Emerging Threat · critical · test

Citrix Netscaler Attack CVE-2019-19781

Detects CVE-2019-19781 exploitation attempts against Citrix NetScaler, Application Delivery Controller and Citrix Gateway appliances

Arnim Rupp, Florian Roth (Nextron Systems)
Created Thu Jan 02
Updated Mon Jan 02
ac5a6409-8c89-44c2-8d64-668c29a2d756
2019
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Web Server Log
Category: Web Server Log (raw: webserver)

HTTP access logs from web servers capturing request paths, methods, and status codes.

Definition

Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.

Detection Logic (2 selectors)
detection:
    selection_cs:
        - cs-uri-query|contains: '/../vpns/'
        - cs-uri-query|endswith: '/vpns/cfg/smb.conf'
    selection_csall:
        cs-uri-query|contains|all:
            - '/vpns/portal/scripts/'
            - '.pl'
    condition: 1 of selection_*
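The two selectors above, evaluated in Python over a handful of constructed access log lines, so the rule's behaviour can be checked before it is converted for a real backend. This is an added example and not code from the Sigma rule or the SigmaHQ project: the combined-log-format regex, the SAMPLE_LOG lines (including the placeholder script name EXAMPLE.pl), and the percent-decoding step are assumptions made here; only the match substrings come from the rule. It also shows the triage caveat hinted at in the Definition: the rule fires on logout.pl too, because selection_csall matches any .pl under portal/scripts.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
# Line 1 and 2: the smb.conf read, with and without traversal.
# Line 3: a traversal to a placeholder script (uppercase to exercise case-insensitivity).
# Line 4: logout.pl, which the rule still flags even though the notes exclude it.
# Lines 5 and 6: benign requests that must not match.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jan/2020:10:15:01 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 512 "-" "curl/7.64.0"
10.0.0.5 - - [02/Jan/2020:10:15:02 +0000] "GET /vpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "curl/7.64.0"
10.0.0.7 - - [02/Jan/2020:10:16:10 +0000] "POST /vpn/../vpns/portal/scripts/EXAMPLE.pl HTTP/1.1" 200 0 "-" "python-requests/2.22"
10.0.0.9 - - [02/Jan/2020:10:17:00 +0000] "GET /vpns/portal/scripts/logout.pl HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Jan/2020:10:18:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Jan/2020:10:19:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser (assumption: this is how the web server logs).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize(uri):
    """Lower-case the URI (Sigma string matching is case-insensitive by default).

    Percent-decoding once is an extra normalisation added in this example, not
    part of the rule; a converted rule compares against the field as logged.
    """
    return unquote(uri).lower()


def selection_cs(uri):
    """selection_cs: list of two values -> OR of contains and endswith."""
    u = normalize(uri)
    return "/../vpns/" in u or u.endswith("/vpns/cfg/smb.conf")


def selection_csall(uri):
    """selection_csall: contains|all -> every substring must be present."""
    u = normalize(uri)
    return all(s in u for s in ("/vpns/portal/scripts/", ".pl"))


SELECTIONS = {"selection_cs": selection_cs, "selection_csall": selection_csall}


def rule_matches(uri):
    """condition: 1 of selection_* -> any selection firing is a hit."""
    return any(fn(uri) for fn in SELECTIONS.values())


def scan(log_text):
    """Apply the rule to each parseable line and return the hits with the selections that fired."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        fired = [name for name, fn in SELECTIONS.items() if fn(rec["uri"])]
        if fired:
            hits.append({
                "client": rec["client"],
                "uri": rec["uri"],
                "status": rec["status"],
                "selections": fired,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["client"]} {hit["status"]} {hit["uri"]} <- {", ".join(hit["selections"])}')
```

Running the block flags the first four lines and leaves the two benign requests alone. The logout.pl hit is the one to treat with care during triage: the rule has no exclusion for it, so a legitimate logout can produce an alert, while the smb.conf and traversal hits deserve immediate attention regardless of the HTTP status, since a 403 still shows the appliance is being probed.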
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

MITRE ATT&CK

Other

cve.2019-19781, detection.emerging-threats
Rule Metadata
Rule ID
ac5a6409-8c89-44c2-8d64-668c29a2d756
Status
test
Level
critical
Type
Emerging Threat
Created
Thu Jan 02
Modified
Mon Jan 02
Path
rules-emerging-threats/2019/Exploits/CVE-2019-19781/web_cve_2019_19781_citrix_exploit.yml
Raw Tags
attack.initial-access, attack.t1190, cve.2019-19781, detection.emerging-threats