Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195

Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195

Sigma rule (View on GitHub)

title: Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
id: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7
status: test
description: Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
references:
    - https://support.citrix.com/article/CTX276688
    - https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/
    - https://dmaasland.github.io/posts/citrix.html
author: Florian Roth (Nextron Systems)
date: 2020/07/10
modified: 2023/01/02
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2020.8193
    - cve.2020.8195
    - detection.emerging_threats
logsource:
    category: webserver
detection:
    selection1:
        cs-uri-query|contains: '/rapi/filedownload?filter=path:%2F'
    selection2:
        cs-uri-query|contains|all:
            - '/pcidss/report'
            - 'type=all_signatures'
            - 'sig_name=_default_signature_'
    condition: 1 of selection*
fields:
    - client_ip
    - vhost
    - url
    - response
falsepositives:
    - Unknown
level: critical
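The rule's matching logic, written out as an added Python example (not part of the Sigma project or this page's rule) so the two selections can be checked against log values before deployment. The event layout, IP addresses and query strings are constructed samples; the function names are hypothetical.

```python
# Added example: evaluates the rule's condition "1 of selection*" over
# constructed web-server events. Sigma's `contains` modifier is a
# case-insensitive substring match; `|all` requires every listed value.

SELECTION1 = ["/rapi/filedownload?filter=path:%2F"]
SELECTION2_ALL = [
    "/pcidss/report",
    "type=all_signatures",
    "sig_name=_default_signature_",
]


def match_rule(cs_uri_query):
    """Return the name of the selection that matches, or None."""
    value = cs_uri_query.lower()
    if any(p.lower() in value for p in SELECTION1):
        return "selection1"
    if all(p.lower() in value for p in SELECTION2_ALL):
        return "selection2"
    return None


# Constructed sample events (documentation IP ranges, placeholder paths).
SAMPLE_EVENTS = [
    {"client_ip": "198.51.100.7",
     "cs-uri-query": "/rapi/filedownload?filter=path:%2Fexample%2Ffile"},
    {"client_ip": "198.51.100.8",
     "cs-uri-query": "/pcidss/report?type=all_signatures&sig_name=_default_signature_"},
    # Only one of the three selection2 values is present: no match.
    {"client_ip": "192.0.2.10",
     "cs-uri-query": "/pcidss/report?type=summary"},
    # A log pipeline that URL-decodes the field removes the literal %2F,
    # so the rule needs the raw request value in cs-uri-query.
    {"client_ip": "192.0.2.11",
     "cs-uri-query": "/rapi/filedownload?filter=path:/example/file"},
]


def triage(events):
    """Return (client_ip, selection) for every event the rule would flag."""
    hits = []
    for event in events:
        selection = match_rule(event["cs-uri-query"])
        if selection:
            hits.append((event["client_ip"], selection))
    return hits


if __name__ == "__main__":
    for client_ip, selection in triage(SAMPLE_EVENTS):
        print(client_ip, selection)
```

Both selections match on `cs-uri-query` yet include the request path, so confirm that the field mapping for your web-server logs places the full request URI in that field.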
