Citrix

Date: 2023-07-21 ID: 56fbbe5d-d63e-4b59-abed-738363477b95 Author: Michael Haag, Splunk Environment: attack_range Directory: citrix

Description

Attack data related to CVE-2023-3519

ID	Technique	Tactic
T1190	Exploit Public-Facing Application	Initial Access

The following datasets were collected during this attack simulation:

Path: /datasets/attack_techniques/T1190/citrix/nginx_kv_citrixbleed2_startwebview.log
Sourcetype: nginx:plus:access
Source: nginx

Path: /datasets/attack_techniques/T1190/citrix/nginx_kv_cve_2023-4966-citrix.log
Sourcetype: nginx:plus:access
Source: nginx

The following detections in our security content repository use this attack data for testing:

Detection Name	Type	Source	MITRE ATT&CK	Analytic Story
Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure	`Anomaly`	Web	T1190	Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777
Citrix ADC Exploitation CVE-2023-3519	`Hunting`	Web	T1190	Citrix Netscaler ADC CVE-2023-3519, CISA AA24-241A
Citrix ShareFile Exploitation CVE-2023-24489	`Hunting`	Web	T1190	Citrix ShareFile RCE CVE-2023-24489
Citrix ADC and Gateway Unauthorized Data Disclosure	`TTP`	Web	T1190	Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966, Scattered Lapsus$ Hunters

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/attack_techniques/T1190/citrix/suricata_citrixbleed2.log --index attack_data

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0