Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Netscaler Forensic Artefacts
rule SUSP_Netscaler_Forensic_Artefacts {
meta:
description = "Detects strings / forensic artefacts on exploited Netscaler systems"
author = "Florian Roth"
reference = "https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/"
date = "2020-01-14"
score = 70
strings:
$ = "shell_command=\"whoami\"" ascii
$ = "shell_command=\"hostname\"" ascii
$ = "shell_command=\"uname\"" ascii
$ = "/vpn/../vpns/portal/scripts/" ascii
$ = "cat /var/nstmp/sess_" ascii /* https://twitter.com/buffaloverflow/status/1216808338450677760 */
$ = "cat /flash/nsconfig/ns.conf" ascii /* https://twitter.com/buffaloverflow/status/1216807963974938624 */
$ = "<?php @eval(base64_decode(" ascii /* https://www.reddit.com/r/blueteamsec/comments/en4m7j/multiple_exploits_for_cve201919781_citrix/ */
$ = ".pl HTTP/1.1\" 200 143" ascii /* https://twitter.com/ItsReallyNick/status/1216821591281225729 */
$ = ".pl HTTP/1.1\" 200 135" ascii /* https://twitter.com/ItsReallyNick/status/1216821591281225729 */
condition:
1 of them
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.