Yara Rule - Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519

Yara definition.

Author: Florian Roth

Reference: https://www.mandiant.com/resources/blog/citrix-zero-day-espionage

The page lists only the meta values and strings of two rules (dated 2023-07-21 and 2023-07-24). Below they are put back into loadable YARA syntax; the rule names and the `1 of them` condition are reconstructed and not shown on the page.

```yara
rule EXPL_Citrix_NetScaler_ADC_Exploitation_Artefacts_CVE_2023_3519_Jul23_1 {
   meta:
      description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
      author = "Florian Roth"
      reference = "https://www.mandiant.com/resources/blog/citrix-zero-day-espionage"
      date = "2023-07-21"
      score = 70
   strings:
      // staging of collected data into an archive under /var/tmp
      $s1 = "tar -czvf - /var/tmp/all.txt" ascii fullword
      $s2 = "-out /var/tmp/test.tar.gz" ascii
      $s3 = "/test.tar.gz /netscaler/"
   condition:
      1 of them
}
rule EXPL_Citrix_NetScaler_ADC_Exploitation_Artefacts_CVE_2023_3519_Jul23_2 {
   meta:
      description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
      author = "Florian Roth"
      reference = "https://www.mandiant.com/resources/blog/citrix-zero-day-espionage"
      date = "2023-07-24"
      score = 70
   strings:
      // config and key-file collection, payload decoding, setuid copy of bash, LDAP query for accounts with SPNs
      $x1 = "cat /flash/nsconfig/ns.conf >>" ascii
      $x2 = "cat /nsconfig/.F1.key >>" ascii
      $x3 = "openssl base64 -d < /tmp/" ascii
      $x4 = "cp /usr/bin/bash /var/tmp/bash" ascii
      $x5 = "chmod 4775 /var/tmp/bash"
      $x6 = "pwd;pwd;pwd;pwd;pwd;"
      $x7 = "(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectCategory=computer)))"
   condition:
      1 of them
}
```
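As an added example (not from the page or the signature-base project): a small Python stand-in for running yara over collected files when yara-python is not available on the appliance. It applies the string indicators above with YARA's `fullword` semantics and a `1 of them` condition to constructed sample data; the Jul23_1/Jul23_2 labels are assumed short names and the LDAP filter `$x7` is left out.

```python
import re
from typing import Dict, List, Tuple

# Indicator strings from the two rules above as (string id, text, fullword).
# Jul23_1 / Jul23_2 are assumed short labels; the LDAP filter $x7 is left out.
RULE_STRINGS: Dict[str, List[Tuple[str, str, bool]]] = {
    "Jul23_1": [
        ("$s1", "tar -czvf - /var/tmp/all.txt", True),
        ("$s2", "-out /var/tmp/test.tar.gz", False),
        ("$s3", "/test.tar.gz /netscaler/", False),
    ],
    "Jul23_2": [
        ("$x1", "cat /flash/nsconfig/ns.conf >>", False),
        ("$x2", "cat /nsconfig/.F1.key >>", False),
        ("$x3", "openssl base64 -d < /tmp/", False),
        ("$x4", "cp /usr/bin/bash /var/tmp/bash", False),
        ("$x5", "chmod 4775 /var/tmp/bash", False),
        ("$x6", "pwd;pwd;pwd;pwd;pwd;", False),
    ],
}


def find_offsets(data: bytes, needle: str, fullword: bool) -> List[int]:
    """Offsets of an ascii string in data. With fullword, the match may not be
    bordered by an alphanumeric byte on either side (YARA's fullword rule)."""
    pat = re.escape(needle.encode("ascii"))
    if fullword:
        pat = rb"(?<![A-Za-z0-9])" + pat + rb"(?![A-Za-z0-9])"
    return [m.start() for m in re.finditer(pat, data)]


def scan_bytes(data: bytes) -> Dict[str, List[Tuple[str, int]]]:
    """Evaluate each rule with a '1 of them' condition; returns
    {rule: [(string id, offset), ...]} for the rules that fire."""
    hits: Dict[str, List[Tuple[str, int]]] = {}
    for rule, strings in RULE_STRINGS.items():
        found = [(sid, off) for sid, text, fw in strings
                 for off in find_offsets(data, text, fw)]
        if found:
            hits[rule] = found
    return hits


# Constructed sample input (not real evidence): a shell-history fragment that
# resembles the staging commands, and a benign line where $s1 occurs only as
# part of a longer token, which fullword must reject.
SAMPLE_HISTORY = (
    b"cat /flash/nsconfig/ns.conf >> /var/tmp/all.txt\n"
    b"tar -czvf - /var/tmp/all.txt | openssl enc -out /var/tmp/test.tar.gz\n"
)
SAMPLE_BENIGN = b"tar -czvf - /var/tmp/all.txtbackup\n"
```

On a real triage, feed `scan_bytes` the contents of files under /var/tmp, /netscaler and shell histories; offsets let you pull the surrounding command line for context.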


[https://github.com/Neo23x0/signature-base/commit/34e90be3e26784b5dcdbbaa81ee7bb294b387e92](https://github.com/Neo23x0/signature-base/commit/34e90be3e26784b5dcdbbaa81ee7bb294b387e92)