| ID | Technique | Tactic |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access |
Detection: Citrix ADC and Gateway Unauthorized Data Disclosure
Description
The following analytic detects attempts to exploit the Citrix Bleed vulnerability (CVE-2023-4966), which can lead to the leaking of session tokens. It identifies HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on user agent details, HTTP method, source and destination IPs, and sourcetype, it aims to identify potentially malicious requests. This activity is significant for a SOC because successful exploitation can allow attackers to impersonate legitimate users, bypass authentication, and access sensitive data. If confirmed malicious, it could lead to unauthorized data access, network propagation, and critical information exfiltration.
Search
1
2| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/oauth/idp/.well-known/openid-configuration*") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
3| `drop_dm_object_name("Web")`
4| `security_content_ctime(firstTime)`
5| `security_content_ctime(lastTime)`
6| `citrix_adc_and_gateway_unauthorized_data_disclosure_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Suricata | N/A | 'suricata' |
'suricata' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| citrix_adc_and_gateway_unauthorized_data_disclosure_filter | search * |
citrix_adc_and_gateway_unauthorized_data_disclosure_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
KillChainPhase.DELIVERY
NistCategory.DE_CM
Cis18Value.CIS_13
APT28
APT29
APT39
APT41
APT5
Agrius
Axiom
BackdoorDiplomacy
BlackTech
Blue Mockingbird
Cinnamon Tempest
Dragonfly
Earth Lusca
Ember Bear
FIN13
FIN7
Fox Kitten
GALLIUM
GOLD SOUTHFIELD
HAFNIUM
INC Ransom
Ke3chang
Kimsuky
Magic Hound
Moses Staff
MuddyWater
Play
Rocke
Sandworm Team
Threat Group-3390
ToddyCat
Volatile Cedar
Volt Typhoon
Winter Vivern
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. We recommend hunting in the environment first to understand the scope of the issue and then deploying this detection to monitor for future exploitation attempts. Limit or restrict to Citrix devices only if possible.
Known False Positives
False positives may be present based on organization use of Citrix ADC and Gateway. Filter, or restrict the analytic to Citrix devices only.
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| Possible exploitation of Citrix Bleed vulnerability against $dest$ fron $src$. | 90 | 100 | 90 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
References
-
https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
-
https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | suricata |
suricata |
| Integration | ✅ Passing | Dataset | suricata |
suricata |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 3