Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
Detects exploitation attempts against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway that exploit the vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195.
Sigma rule:

```yaml
title: Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
id: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7
status: test
description: Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
references:
    - https://support.citrix.com/article/CTX276688
    - https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/
    - https://dmaasland.github.io/posts/citrix.html
author: Florian Roth (Nextron Systems)
date: 2020-07-10
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2020-8193
    - cve.2020-8195
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection1:
        cs-uri-query|contains: '/rapi/filedownload?filter=path:%2F'
    selection2:
        cs-uri-query|contains|all:
            - '/pcidss/report'
            - 'type=all_signatures'
            - 'sig_name=_default_signature_'
    condition: 1 of selection*
fields:
    - client_ip
    - vhost
    - url
    - response
falsepositives:
    - Unknown
level: critical
```
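To show how the two selections and the `1 of selection*` condition behave on actual log lines, here is an added reference evaluation of the rule in Python; it is not code from the rule author or the Sigma project. It assumes a constructed space-separated log layout in which `cs-uri-query` carries the full request target including the query string, and applies Sigma's default case-insensitive substring matching.

```python
from typing import Dict, List

# Patterns copied verbatim from the rule's two selections.
SELECTION1_CONTAINS = "/rapi/filedownload?filter=path:%2F"
SELECTION2_CONTAINS_ALL = (
    "/pcidss/report",
    "type=all_signatures",
    "sig_name=_default_signature_",
)

# Assumed log layout (constructed for this example): space-separated fields where
# cs-uri-query holds the full request target including the query string.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-query", "sc-status"]

def parse_line(line: str) -> Dict[str, str]:
    """Split one space-separated log line into a field dict keyed by FIELDS."""
    return dict(zip(FIELDS, line.split()))

def selection1(event: Dict[str, str]) -> bool:
    """cs-uri-query|contains: single substring, case-insensitive like Sigma."""
    return SELECTION1_CONTAINS.lower() in event.get("cs-uri-query", "").lower()

def selection2(event: Dict[str, str]) -> bool:
    """cs-uri-query|contains|all: every listed substring must be present."""
    query = event.get("cs-uri-query", "").lower()
    return all(s.lower() in query for s in SELECTION2_CONTAINS_ALL)

def rule_matches(event: Dict[str, str]) -> bool:
    """condition: 1 of selection* -> at least one selection fires."""
    return selection1(event) or selection2(event)

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return the rule's output fields (client_ip, url, response) per matching line."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if rule_matches(ev):
            hits.append({"client_ip": ev["c-ip"], "url": ev["cs-uri-query"],
                         "response": ev["sc-status"]})
    return hits

# Constructed sample lines, not real traffic; line 3 shows a partial contains|all miss.
SAMPLE_LOG = [
    "2020-07-10 10:00:01 198.51.100.7 GET /vpn/index.html 200",
    "2020-07-10 10:00:02 198.51.100.7 GET /rapi/filedownload?filter=path:%2Fexample 200",
    "2020-07-10 10:00:03 203.0.113.9 GET /pcidss/report?type=all_signatures 403",
    "2020-07-10 10:00:04 203.0.113.9 GET /pcidss/report?type=all_signatures&sig_name=_default_signature_ 200",
]
```

Running `scan(SAMPLE_LOG)` yields two hits: the second and fourth lines; the third line is not reported because `contains|all` requires all three substrings.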
Related rules
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - Weblogs
- Arcadyan Router Exploitations
- Atlassian Bitbucket Command Injection Via Archive API
- CVE-2010-5278 Exploitation Attempt