grouped explicitly (YARA evaluates `and`
         before `or`): the IP hit applies to any file below 10MB, the $sb
         strings only to bash.log / sh.log under /var/log. */
      (
         filesize < 10MB and $sa1
      ) or (
         filepath == "/var/log"
         and filename matches /^(bash|sh)\.log/
         and 1 of ($sb*)
      )
}

rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23_2 {
   meta:
      description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
      id = "471ce547-0133-5836-b9d1-02c932ecfd1e"
      author = "Florian Roth"
      reference = "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf"
      date = "2023-07-21"
      score = 70
   strings:
      /* staging / packaging of collected data into /var/tmp and /netscaler/ */
      $s1 = "tar -czvf - /var/tmp/all.txt" ascii fullword
      $s2 = "-out /var/tmp/test.tar.gz" ascii
      $s3 = "/test.tar.gz /netscaler/"
   condition:
      /* a single fragment is enough; `any of them` equals `1 of them` */
      filesize < 10MB and any of them
}

rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23_3 {
   meta:
      description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
      id = "2f40b423-f1da-5711-ac4f-18de77cd52d0"
      author = "Florian Roth"
      reference = "https://www.mandiant.com/resources/blog/citrix-zero-day-espionage"
      date = "2023-07-24"
      score = 70
   strings:
      /* appliance configuration and key material being appended to a file */
      $x1 = "cat /flash/nsconfig/ns.conf >>" ascii
      $x2 = "cat /nsconfig/.F1.key >>" ascii
      /* decoding of a staged payload from /tmp */
      $x3 = "openssl base64 -d < /tmp/" ascii
      /* copy of bash with the setuid bit (mode 4775) in /var/tmp */
      $x4 = "cp /usr/bin/bash /var/tmp/bash" ascii
      $x5 = "chmod 4775 /var/tmp/bash"
      $x6 = "pwd;pwd;pwd;pwd;pwd;"
      /* LDAP filter selecting accounts with a servicePrincipalName set,
         excluding computer objects */
      $x7 = "(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectCategory=computer)))"
   condition:
      filesize < 10MB and any of them
}

rule LOG_EXPL_Citrix_Netscaler_ADC_Exploitation_Attempt_CVE_2023_3519_Jul23_1 {
   meta:
      description = "This YARA rule detects forensic artifacts that appear following an attempted exploitation of Citrix NetScaler ADC CVE-2023-3519. The rule identifies an attempt to access the vulnerable function using an overly long URL, a potential sign of attempted exploitation. However, it does not confirm whether such an attempt was successful."
      id = "7dfe4130-d976-5d6d-a05d-ccadefe45406"
      author = "Florian Roth"
      reference = "https://blog.assetnote.io/2023/07/24/citrix-rce-part-2-cve-2023-3519/"
      date = "2023-07-27"
      score = 65
   strings:
      /* URLLEN of 200-999 (three digits, first digit 2-9) or any
         4- to 20-digit value, i.e. every URLLEN >= 200 */
      $sr1 = /GWTEST FORMS SSO: Parse=0; URLLEN=([2-9][0-9]{2}|[0-9]{4,20}); Event: start=0x/
      /* second fragment of the same log line format */
      $s1 = ", type=1; Target: start=0x"
   condition:
      /* no filesize cap here: the rule is meant for log files of any size;
         this flags an attempt only, not a confirmed compromise */
      all of them
}

rule WEBSHELL_SECRETSAUCE_Jul23_1 {
   meta:
      description = "Detects SECRETSAUCE PHP webshells (found after an exploitation of Citrix NetScaler ADC CVE-2023-3519)"
      id = "db0542e7-648e-5f60-9838-e07498f58b51"
      author = "Florian Roth"
      reference = "https://www.mandiant.com/resources/blog/citrix-zero-day-espionage"
      date = "2023-07-24"
      score = 85
   strings:
      /* generic PHP fragments; only meaningful when all three co-occur */
      $sa1 = "for ($x=0; $x<=1; $x++) {" ascii
      $sa2 = "$_REQUEST[" ascii
      $sa3 = "@eval" ascii

      /* fragments specific to the SECRETSAUCE family */
      $sb1 = "public $cmd;" ascii
      $sb2 = "return @eval($a);" ascii
      $sb3 = "$z->run($z->get('openssl_public_decrypt'));"
   condition:
      /* small PHP files only; either the full generic set or two
         family-specific fragments */
      filesize < 100KB and (
         all of ($sa*)
         or 2 of ($sb*)
      )
}