https://github.com/b0lg0r0v/citrix-netscaler-forensics
This repository contains a list of artifacts to search for while performing a forensic investigation on Citrix Netscaler appliances.
citrix-adc citrix-adc-forensics citrix-netscaler forensic-analysis guide malware
- Host: GitHub
- URL: https://github.com/b0lg0r0v/citrix-netscaler-forensics
- Owner: B0lg0r0v
- Created: 2024-01-26T09:18:39.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2024-01-30T12:49:30.000Z (over 2 years ago)
- Last Synced: 2024-01-31T10:25:10.195Z (over 2 years ago)
- Topics: citrix-adc, citrix-adc-forensics, citrix-netscaler, forensic-analysis, guide, malware
- Language: Shell
- Homepage:
- Size: 42 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Citrix Netscaler Forensics
This repository provides a comprehensive list of commands & artifacts to search for while performing a forensic investigation on Citrix Netscaler appliances. Contributions are welcome.
# Table Of Contents
- [Automated Script](#automated-script)
- [Manual Forensics](#manual-forensics)
- [Launch the THOR APT Scanner](#launch-the-thor-apt-scanner)
- [References](#references)
# Automated Script
I've made a small shell script which acts as a wrapper around these commands. If you want to automate the process (although I still recommend double-checking the results manually), you can run the script directly on the ADC appliance.
```
curl -o citrix-adc-forensics.sh https://raw.githubusercontent.com/B0lg0r0v/citrix-netscaler-forensics/main/citrix-adc-forensics.sh
chmod +x citrix-adc-forensics.sh
./citrix-adc-forensics.sh
```
This will generate a `forensics` folder in your current working directory.
# Manual Forensics
Log files are generally located under:
```
/var/log/*
```
Failed authentication attempts
```
zcat /var/log/ns.log.*.gz | grep "Authentication is rejected" | awk '{$1=$2=$3=$4=$5=$6=$7=$8=""; print $0}' | sort | uniq -c | sort -nr
```
SSH logs
```
zcat /var/log/auth.log.*.gz | grep -i "sshd" | grep -i "accepted password" | awk '{$1=$2=$3=$4=$5=$6=$7=$8=""; sub(/^[[:space:]]+/, ""); print "Accepted password for " $0}' | uniq -c | sort -nr
```
Search for suspicious commands
```
curl
hostname
uname
nobody
whoami
id
```
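The two log one-liners above and the suspicious-command list can be turned into a small set of reusable functions. The block below is an added example, not code from the b0lg0r0v repository: it handles both the current plain-text log and the rotated `.gz` copies (the README commands only read the `.gz` files, so the newest entries in `ns.log` itself would be missed), groups rejected authentications by the message text rather than by field position so that per-line counters in the syslog prefix do not split the groups, and matches the suspicious command strings as whole words. All sample log lines, hostnames and addresses are constructed; the constructed `shell-history.txt` stands in for whatever command history or log you apply the string search to.

```shell
#!/bin/sh
# Added example, not part of the b0lg0r0v repository: summarise failed
# authentications, accepted SSH password logins and suspicious command strings
# across NetScaler log files, whether plain-text or rotated .gz copies.
# All sample log lines, hostnames and addresses below are constructed.

# Emit a log file's contents whether or not it is gzip-compressed.
cat_log() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Count "Authentication is rejected" messages. Grouping starts at the phrase
# itself, so per-line counters in the syslog prefix do not split the groups.
rejected_auth_summary() {
    for f in "$@"; do cat_log "$f"; done |
        grep -o "Authentication is rejected.*" | sort | uniq -c | sort -nr
}

# Count accepted SSH password logins per "user from address" pair.
ssh_accepted_summary() {
    for f in "$@"; do cat_log "$f"; done |
        grep -i sshd | grep -i "accepted password" |
        sed -n 's/.*[Aa]ccepted password for \([^ ]*\) from \([^ ]*\).*/\1 from \2/p' |
        sort | uniq -c | sort -nr
}

# Print lines containing any of the README's suspicious command strings as
# whole words (so "id" does not match inside "ssid", for example).
suspicious_command_hits() {
    pattern='curl|hostname|uname|nobody|whoami|id'
    for f in "$@"; do cat_log "$f"; done |
        grep -E '(^|[^A-Za-z0-9_])('"$pattern"')([^A-Za-z0-9_]|$)'
}

# Create a constructed sample: a current ns.log, a rotated ns.log.1.gz, a
# rotated auth.log.1.gz and a shell-history file. Prints the directory path.
make_sample_logs() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/ns.log" <<'EOF'
Jan 26 09:18:39 <local0.info> 192.0.2.10 01/26/2024:09:18:39 GMT 0-PPE-0 : default AAA Message 100 0 : Authentication is rejected for user admin from 203.0.113.5
Jan 26 09:18:41 <local0.info> 192.0.2.10 01/26/2024:09:18:41 GMT 0-PPE-0 : default AAA Message 101 0 : Authentication is rejected for user admin from 203.0.113.5
Jan 26 09:20:00 <local0.info> 192.0.2.10 01/26/2024:09:20:00 GMT 0-PPE-0 : default SSLVPN LOGIN 102 0 : User nsroot - Client_ip 198.51.100.7
EOF
    cat > "$sample_dir/ns.log.1" <<'EOF'
Jan 25 22:05:12 <local0.info> 192.0.2.10 01/25/2024:22:05:12 GMT 0-PPE-0 : default AAA Message 90 0 : Authentication is rejected for user nsroot from 198.51.100.22
Jan 25 22:07:30 <local0.info> 192.0.2.10 01/25/2024:22:07:30 GMT 0-PPE-0 : default AAA Message 91 0 : Authentication is rejected for user admin from 203.0.113.5
EOF
    cat > "$sample_dir/auth.log.1" <<'EOF'
Jan 26 09:25:01 ns sshd[1234]: Accepted password for nsroot from 198.51.100.7 port 51234 ssh2
Jan 26 09:26:10 ns sshd[1240]: Accepted password for nsroot from 198.51.100.7 port 51240 ssh2
Jan 26 09:30:00 ns sshd[1250]: Accepted password for nsroot from 203.0.113.5 port 40000 ssh2
Jan 26 09:31:00 ns sshd[1251]: Failed password for root from 203.0.113.5 port 40001 ssh2
EOF
    cat > "$sample_dir/shell-history.txt" <<'EOF'
ls /var/tmp
curl http://198.51.100.9/
whoami
id -u
cat /etc/passwd
EOF
    gzip "$sample_dir/ns.log.1" "$sample_dir/auth.log.1"
    printf '%s\n' "$sample_dir"
}

# Stand-alone run against the constructed sample.
SAMPLE=$(make_sample_logs)
echo "== rejected authentications =="; rejected_auth_summary "$SAMPLE"/ns.log*
echo "== accepted SSH password logins =="; ssh_accepted_summary "$SAMPLE"/auth.log*
echo "== suspicious command strings =="; suspicious_command_hits "$SAMPLE"/shell-history.txt
rm -rf "$SAMPLE"
```

On an appliance you would call the functions with the real globs, for example `rejected_auth_summary /var/log/ns.log /var/log/ns.log.*.gz`; the `ns.log*` glob order does not matter because the counts are aggregated before sorting.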
Search for suspicious activity in the HTTP access and error logs
```
/var/log/httpaccess.log
/var/log/httperror.log
```
Look for suspicious files in these directories. Payloads are often placed here.
```
/netscaler/portal/templates
/var/tmp/netscaler/portal/templates
```
Look for processes and child processes
```
ps aux
ps aux | grep nobody
```
Look for cron jobs and also check the cron history
```
crontab -l -u nobody
crontab -l -u nsroot
crontab -l -u root
/var/log/cron
```
Look for unauthorized modifications to the crontab file and/or the existence of suspicious files in `/var/cron/tabs` and other locations
```
find / -type f -name "res*" | grep -E 'res($|\.[a-z]{3})$'
```
Check file integrity with MD5 sums and compare them against a known-clean ADC appliance running the same build (hashes legitimately differ between builds, so a mismatch against a different version is not evidence by itself).
```
cd /netscaler; for i in nsppe nsaaad nsconf nsreadfile nsconmsg; do md5 "$i"; done
```
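Comparing hashes by eye is error-prone, so the comparison is better done as a manifest produced on the known-clean appliance and verified on the suspect one. The block below is an added example, not code from the b0lg0r0v repository: the file list is the README's, while the manifest format, helper names and the two constructed sample directories (standing in for `/netscaler` on a clean and on a suspect appliance) are assumptions of this example. It uses `md5` on FreeBSD (the NetScaler shell) and falls back to `md5sum` on Linux; the same structure works with `sha256`/`sha256sum` if you prefer a stronger hash.

```shell
#!/bin/sh
# Added example, not part of the b0lg0r0v repository: record MD5 hashes of the
# NetScaler binaries listed in the README on a known-clean appliance, then verify
# a suspect appliance against that manifest. The manifest format, helper names
# and the sample directories are my own; a real run points <root> at /netscaler.

# Hex MD5 of one file. NetScaler (FreeBSD) ships `md5`, Linux ships `md5sum`.
md5_hex() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | awk '{print $1}'
    fi
}

# build_manifest <root> <manifest> <file>...
# Writes "<hash>  <name>" per file; run this on the known-clean appliance.
build_manifest() {
    root=$1; manifest=$2; shift 2
    : > "$manifest"
    for name in "$@"; do
        if [ -f "$root/$name" ]; then
            printf '%s  %s\n' "$(md5_hex "$root/$name")" "$name" >> "$manifest"
        else
            echo "WARNING: $root/$name not found, not recorded" >&2
        fi
    done
}

# verify_manifest <root> <manifest>
# Prints one line per missing or modified file; returns 1 if anything differs.
verify_manifest() {
    root=$1; manifest=$2; status=0
    while read -r expected name; do
        if [ ! -f "$root/$name" ]; then
            echo "MISSING  $name"; status=1
        else
            actual=$(md5_hex "$root/$name")
            if [ "$actual" != "$expected" ]; then
                echo "MODIFIED $name expected=$expected actual=$actual"; status=1
            fi
        fi
    done < "$manifest"
    return "$status"
}

# Constructed stand-in for /netscaler on two appliances: "clean" and "suspect",
# where the suspect has a patched nsppe and a missing nsconf. Prints the base dir.
make_sample_roots() {
    base=$(mktemp -d)
    mkdir -p "$base/clean" "$base/suspect"
    for name in nsppe nsaaad nsconf nsreadfile nsconmsg; do
        printf 'sample contents of %s\n' "$name" > "$base/clean/$name"
        cp "$base/clean/$name" "$base/suspect/$name"
    done
    printf 'tampered\n' >> "$base/suspect/nsppe"
    rm "$base/suspect/nsconf"
    printf '%s\n' "$base"
}

# Stand-alone run against the constructed sample.
BASE=$(make_sample_roots)
build_manifest "$BASE/clean" "$BASE/manifest" nsppe nsaaad nsconf nsreadfile nsconmsg
echo "== verifying clean =="; verify_manifest "$BASE/clean" "$BASE/manifest" && echo "OK"
echo "== verifying suspect =="; verify_manifest "$BASE/suspect" "$BASE/manifest" || echo "DIFFERENCES FOUND"
rm -rf "$BASE"
```

Generate the manifest on the clean appliance with `build_manifest /netscaler manifest.txt nsppe nsaaad nsconf nsreadfile nsconmsg`, copy it to the suspect appliance, and run `verify_manifest /netscaler manifest.txt`; a non-zero exit means at least one file is missing or differs.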
Check for the APT5 technique (see the APT5 advisory in the references). This command should produce no output; any output indicates a potential compromise.
```
procstat -v $(pgrep -o -i nsppe) | grep "0x10400000 " | grep "rwx"
```
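The `grep` chain above only reports the single region the advisory names. The block below is an added example, not code from the b0lg0r0v repository, that parses the `procstat -v` output for the `nsppe` process and reports every writable and executable (rwx) mapping, tagging the `0x10400000` region that the README check targets. That any other rwx mapping is abnormal for `nsppe` is an assumption to settle against a known-clean appliance; the block reports all of them for review rather than deciding. The two embedded maps are constructed to resemble FreeBSD's `procstat -v` columns and are not captured from a real appliance.

```shell
#!/bin/sh
# Added example, not part of the b0lg0r0v repository: parse `procstat -v` output
# for the nsppe process and report writable+executable (rwx) mappings, tagging the
# 0x10400000 region that the README's check targets. Whether any other rwx
# mapping is normal for nsppe is an assumption to settle against a known-clean
# appliance; this block reports all of them for review. Sample output below is
# constructed to resemble FreeBSD's procstat columns (PID START END PRT ... PATH).

# Reads `procstat -v <pid>` output on stdin. Prints one line per rwx mapping
# and exits 1 if any was found, 0 if the map is clean.
check_nsppe_mappings() {
    awk '
        NR == 1 && $1 == "PID" { next }               # skip the column header
        index($4, "r") && index($4, "w") && index($4, "x") {
            tag  = ($2 == "0x10400000") ? "ADVISORY-REGION" : "RWX"
            path = (NF >= 11) ? $NF : "-"             # anonymous maps have no path
            printf "%s pid=%s start=%s end=%s path=%s\n", tag, $1, $2, $3, path
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed map of a clean nsppe: code is r-x, data is rw-, nothing is rwx.
sample_procstat_clean() {
    cat <<'EOF'
  PID              START                END PRT  RES PRES REF SHD FLAG TP PATH
 4242           0x400000         0x10400000 r-x 16384    0   1   0 CN-- vn /netscaler/nsppe
 4242         0x10400000         0x10800000 rw-  1024    0   1   0 CN-- vn /netscaler/nsppe
 4242         0x10800000         0x10900000 rw-   256    0   1   0 ---- df
EOF
}

# Constructed map of a suspect nsppe: the 0x10400000 region has become rwx.
sample_procstat_suspect() {
    cat <<'EOF'
  PID              START                END PRT  RES PRES REF SHD FLAG TP PATH
 4242           0x400000         0x10400000 r-x 16384    0   1   0 CN-- vn /netscaler/nsppe
 4242         0x10400000         0x10800000 rwx  1024    0   1   0 CN-- vn /netscaler/nsppe
 4242         0x10800000         0x10900000 rw-   256    0   1   0 ---- df
EOF
}

# Stand-alone run. On a real appliance replace the sample with:
#   procstat -v "$(pgrep -o -i nsppe)" | check_nsppe_mappings
echo "== clean sample =="
sample_procstat_clean | check_nsppe_mappings && echo "no rwx mappings"
echo "== suspect sample =="
sample_procstat_suspect | check_nsppe_mappings || echo "rwx mapping(s) found, investigate"
```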
Check for unusual administrator activity by looking for `pb_policy` entries in the `ns.log` file. Example:
```
[hostname] pb_policy: Changing pitboss policy from X to Y
[hostname] pb_policy: Changing pitboss policy from Y to X
```
X and Y are constant values for your system.
Check for potential PHP webshells
```
/var/netscaler/logon/LogonPoint/uiareas/[FILE].php
```
The content could be something like this:
# Launch the THOR APT Scanner
Follow the link: https://www.nextron-systems.com/2020/01/14/automated-citrix-netscaler-forensic-analysis-with-thor/
# References
- 2024-01-26, https://trustedsec.com/blog/netscaler-remote-code-execution-forensics
- 2024-01-26, https://www.mandiant.com/resources/blog/session-hijacking-citrix-cve-2023-4966
- 2024-01-26, https://support.citrix.com/article/CTX227560/citrix-adc-logs-collection-guide
- 2024-01-26, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a
- 2024-01-26, https://www.nextron-systems.com/2020/01/14/automated-citrix-netscaler-forensic-analysis-with-thor/
- 2024-01-26, https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF