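rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23 {
    meta:
        description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
        author = "Florian Roth"
        reference = "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf"
        date = "2023-07-18"
        modified = "2023-07-21"
        score = 70
        id = "07d725cc-2cf2-55e5-8609-486500547f13"
    strings:
        // Group A: the network indicator from the referenced advisory. A hit
        // in any file under the size cap is sufficient on its own.
        $sa1 = "216.41.162.172" ascii fullword

        // Group B: command-line fragments that are only meaningful inside the
        // NetScaler shell history logs, so they are gated on the file
        // location in the condition below.
        $sb1 = "/flash/nsconfig/keys" ascii
        $sb2 = "ldapsearch" ascii fullword
        $sb3 = "ns_gui/vpn" ascii
        $sb4 = "LDAPTLS_REQCERT" ascii fullword
    condition:
        // YARA binds "and" tighter than "or", so the two branches were already
        // grouped this way; the parentheses make the grouping explicit so a
        // later edit does not accidentally pair the size cap with the log
        // branch (or the log-file gate with $sa1).
        (
            filesize < 10MB and $sa1
        )
        or
        (
            // "filepath" and "filename" are external variables. They are
            // supplied by the scanner (e.g. THOR) or on the command line via
            // `yara -d filepath=... -d filename=...`; without a definition
            // plain yara refuses to compile this rule.
            filepath == "/var/log"
            // The regex is anchored only at the start, so any name beginning
            // with bash.log / sh.log matches (presumably to cover rotated
            // copies as well).
            and filename matches /^(bash|sh)\.log/
            // NOTE(review): this branch carries no filesize cap; shell logs
            // can grow large, so scan cost is bounded only by the log itself.
            and 1 of ($sb*)
        )
}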
rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23_2 {
    meta:
        description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
        author = "Florian Roth"
        reference = "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf"
        date = "2023-07-21"
        score = 70
        id = "471ce547-0133-5836-b9d1-02c932ecfd1e"
    strings:
        // Command-line fragments of the collection/staging steps: data
        // gathered under /var/tmp is packed into a tarball and the archive is
        // copied into /netscaler/. Each string is a specific path pair, so a
        // single hit is treated as sufficient below.
        $s1 = "tar -czvf - /var/tmp/all.txt" ascii fullword
        $s2 = "-out /var/tmp/test.tar.gz" ascii
        // No modifier here: YARA applies "ascii" by default, so this behaves
        // like $s2 without "fullword".
        $s3 = "/test.tar.gz /netscaler/"
    condition:
        // Any one of the staging fragments in a file under the size cap.
        filesize < 10MB and 1 of them
}
rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23_3 {
    meta:
        description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
        author = "Florian Roth"
        reference = "https://www.mandiant.com/resources/blog/citrix-zero-day-espionage"
        date = "2023-07-24"
        score = 70
        id = "2f40b423-f1da-5711-ac4f-18de77cd52d0"
    strings:
        // Appending the appliance configuration and key material to another
        // file (">>") - a collection step, not normal administration.
        $x1 = "cat /flash/nsconfig/ns.conf >>" ascii
        $x2 = "cat /nsconfig/.F1.key >>" ascii
        // Decoding a base64 payload dropped under /tmp.
        $x3 = "openssl base64 -d < /tmp/" ascii
        // A copy of bash placed in /var/tmp and made setuid (mode 4775) -
        // a persistence/privilege artifact, see the referenced report.
        $x4 = "cp /usr/bin/bash /var/tmp/bash" ascii
        $x5 = "chmod 4775 /var/tmp/bash"
        // Repeated "pwd" sequence; presumably a padding/keep-alive quirk of
        // the tooling described in the reference - confirm against the report.
        $x6 = "pwd;pwd;pwd;pwd;pwd;"
        // LDAP filter for enabled (UAC 512 set, not bit 2 / disabled) non-computer
        // accounts that carry a servicePrincipalName - an AD enumeration artifact.
        $x7 = "(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectCategory=computer)))"
    condition:
        // Any single fragment is specific enough on its own; the size cap
        // keeps the scan to configuration/log-sized files.
        filesize < 10MB and 1 of them
}
rule LOG_EXPL_Citrix_Netscaler_ADC_Exploitation_Attempt_CVE_2023_3519_Jul23_1 {
    meta:
        description = "This YARA rule detects forensic artifacts that appear following an attempted exploitation of Citrix NetScaler ADC CVE-2023-3519. The rule identifies an attempt to access the vulnerable function using an overly long URL, a potential sign of attempted exploitation. However, it does not confirm whether such an attempt was successful."
        author = "Florian Roth"
        reference = "https://blog.assetnote.io/2023/07/24/citrix-rce-part-2-cve-2023-3519/"
        date = "2023-07-27"
        score = 65
        id = "7dfe4130-d976-5d6d-a05d-ccadefe45406"
    strings:
        /* overly long URL - all URLLEN values >= 200 */
        // The alternation accepts 200-999 (three digits starting with 2-9) or
        // any 4- to 20-digit value; values below 200 do not match. The literal
        // "GWTEST FORMS SSO:" prefix lets the engine anchor the regex cheaply.
        $sr1 = /GWTEST FORMS SSO: Parse=0; URLLEN=([2-9][0-9]{2}|[0-9]{4,20}); Event: start=0x/
        // Second fragment of the same log record format.
        $s1 = ", type=1; Target: start=0x"
    condition:
        // Both strings must be present somewhere in the file; YARA does not
        // require them on the same log line. No filesize cap, as this is a
        // log rule and the log may legitimately be large - this is an
        // attempt indicator only, as the description states.
        all of them
}
rule WEBSHELL_SECRETSAUCE_Jul23_1 {
    meta:
        description = "Detects SECRETSAUCE PHP webshells (found after an exploitation of Citrix NetScaler ADC CVE-2023-3519)"
        author = "Florian Roth"
        reference = "https://www.mandiant.com/resources/blog/citrix-zero-day-espionage"
        date = "2023-07-24"
        score = 85
        id = "db0542e7-648e-5f60-9838-e07498f58b51"
    strings:
        // Group A: $sa2 and $sa3 are common in ordinary PHP; the specificity
        // comes from the two-iteration loop in $sa1, which is why all three
        // are required together.
        $sa1 = "for ($x=0; $x<=1; $x++) {" ascii
        $sa2 = "$_REQUEST[" ascii
        $sa3 = "@eval" ascii

        // Group B: fragments of the class-based variant; $sb3 (the
        // openssl_public_decrypt call) is the most distinctive of the three.
        $sb1 = "public $cmd;" ascii
        $sb2 = "return @eval($a);" ascii
        $sb3 = "$z->run($z->get('openssl_public_decrypt'));"
    condition:
        // Small-file cap suits webshell sources; either the full group A
        // pattern or two of the group B fragments.
        filesize < 100KB and (
            all of ($sa*) or
            2 of ($sb*)
        )
}