[et_pb_section fb_built=”1″ _builder_version=”4.19.5″ _module_preset=”default” da_disable_devices=”off|off|off” global_colors_info=”{}” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on”][et_pb_row _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
In today’s interconnected world, cyber adversaries are increasingly targeting and exploiting Internet-facing appliances and devices with unconventional or restricted operating systems. A pressing concern for users is whether it’s possible to perform a compromise assessment scan on these systems using the YARA rules used in THOR.<\/p>\n
In light of recent events surrounding the unauthenticated remote code execution vulnerability of Internet-facing Citrix Netscaler (CVE-2023-3519), this blog post aims to explore methods for conducting remote scans on devices like Citrix Netscaler using THOR or the free THOR Lite YARA and IOC scanners. This approach can also extend to scanning other devices that may not be supported by real-time Antivirus engines or EDRs, such as ESX servers. Let’s delve into the details of this powerful method.<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”2_5″ _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
Therefore, our approach involves mounting the remote file system using SSH (SSHFS<\/a>) and subsequently instructing THOR to conduct the scan on the mounted remote filesystem. This method allows us to effectively assess the security of the remote system without the need for direct physical access.<\/span><\/p>\n [\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/07\/Screenshot-2023-07-20-at-12.40.48.png” title_text=”Screenshot 2023-07-20 at 12.40.48″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n To enable remote mounting of the NetScaler file system, it is imperative to modify the configuration of the SSH daemon. The default configuration lacks support for ssh mounts through the sftp-server. Consequently, adjustments are required to allow for this functionality. (please refer to the provided banner and error message below for more details)<\/span> [\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/07\/Screenshot-2023-07-25-at-20.42.01.png” title_text=”Screenshot 2023-07-25 at 20.42.01″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n 1. We change the following line in the file To:<\/p>\n 2. Restart the SSH service to apply the changes<\/p>\n Optional: To persist the changes we copy [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n First we create a new folder and mount the remote file system to that local folder:<\/p>\n The [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n With THOR Lite we can now run a so-called “Filescan” on the mounted drive.<\/p>\n The following scan is much more intense as it scans every single file regardless of its extension or type. Scanning every file usually leads to much longer scan times and higher network load (be careful when using the [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.19.5″ _module_preset=”default” custom_padding=”33px|||||” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n With a full featured THOR and a so-called Lab license we can use the –virtual-map flag<\/a> to virtually map the folder Using the full version, we would use a different flag combination for a more intense scan of the remote system. The full version with a lab license allows us to use the The [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n The provided screenshot demonstrates an illustrative match of a web shell discovered on systems impacted by CVE-2023-3519 exploitation. Some of this attack’s specific rules and indicators of compromise (IOCs) are available in THOR but not in the free THOR Lite version. However, it’s worth noting that the free THOR Lite version includes many generic rules that successfully detected all of the known dropped web shells. (including the one shown below)<\/span><\/p>\n [\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/07\/Screenshot-2023-07-18-at-20.52.46.png” title_text=”Screenshot 2023-07-18 at 20.52.46″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”]<\/p>\nPrerequisites<\/h1>\n
\n
Ensure that you can reach port 22\/tcp on the target system. This is essential for establishing an SSH connection, which is necessary for the remote file system mounting process.<\/li>\n
You’ll need a source system that supports sshfs. If you’re using Debian, you can install sshfs by running the following command: sudo apt install sshfs<\/code>.<\/li>\n
Obtain either THOR Lite<\/a> or the full THOR version with a valid lab license<\/a>. This license is necessary to use the scanning capabilities of THOR effectively.<\/li>\n
It is crucial to modify the \/etc\/ssh\/sshd_config<\/code> file on the NetScaler appliance to allow for SSH mounting. Ensure that the necessary changes are made to facilitate the process. (see configuration details below)<\/li>\n<\/ul>\nSSHD Config Changes<\/h3>\n
<\/a><\/p>\n\/etc\/ssh\/sshd_config<\/code>:
From:<\/p>\nSubsystem sftp \/usr\/lib\/openssh\/sftp-server\n<\/pre>\n
Subsystem sftp internal-sftp<\/pre>\n
kill -HUP `cat \/var\/run\/sshd.pid`<\/pre>\n
\/etc\/ssh\/sshd_config<\/code> to \/nsconfig\/sshd_config<\/code><\/p>\ncp \/etc\/ssh\/sshd_config \/nsconfig\/sshd_config<\/pre>\n
Mounting the Remote File System via SSH<\/h2>\n
sudo mkdir -p \/mnt\/ns
sudo sshfs -o reconnect,allow_other root@ns.company:\/ \/mnt\/ns<\/pre>\n-o reconnect<\/code> option makes sure to reconnect the session on unstable networks.<\/p>\nScanning the Mount Point with THOR Lite<\/h2>\n
sudo .\/thor-lite-linux-64 -a FileScan --alldrives -p \/mnt\/ns<\/pre>\n
--intense<\/code> flag).<\/p>\nsudo .\/thor-lite-linux-64 -a FileScan --alldrives -p \/mnt\/ns --intense<\/pre>\n
Scanning the Mount Point with THOR<\/h2>\n
\/mnt\/ns<\/code> to \/<\/code> internally. This means that signatures and filename patterns that make use of the virtual and not the actual path. We can also define a hostname that will appear in the log file using the -j<\/code> flag. Otherwise the log would always contain the hostname of the scanning workstation.<\/p>\nsudo .\/thor-linux-64 -a FileScan --alldrives -p \/mnt\/ns<\/pre>\n
--lab<\/code> flag.<\/p>\nsudo .\/thor-linux-64 --lab -p \/mnt\/ns --virtual-map \/mnt\/ns:\/ -j my-ns-hostname<\/pre>\n
--lab<\/code> flag automatically activates the intense scan mode that checks every file, multi-threaded scanning, deactivates resource control and some other flags<\/a> that can be useful in a lab scanning scenario.<\/p>\nExample Match<\/h1>\n
Specific Detection Rules<\/h1>\n
File name IOCs<\/h3>\n
\n
YARA<\/h3>\n
\n
Other Notes<\/h1>\n
\n
Conclusion<\/h1>\n
![<\/a><\/p>\n[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/07\/Screenshot-2023-07-25-at-20.42.01.png” title_text=”Screenshot 2023-07-25 at 20.42.01″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n1. We change the following line in the file \/etc\/ssh\/sshd_config<\/code>: From:<\/p>\nSubsystem sftp \/usr\/lib\/openssh\/sftp-server\n<\/pre>\nTo:<\/p>\nSubsystem sftp internal-sftp<\/pre>\n2. Restart the SSH service to apply the changes<\/p>\nkill -HUP `cat \/var\/run\/sshd.pid`<\/pre>\nOptional: To persist the changes we copy \/etc\/ssh\/sshd_config<\/code> to \/nsconfig\/sshd_config<\/code><\/p>\ncp \/etc\/ssh\/sshd_config \/nsconfig\/sshd_config<\/pre>\n[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”]<\/p>\nMounting the Remote File System via SSH<\/h2>\nFirst we create a new folder and mount the remote file system to that local folder:<\/p>\nsudo mkdir -p \/mnt\/nssudo sshfs -o reconnect,allow_other root@ns.company:\/ \/mnt\/ns<\/pre>\nThe -o reconnect<\/code> option makes sure to reconnect the session on unstable networks.<\/p>\n[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”]<\/p>\nScanning the Mount Point with THOR Lite<\/h2>\nWith THOR Lite we can now run a so-called “Filescan” on the mounted drive.<\/p>\nsudo .\/thor-lite-linux-64 -a FileScan --alldrives -p \/mnt\/ns<\/pre>\nThe following scan is much more intense as it scans every single file regardless of its extension or type. Scanning every file usually leads to much longer scan times and higher network load (be careful when using the --intense<\/code> flag).<\/p>\nsudo .\/thor-lite-linux-64 -a FileScan --alldrives -p \/mnt\/ns --intense<\/pre>\n[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.19.5″ _module_preset=”default” custom_padding=”33px|||||” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”]<\/p>\nScanning the Mount Point with THOR<\/h2>\nWith a full featured THOR and a so-called Lab license we can use the –virtual-map flag<\/a> to virtually map the folder \/mnt\/ns<\/code> to \/<\/code> internally. This means that signatures and filename patterns that make use of the virtual and not the actual path. We can also define a hostname that will appear in the log file using the -j<\/code> flag. Otherwise the log would always contain the hostname of the scanning workstation.<\/p>\nsudo .\/thor-linux-64 -a FileScan --alldrives -p \/mnt\/ns<\/pre>\nUsing the full version, we would use a different flag combination for a more intense scan of the remote system. The full version with a lab license allows us to use the --lab<\/code> flag.<\/p>\nsudo .\/thor-linux-64 --lab -p \/mnt\/ns --virtual-map \/mnt\/ns:\/ -j my-ns-hostname<\/pre>\nThe --lab<\/code> flag automatically activates the intense scan mode that checks every file, multi-threaded scanning, deactivates resource control and some other flags<\/a> that can be useful in a lab scanning scenario.<\/p>\n[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”]<\/p>\nExample Match<\/h1>\nThe provided screenshot demonstrates an illustrative match of a web shell discovered on systems impacted by CVE-2023-3519 exploitation. Some of this attack’s specific rules and indicators of compromise (IOCs) are available in THOR but not in the free THOR Lite version. However, it’s worth noting that the free THOR Lite version includes many generic rules that successfully detected all of the known dropped web shells. (including the one shown below)<\/span><\/p>\n[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/07\/Screenshot-2023-07-18-at-20.52.46.png” title_text=”Screenshot 2023-07-18 at 20.52.46″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”]<\/p>\nSpecific Detection Rules<\/h1>\nFile name IOCs<\/h3>\n\n\nFile Names used in Citrix NetScaler ADC exploitation CVE-2023-3519<\/a><\/li>\n<\/ul>\nYARA<\/h3>\n\nEXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23<\/a><\/li>\nEXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23_2<\/a><\/li>\nEXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23_3<\/a><\/li>\nWEBSHELL_PHP_Citrix_Netscaler_ADC_Jul23<\/a> (only in full version)<\/li>\nWEBSHELL_SECRETSAUCE_Jul23_1<\/a><\/li>\nWEBSHELL_PHP_OBFUSC_3<\/a><\/li>\nWEBSHELL_PHP_By_String_Known_Webshell<\/a><\/li>\n<\/ul>\n<\/div>\n[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”]<\/p>\nOther Notes<\/h1>\n\nTest scans on our customer’s NetScaler systems took between 30 and 60 minutes<\/li>\nA network disconnect only pauses the scan, a forced “umount” crashes the scanner.<\/li>\nWe tested network disconnects of 1 and 5 minutes. After a reconnect THOR just resumes the scan where it left off.\u00a0<\/li>\n<\/ul>\n[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”]<\/p>\nConclusion<\/h1>\nAs the frequency and complexity of cyberattacks continue to rise, ensuring the security of Internet-facing devices becomes paramount. By incorporating YARA rules from THOR into compromise assessment scans, users can bolster their cybersecurity defense and remotely identify potential threats on devices like Citrix Netscaler and others. <\/span><\/p>\nAdditionally, the ability to extend this coverage to unsupported devices opens up new possibilities for safeguarding critical systems. Adopting these cutting-edge cybersecurity practices will undoubtedly prove instrumental in mitigating risks and protecting digital assets in an ever-evolving threat landscape.<\/span><\/p>\n[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.19.5″ _module_preset=”default” global_colors_info=”{}”]<\/p>\nAdvantages of the full THOR version<\/h1>\nApart from the usual advantages<\/a> of the full THOR version over THOR Lite, there are a few more reasons to use the full version in this scenario:<\/p>\n\nUse multiple instances on a single source system to scan many different remote systems at the same time<\/li>\nUse virtual drive mapping to allow for additional detection opportunities<\/li>\nSet a custom host name that appears in the log files (helpful when you scan many different targets)<\/li>\n<\/ul>\nIf you’re interested in the full version, contact us using the “Get Started” button in the upper right corner.\u00a0<\/p>\n[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"In today’s interconnected world, cyber adversaries are increasingly targeting and exploiting Internet-facing appliances and devices with unconventional or restricted operating systems. A pressing concern for users is whether it’s possible to perform a compromise assessment scan on these systems using the YARA rules used in THOR. In light of recent events surrounding the unauthenticated remote code execution vulnerability of Internet-facing Citrix Netscaler (CVE-2023-3519), this blog post aims to explore methods for conducting remote scans on devices like Citrix Netscaler using THOR or the free THOR Lite YARA and IOC scanners. This approach can also extend to scanning other devices that may not be supported by real-time Antivirus engines or EDRs, such as ESX servers. Let’s delve into the details of this powerful method.Therefore, our approach involves mounting the remote file system using SSH (SSHFS) and subsequently instructing THOR to conduct the scan on the mounted remote filesystem. This method allows us to effectively assess the security of the remote system without the need for direct physical access.Prerequisites Access to Port 22\/tcpEnsure that you can reach port 22\/tcp on the target system. This is essential for establishing an SSH connection, which is necessary for the remote file system mounting process. Source […]<\/p>\n","protected":false},"author":10,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[749,1,32,269],"tags":[88,382,239,69,719,118,241,172,117,7,12,48],"class_list":["post-17128","post","type-post","status-publish","format-standard","hentry","category-homepage","category-nextron","category-thor","category-tutorial","tag-antivirus","tag-check","tag-citrix","tag-compromise-assessment","tag-cve-2023-3519","tag-iocs","tag-netscaler","tag-remote","tag-scan","tag-scanner","tag-threat","tag-yara"],"yoast_head":"\nHow to Perform Compromise Assessments on NetScaler \/ Citrix ADC Appliances Using THOR - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2023\/07\/20\/how-to-perform-compromise-assessments-on-netscaler-citrix-adc-appliances-using-thor\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/07\/20\/how-to-perform-compromise-assessments-on-netscaler-citrix-adc-appliances-using-thor\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/07\/20\/how-to-perform-compromise-assessments-on-netscaler-citrix-adc-appliances-using-thor\/\"},\"author\":{\"name\":\"Christian Burkard\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/2f316d4e46f0e9b705e63b8a4b1303ea\"},\"headline\":\"How to Perform Compromise Assessments on NetScaler \/ Citrix ADC Appliances Using THOR\",\"datePublished\":\"2023-07-20T08:28:23+00:00\",\"dateModified\":\"2024-11-23T12:52:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/07\/20\/how-to-perform-compromise-assessments-on-netscaler-citrix-adc-appliances-using-thor\/\"},\"wordCount\":1656,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"keywords\":[\"antivirus\",\"check\",\"Citrix\",\"compromise assessment\",\"CVE-2023-3519\",\"IOCs\",\"Netscaler\",\"remote\",\"scan\",\"scanner\",\"threat\",\"YARA\"],\"articleSection\":[\"Homepage\",\"Nextron\",\"THOR\",\"Tutorial\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/07\/20\/how-to-perform-compromise-assessments-on-netscaler-citrix-adc-appliances-using-thor\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2023\/07\/20\/how-to-perform-compromise-assessments-on-netscaler-citrix-adc-appliances-using-thor\/\",\"name\":\"How to Perform Compromise Assessments on NetScaler \/ Citrix ADC Appliances Using THOR - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2023-07-20T08:28:23+00:00\",\"dateModified\":\"2024-11-23T12:52:34+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2023\/07\/20\/how-to-perform-compromise-assessments-on-netscaler-citrix-adc-appliances-using-thor\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/2f316d4e46f0e9b705e63b8a4b1303ea\",\"name\":\"Christian Burkard\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/2fd90eec7befb8360376a2489ea979b7?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/2fd90eec7befb8360376a2489ea979b7?s=96&d=mm&r=g\",\"caption\":\"Christian Burkard\"},\"url\":\"https:\/\/www.nextron-systems.com\/author\/christian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to Perform Compromise Assessments on NetScaler \/ Citrix ADC Appliances Using THOR - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2023\/07\/20\/how-to-perform-compromise-assessments-on-netscaler-citrix-adc-appliances-using-thor\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2023\/07\/20\/how-to-perform-compromise-assessments-on-netscaler-citrix-adc-appliances-using-thor\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2023\/07\/20\/how-to-perform-compromise-assessments-on-netscaler-citrix-adc-appliances-using-thor\/"},"author":{"name":"Christian Burkard","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/2f316d4e46f0e9b705e63b8a4b1303ea"},"headline":"How to Perform Compromise Assessments on NetScaler \/ Citrix ADC Appliances Using THOR","datePublished":"2023-07-20T08:28:23+00:00","dateModified":"2024-11-23T12:52:34+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2023\/07\/20\/how-to-perform-compromise-assessments-on-netscaler-citrix-adc-appliances-using-thor\/"},"wordCount":1656,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"keywords":["antivirus","check","Citrix","compromise assessment","CVE-2023-3519","IOCs","Netscaler","remote","scan","scanner","threat","YARA"],"articleSection":["Homepage","Nextron","THOR","Tutorial"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2023\/07\/20\/how-to-perform-compromise-assessments-on-netscaler-citrix-adc-appliances-using-thor\/","url":"https:\/\/www.nextron-systems.com\/2023\/07\/20\/how-to-perform-compromise-assessments-on-netscaler-citrix-adc-appliances-using-thor\/","name":"How to Perform Compromise Assessments on NetScaler \/ Citrix ADC Appliances Using THOR - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"datePublished":"2023-07-20T08:28:23+00:00","dateModified":"2024-11-23T12:52:34+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2023\/07\/20\/how-to-perform-compromise-assessments-on-netscaler-citrix-adc-appliances-using-thor\/"]}]},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/2f316d4e46f0e9b705e63b8a4b1303ea","name":"Christian Burkard","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/2fd90eec7befb8360376a2489ea979b7?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2fd90eec7befb8360376a2489ea979b7?s=96&d=mm&r=g","caption":"Christian Burkard"},"url":"https:\/\/www.nextron-systems.com\/author\/christian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/17128","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=17128"}],"version-history":[{"count":40,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/17128\/revisions"}],"predecessor-version":[{"id":17205,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/17128\/revisions\/17205"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=17128"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=17128"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=17128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}](\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/07\/Screenshot-2023-07-25-at-20.42.01.png\"){kind=link}