
/*
 * Post-exploitation artifacts of CVE-2023-3519 (Citrix NetScaler ADC), based on
 * the referenced CISA advisory. The rule fires on either of two independent paths:
 *   1. the IP indicator anywhere inside a file smaller than 10 MB, or
 *   2. one of the command-line fragments inside a shell history log under
 *      /var/log whose name starts with "bash.log" or "sh.log" (the regex is
 *      not end-anchored, so rotated copies such as bash.log.0 qualify too).
 * NOTE: `filepath` and `filename` are NOT YARA built-ins. They are external
 * variables that the scanning tool has to define (plain yara: `-d filepath=...
 * -d filename=...`); without them the rule does not compile.
 */
rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23 {
   meta:
      description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
      author = "Florian Roth"
      reference = "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf"
      date = "2023-07-18"
      modified = "2023-07-21"
      score = 70
      id = "07d725cc-2cf2-55e5-8609-486500547f13"
   strings:
      // single indicator that is strong enough on its own (IP from the reference)
      $ip_1 = "216.41.162.172" ascii fullword

      // command fragments that only count when found in a shell history log
      $log_1 = "/flash/nsconfig/keys" ascii
      $log_2 = "ldapsearch" ascii fullword
      $log_3 = "ns_gui/vpn" ascii
      $log_4 = "LDAPTLS_REQCERT" ascii fullword
   condition:
      // Parentheses spell out the and-before-or precedence of the original
      // condition; note that the shell-log branch carries no filesize bound.
      (filesize < 10MB and $ip_1)
      or (
         filepath == "/var/log"
         and filename matches /^(bash|sh)\.log/
         and any of ($log_*)
      )
}
/*
 * Post-exploitation artifacts of CVE-2023-3519: command-line fragments in which
 * a file list under /var/tmp is tar-archived, written to /var/tmp/test.tar.gz
 * and then referenced together with /netscaler/ (see the CISA advisory).
 * Any single fragment in a file below 10 MB is enough to fire.
 */
rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23_2 {
   meta:
      description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
      author = "Florian Roth"
      reference = "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf"
      date = "2023-07-21"
      score = 70
      id = "471ce547-0133-5836-b9d1-02c932ecfd1e"
   strings:
      $cmd_1 = "tar -czvf - /var/tmp/all.txt" ascii fullword
      $cmd_2 = "-out /var/tmp/test.tar.gz" ascii
      $cmd_3 = "/test.tar.gz /netscaler/" ascii
   condition:
      // "any of" is the same as "1 of"
      filesize < 10MB and any of them
}
/*
 * Post-exploitation artifacts of CVE-2023-3519 as described in the referenced
 * Mandiant write-up. Each string is a distinct attacker command fragment, so a
 * single hit in a file below 10 MB is enough to fire.
 */
rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23_3 {
   meta:
      description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
      author = "Florian Roth"
      reference = "https://www.mandiant.com/resources/blog/citrix-zero-day-espionage"
      date = "2023-07-24"
      score = 70
      id = "2f40b423-f1da-5711-ac4f-18de77cd52d0"
   strings:
      // appending the appliance config and its key-encryption key to a file
      $x1 = "cat /flash/nsconfig/ns.conf >>" ascii
      $x2 = "cat /nsconfig/.F1.key >>" ascii
      // decoding a base64 blob staged under /tmp
      $x3 = "openssl base64 -d < /tmp/" ascii
      // copying bash to /var/tmp and giving it the setuid bit (mode 4775)
      $x4 = "cp /usr/bin/bash /var/tmp/bash" ascii
      $x5 = "chmod 4775 /var/tmp/bash" ascii
      // repeated "pwd" sequence observed in the attacker's shell usage
      $x6 = "pwd;pwd;pwd;pwd;pwd;" ascii
      // LDAP filter selecting enabled, non-computer accounts that carry a
      // servicePrincipalName - a common AD reconnaissance query
      $x7 = "(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectCategory=computer)))" ascii
   condition:
      filesize < 10MB and any of them
}
/*
 * Log-based rule for CVE-2023-3519 exploitation *attempts* on Citrix NetScaler
 * ADC. It matches the "GWTEST FORMS SSO" log entry with an overly long URL
 * length; a hit means the vulnerable path was requested with a suspicious
 * URLLEN, not that exploitation succeeded. No filesize bound, since logs may
 * be large.
 */
rule LOG_EXPL_Citrix_Netscaler_ADC_Exploitation_Attempt_CVE_2023_3519_Jul23_1 {
   meta:
      description = "This YARA rule detects forensic artifacts that appear following an attempted exploitation of Citrix NetScaler ADC CVE-2023-3519. The rule identifies an attempt to access the vulnerable function using an overly long URL, a potential sign of attempted exploitation. However, it does not confirm whether such an attempt was successful."
      author = "Florian Roth"
      reference = "https://blog.assetnote.io/2023/07/24/citrix-rce-part-2-cve-2023-3519/"
      date = "2023-07-27"
      score = 65
      id = "7dfe4130-d976-5d6d-a05d-ccadefe45406"
   strings:
      // URLLEN of 200..999 ([2-9][0-9]{2}) or any 4- to 20-digit value
      $urllen = /GWTEST FORMS SSO: Parse=0; URLLEN=([2-9][0-9]{2}|[0-9]{4,20}); Event: start=0x/
      // remainder of the same log entry format
      $ctx = ", type=1; Target: start=0x"
   condition:
      $urllen and $ctx
}
/*
 * SECRETSAUCE PHP webshell (seen after CVE-2023-3519 exploitation, per the
 * referenced Mandiant write-up). Two alternative string sets:
 *   - all three generic fragments (loop header, $_REQUEST access, @eval), or
 *   - two of the three fragments specific to this shell.
 * Restricted to files below 100 KB, the expected size of a webshell source.
 */
rule WEBSHELL_SECRETSAUCE_Jul23_1 {
   meta:
      description = "Detects SECRETSAUCE PHP webshells (found after an exploitation of Citrix NetScaler ADC CVE-2023-3519)"
      author = "Florian Roth"
      reference = "https://www.mandiant.com/resources/blog/citrix-zero-day-espionage"
      date = "2023-07-24"
      score = 85
      id = "db0542e7-648e-5f60-9838-e07498f58b51"
   strings:
      // generic PHP fragments - only meaningful in combination
      $generic_1 = "for ($x=0; $x<=1; $x++) {" ascii
      $generic_2 = "$_REQUEST[" ascii
      $generic_3 = "@eval" ascii
      // fragments specific to this webshell family
      $specific_1 = "public $cmd;" ascii
      $specific_2 = "return @eval($a);" ascii
      $specific_3 = "$z->run($z->get('openssl_public_decrypt'));" ascii
   condition:
      filesize < 100KB
      and (all of ($generic_*) or 2 of ($specific_*))
}