Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add CVE-2023-4966 related rules #4583

Merged
merged 5 commits into from
Nov 28, 2023
Merged

feat: add CVE-2023-4966 related rules #4583

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
9deeace
feat: add CVE-2023-4966 related rules
nasbench Nov 20, 2023
bbb8224
update metadata
nasbench Nov 28, 2023
70e0fc9
update wrong field
nasbench Nov 28, 2023
21f5535
Apply suggestions from code review
nasbench Nov 28, 2023
a7f89cc
Update test_rules.py
nasbench Nov 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 35 additions & 0 deletions ...2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
title: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure (proxy)
nasbench marked this conversation as resolved.
Show resolved Hide resolved
id: aee7681f-b53d-4594-a9de-ac51e6ad3362
related:
- id: 87c83d8e-5390-44ce-aa4a-d3b37e54d0a0 # Webserver Attempt
type: similar
- id: ff349b81-617f-4af4-924f-dbe8ea9bab41 # Proxy Attempt
type: similar
- id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit
type: similar
status: experimental
description: Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs by looking for a very long host header string.
references:
- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
- https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
- https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/
- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
- https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/11/28
tags:
- detection.emerging_threats
- attack.initial_access
- attack.t1190
- cve.2023.4966
logsource:
category: proxy
detection:
selection:
cs-method: 'GET'
cs-uri|contains: '/oauth/idp/.well-known/openid-configuration'
cs-host|re: '.{150}'
condition: selection
falsepositives:
- Vulnerability scanners
level: high
35 changes: 35 additions & 0 deletions ...6/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
title: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure (proxy)
nasbench marked this conversation as resolved.
Show resolved Hide resolved
id: ff349b81-617f-4af4-924f-dbe8ea9bab41
related:
- id: 87c83d8e-5390-44ce-aa4a-d3b37e54d0a0 # Webserver Attempt
type: similar
- id: aee7681f-b53d-4594-a9de-ac51e6ad3362 # Proxy Exploit
type: similar
- id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit
type: similar
status: experimental
description: Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.
references:
- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
- https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
- https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/
- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
- https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT)
date: 2023/11/28
tags:
- detection.emerging_threats
- attack.initial_access
- attack.t1190
- cve.2023.4966
logsource:
category: proxy
detection:
selection:
cs-method: 'GET'
cs-uri|contains: '/oauth/idp/.well-known/openid-configuration'
sc-status: 200
condition: selection
falsepositives:
- Vulnerability scanners
level: medium
35 changes: 35 additions & 0 deletions ...E-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
title: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure (webserver)
nasbench marked this conversation as resolved.
Show resolved Hide resolved
id: 87c83d8e-5390-44ce-aa4a-d3b37e54d0a0
related:
- id: ff349b81-617f-4af4-924f-dbe8ea9bab41 # Proxy Attempt
type: similar
- id: aee7681f-b53d-4594-a9de-ac51e6ad3362 # Proxy Exploit
type: similar
- id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit
type: similar
status: experimental
description: Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs.
references:
- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
- https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
- https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/
- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
- https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT)
date: 2023/11/28
tags:
- detection.emerging_threats
- attack.initial_access
- attack.t1190
- cve.2023.4966
logsource:
category: webserver
detection:
selection:
cs-method: 'GET'
cs-uri-stem|contains: '/oauth/idp/.well-known/openid-configuration'
sc-status: 200
condition: selection
falsepositives:
- Vulnerability scanners
level: medium
35 changes: 35 additions & 0 deletions ...966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
title: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure (webserver)
nasbench marked this conversation as resolved.
Show resolved Hide resolved
id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1
related:
- id: 87c83d8e-5390-44ce-aa4a-d3b37e54d0a0 # Webserver Attempt
type: similar
- id: ff349b81-617f-4af4-924f-dbe8ea9bab41 # Proxy Attempt
type: similar
- id: aee7681f-b53d-4594-a9de-ac51e6ad3362 # Proxy Exploit
type: similar
status: experimental
description: Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string.
references:
- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
- https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
- https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/
- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
- https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/11/28
tags:
- detection.emerging_threats
- attack.initial_access
- attack.t1190
- cve.2023.4966
logsource:
category: webserver
detection:
selection:
cs-method: 'GET'
cs-uri-stem|contains: '/oauth/idp/.well-known/openid-configuration'
cs-host|re: '.{150}'
condition: selection
falsepositives:
- Vulnerability scanners
level: high
Loading