The tool looks for both specific indicators of malware (coinminers, NOTROBIN and more) as well as methodology indicators that should generically identify compromise (e.g. processes spawned by user nobody, files with 644 user permission, etc.). #DFIR
Lots of late nights and work on the weekend/holiday to get this out. Many thanks to @williballenthin, @MadeleyJosh, @_bromiley, @jkoppen1 and @ItsReallyNick for help making it happen.
There are two modes that you can run the tool in: default and --verbose. The default mode will look for high-confidence evidence of compromise. The --verbose mode will also look through HTTP access logs for evidence of successful vuln scanning as well as failed vuln scanning.
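The two generic indicator classes from the first tweet (processes running as user nobody, files created with mode 644) and the default/--verbose split described here, as an added Python illustration. This is not the FireEye/Citrix tool's code: the watched directories, the process list, the file inventory and the access-log lines are all constructed, and the --verbose heuristic (a path-traversal sequence in the decoded request path marks a scan attempt, with the HTTP status deciding success vs. failure) is an assumption of this example, not a description of the tool's real signatures.

```python
import re
from collections import namedtuple
from urllib.parse import unquote

# Added example, not the FireEye/Citrix scanner. Every data item below is constructed.
Process = namedtuple("Process", "pid user command")
FileEntry = namedtuple("FileEntry", "path owner mode")

# Constructed process listing (as if read from `ps`): two shells running as nobody.
SAMPLE_PROCESSES = [
    Process(101, "root", "/usr/sbin/sshd"),
    Process(212, "nobody", "/usr/bin/perl /tmp/x.pl"),
    Process(313, "root", "/usr/sbin/cron"),
    Process(414, "nobody", "/bin/sh -c /tmp/run.sh"),
]

# Constructed file inventory; directory names are placeholders, not the appliance's real paths.
WATCHED_DIRS = ["/var/app/templates/", "/var/app/bookmarks/"]
SAMPLE_FILES = [
    FileEntry("/var/app/templates/legit.xml", "root", 0o600),
    FileEntry("/var/app/templates/a1b2c3.xml", "nobody", 0o644),
    FileEntry("/var/app/bookmarks/x.xml", "nobody", 0o644),
    FileEntry("/etc/hosts", "root", 0o644),  # 644 but outside the watched dirs: not flagged
]

# Constructed Combined-Log-Format lines; 198.51.100.7 probes with a traversal sequence,
# once literally and once percent-encoded; the last line is deliberately unparsable.
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [11/Jan/2020:10:00:01 +0000] "GET /app/../internal/config.xml HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Jan/2020:10:00:02 +0000] "GET /app/%2e%2e/internal/missing HTTP/1.1" 404 0',
    '203.0.113.5 - - [11/Jan/2020:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
    "not a log line at all",
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


def find_nobody_processes(processes):
    """Default-mode indicator: anything running under the unprivileged 'nobody' account."""
    return [p for p in processes if p.user == "nobody"]


def find_644_files(files, watched_dirs):
    """Default-mode indicator: files with mode 644 inside the watched directories."""
    return [
        f for f in files
        if (f.mode & 0o777) == 0o644 and any(f.path.startswith(d) for d in watched_dirs)
    ]


def scan_access_log(lines):
    """--verbose heuristic (assumed): a decoded request path containing '..' is a scan
    attempt; HTTP 200 is counted as successful, any other status as failed."""
    result = {"successful": [], "failed": [], "unparsed": 0}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            result["unparsed"] += 1  # keep count so a mangled log is not silently skipped
            continue
        path = unquote(m.group("path"))  # catches %2e%2e as well as a literal ..
        if ".." not in path:
            continue
        bucket = "successful" if m.group("status") == "200" else "failed"
        result[bucket].append((m.group("ip"), path, m.group("status")))
    return result


def run_scan(processes, files, log_lines, watched_dirs, verbose=False):
    """Default mode returns only the high-confidence host indicators;
    verbose=True adds the access-log scan results."""
    report = {
        "nobody_processes": find_nobody_processes(processes),
        "mode_644_files": find_644_files(files, watched_dirs),
    }
    if verbose:
        report["access_log"] = scan_access_log(log_lines)
    return report


if __name__ == "__main__":
    import pprint
    pprint.pprint(run_scan(SAMPLE_PROCESSES, SAMPLE_FILES, SAMPLE_ACCESS_LOG,
                           WATCHED_DIRS, verbose=True))
```

Percent-decoding the path before testing it is the edge case worth keeping: a scanner that only matches a literal `..` misses the encoded form, which shows up in the second constructed log line.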
There are a lot of great resources that you can leverage to learn more about CVE-2019-19781 and how it's being exploited.
https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html
https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html
@TrustedSec has put out some great research both on the #DFIR side of investigating CVE-2019-19781 and from their honeypot with details around what threat actors are dropping.
https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/
https://www.trustedsec.com/blog/netscaler-honeypot/
@sans_isc has put out two really interesting blogs on the recent history of scanning (and the significant uptick after PoCs were released) and the type of payloads they've observed.
https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/
https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704/
This @reddit thread has probably the most comprehensive list of links and discussion around CVE-2019-19781.
https://www.reddit.com/r/blueteamsec/comments/en4m7j/multiple_exploits_for_cve201919781_citrix/
This thread from @mpgn_x64 was useful in helping to understand alternate ways an attacker could exploit the vulnerability. This is important when trying to come up with resilient detection logic.
https://twitter.com/mpgn_x64/status/1216787131210829826?s=20
This brief thread from @buffaloverflow sheds light on potential implications of a successful compromise (e.g. decrypting passwords in ns.conf and stealing session tokens).
https://twitter.com/buffaloverflow/status/1216807963974938624?s=20
Not sure why, but the initial Tweet in this thread didn't link properly to the @FireEye blog. Here's the link with a description and instructions on how to use the tool and example output.
https://www.fireeye.com/blog/products-and-services/2020/01/fireeye-and-citrix-tool-scans-for-iocs-related-to-vulnerability.html
