Python script to search Citrix NetScaler logs for possible CVE-2023-4966 exploitation.

jmussmann/cve-2023-4966-iocs
Scan for CVE-2023-4966 IoCs

Script: check-cve-2023-4966.py

The script searches the Citrix NetScaler logs for possible CVE-2023-4966 exploitation.

Usage

usage: check-cve-2023-4966.py [-h] [--nologline] logdir_path

Python script to check CitrixNetScaler logs for possible CVE-2023-4966 exploitation

positional arguments:
  logdir_path  path to NetScaler log files (located on the NetScaler in the directory /mnt/temp/log/)

options:
  -h, --help   show this help message and exit
  --nologline  do not print the logline

Example

$ python check-cve-2023-4966.py NetScaler/log/mnt/temp/log/ --nologline
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
Logpath NetScaler/log/mnt/temp/log/ns.log.4.gz User: user1 Client_ip: XXX.XXX.XXX.XXX Source_ip YYY.YYY.YYY.YYY Session_id: 12345
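The output above prints one line per hit with the user, client IP, source IP and session ID. A common heuristic for spotting CVE-2023-4966 session hijacking in ns.log is a single NetScaler session ID that is observed from more than one client IP address. The block below is an added example of that check, not the repository's check-cve-2023-4966.py. The log-line layout it parses is a constructed, simplified approximation of SSLVPN LOGIN/HTTPREQUEST records (the regex assumes only that `SessionId:`, `User` and `Client_ip` tokens appear in that order); real ns.log rotations may carry more fields, so the regex is the part to adapt.

```python
"""Flag NetScaler sessions whose session id is seen from more than one client IP.

Added example (not the repository's own script). Assumption: log lines carry
"SessionId: <n> - User <name> - Client_ip <ip>" tokens; the sample lines below
are constructed to that simplified layout.
"""
import argparse
import gzip
import re
from collections import defaultdict
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumed field tokens, modelled on the columns the script prints.
LINE_RE = re.compile(
    r"SessionId:\s*(?P<sid>\d+)\s*-\s*User\s+(?P<user>\S+)\s*-\s*Client_ip\s+(?P<cip>[\d.]+)"
)


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (session_id, user, client_ip) or None if the line has no session fields."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("sid"), m.group("user"), m.group("cip")


def collect_sessions(lines: Iterable[str]) -> Dict[str, Set[Tuple[str, str]]]:
    """Map session id -> set of (user, client_ip) pairs observed for that session."""
    seen: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            sid, user, cip = parsed
            seen[sid].add((user, cip))
    return seen


def find_suspicious(lines: Iterable[str]) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Sessions used from more than one client IP, sorted by session id.

    A legitimate session normally stays bound to one client IP; a second IP
    reusing the same id is the session-reuse pattern worth triaging.
    """
    hits = []
    for sid, pairs in collect_sessions(lines).items():
        client_ips = {cip for _, cip in pairs}
        if len(client_ips) > 1:
            hits.append((sid, sorted(pairs)))
    return sorted(hits)


def read_log(path: Path) -> List[str]:
    """Read a plain or gzip-compressed rotation (ns.log, ns.log.1.gz, ...)."""
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return fh.read().splitlines()


def scan_logdir(logdir: Path) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Scan every ns.log* file in a directory copied off the appliance."""
    lines: List[str] = []
    for path in sorted(logdir.glob("ns.log*")):
        lines.extend(read_log(path))
    return find_suspicious(lines)


# Constructed sample lines (documentation IP ranges); session 12345 is reused
# from a second client IP, session 12346 is not.
SAMPLE_LINES = [
    'Oct 20 10:01:02 <local0.info> 10.0.0.5 ns 0-PPE-0 : default SSLVPN LOGIN 1001 0 : '
    'Context user1@198.51.100.10 - SessionId: 12345 - User user1 - Client_ip 198.51.100.10 '
    '- Nat_ip "Mapped Ip" - Vserver 10.0.0.5:443',
    'Oct 20 10:05:17 <local0.info> 10.0.0.5 ns 0-PPE-0 : default SSLVPN HTTPREQUEST 1002 0 : '
    'Context user1@203.0.113.7 - SessionId: 12345 - User user1 - Client_ip 203.0.113.7 '
    '- Vserver 10.0.0.5:443',
    'Oct 20 10:06:40 <local0.info> 10.0.0.5 ns 0-PPE-0 : default SSLVPN LOGIN 1003 0 : '
    'Context user2@192.0.2.44 - SessionId: 12346 - User user2 - Client_ip 192.0.2.44 '
    '- Nat_ip "Mapped Ip" - Vserver 10.0.0.5:443',
    'Oct 20 10:07:01 <local0.info> 10.0.0.5 ns 0-PPE-0 : default SSLVPN HTTPREQUEST 1004 0 : '
    'Context user2@192.0.2.44 - SessionId: 12346 - User user2 - Client_ip 192.0.2.44 '
    '- Vserver 10.0.0.5:443',
    'Oct 20 10:07:05 <local0.info> 10.0.0.5 ns 0-PPE-0 : default CLI CMD_EXECUTED : no session fields here',
]


def main() -> None:
    parser = argparse.ArgumentParser(description="Flag session ids seen from multiple client IPs")
    parser.add_argument("logdir_path", nargs="?", help="directory of ns.log* files; omit to run on sample data")
    args = parser.parse_args()
    hits = scan_logdir(Path(args.logdir_path)) if args.logdir_path else find_suspicious(SAMPLE_LINES)
    for sid, pairs in hits:
        print(f"Session_id: {sid} seen from: " + ", ".join(f"{u}@{ip}" for u, ip in pairs))


if __name__ == "__main__":
    main()
```

Run it with no argument to see the constructed sample flagged, or point it at a copy of the appliance's log directory. Because it groups on session ID rather than printing every matching line, a long-lived session that legitimately roams (VPN clients changing networks) will also appear; correlate hits with user-agent changes and login times before treating them as compromise.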

Citrix XenDesktop/XenApp Monitoring Database

Citrix XenDesktop and XenApp sessions are logged in the monitoring database. Using this database it is possible to find the sessions and worker machines that an attacker might have used after successfully exploiting the NetScaler.

The helper directory contains SQL queries to check the monitoring database.

machines.sql

Query to get the machine ID, name and IP address.

last-sessions.sql

Query to get sessions from a specific machine (MachineId).

session query

Query to get additional session information for a specific machine (MachineId) and user.
