CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy

Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.

Sigma rule (View on GitHub)

 1title: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
 2id: ff349b81-617f-4af4-924f-dbe8ea9bab41
 3related:
 4    - id: 87c83d8e-5390-44ce-aa4a-d3b37e54d0a0 # Webserver Attempt
 5      type: similar
 6    - id: aee7681f-b53d-4594-a9de-ac51e6ad3362 # Proxy Exploit
 7      type: similar
 8    - id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit
 9      type: similar
10status: test
11description: Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.
12references:
13    - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
14    - https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
15    - https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/
16    - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
17    - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
18author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT)
19date: 2023-11-28
20tags:
21    - detection.emerging-threats
22    - attack.initial-access
23    - attack.t1190
24    - cve.2023-4966
25logsource:
26    category: proxy
27detection:
28    selection:
29        cs-method: 'GET'
30        cs-uri|contains: '/oauth/idp/.well-known/openid-configuration'
31        sc-status: 200
32    condition: selection
33falsepositives:
34    - Vulnerability scanners
35level: medium

References

Related rules

to-top