CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.
Sigma rule (View on GitHub)
1title: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
2id: ff349b81-617f-4af4-924f-dbe8ea9bab41
3related:
4 - id: 87c83d8e-5390-44ce-aa4a-d3b37e54d0a0 # Webserver Attempt
5 type: similar
6 - id: aee7681f-b53d-4594-a9de-ac51e6ad3362 # Proxy Exploit
7 type: similar
8 - id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit
9 type: similar
10status: test
11description: Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.
12references:
13 - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
14 - https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
15 - https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/
16 - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
17 - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
18author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT)
19date: 2023-11-28
20tags:
21 - detection.emerging-threats
22 - attack.initial-access
23 - attack.t1190
24 - cve.2023-4966
25logsource:
26 category: proxy
27detection:
28 selection:
29 cs-method: 'GET'
30 cs-uri|contains: '/oauth/idp/.well-known/openid-configuration'
31 sc-status: 200
32 condition: selection
33falsepositives:
34 - Vulnerability scanners
35level: medium
References
Related rules
- CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
- CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
- CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)