{"id":6035,"date":"2020-01-14T11:13:01","date_gmt":"2020-01-14T10:13:01","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=5252"},"modified":"2024-04-15T11:41:08","modified_gmt":"2024-04-15T09:41:08","slug":"automated-citrix-netscaler-forensic-analysis-with-thor","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2020\/01\/14\/automated-citrix-netscaler-forensic-analysis-with-thor\/","title":{"rendered":"Automated Citrix Netscaler Forensic Analysis with THOR"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.16″ custom_margin=”-1px|||||” da_disable_devices=”off|off|off” global_colors_info=”{}” theme_builder_area=”post_content” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on”][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.24.3″ hover_enabled=”0″ global_colors_info=”{}” theme_builder_area=”post_content” sticky_enabled=”0″]<\/p>\n

Update 14.02.2023
\nThe information in this blog post is outdated. For more information on how to scan appliances remotely using SSH see this newer blog post<\/a>.<\/p><\/blockquote>\n

In this blog post I’d like to outline an idea on how to perform an automated compromise assessment on Citrix Netscaler \/ Citrix ADC appliances.[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”1_3,1_3,1_3″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”1_3″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

I you haven’t heard about that vulnerability yet, you should read my tweets over the past weekend or try to get a full picture with the help of this Reddit<\/a>.\u00a0<\/p>\n

This blog post is about a subsequent forensic analysis, not detection, not protection and contains no marketing blah-blah.<\/p>\n

The described solution should work with the free \/ open scanners as well. They just don’t have that huge signature set as it is included in THOR.\u00a0\u00a0<\/p>\n

 <\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”1_3″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/01\/Screenshot-2020-01-14-at-10.30.57.png” _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][\/et_pb_image][\/et_pb_column][et_pb_column type=”1_3″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/01\/Screenshot-2020-01-14-at-10.31.08.png” _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

The reason for this is that although you’ve implemented the workaround on Monday 13th of January, you can’t trust your gateway anymore.<\/p>\n

The vulnerability is known since December 17th and the public exploit code available since Friday the 10th of January. Nation state actors have most likely used Christmas holiday season to analyze Netscaler systems in their lab and produce an exploit, just like many offensive researchers did. Since Friday the 10th, even script kiddies can exploit this vulnerbility.<\/p>\n

Strictly speaking, you can’t trust these gateways anymore.\u00a0<\/p>\n

But how can we regain trust?\u00a0<\/p>\n

A. Wait for a patched version and reinstall the gateways from scratch<\/p>\n

B. Perform a manual forensic analysis\u00a0<\/p>\n

C. Perform an automated forensic analysis\u00a0<\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

Automated Analysis with THOR<\/h1>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

We don’t have or plan to release a THOR version for FreeBSD 8.4, but we could try to mount the remote filesystem of the Citrix Netscaler \/ ADC gateway with SSHFS.\u00a0<\/p>\n

DigitalOcean has a good tutorial<\/a> on how to enable it on your workstation.\u00a0\u00a0<\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.18.0″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

\nmkdir ~\/netscaler-mount\nsudo sshfs -o allow_other,defer_permissions nsroot@citrix-gateway.nextron:\/netscaler ~\/netscaler-mount\/\n<\/pre>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/01\/Screenshot-2020-01-14-at-10.50.15.png” _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
We can then use the full version of THOR to scan that drive in lab scan mode.<\/p>\n
[\/et_pb_text][et_pb_text _builder_version=”4.18.0″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
.\/thor64 --lab -p ~\/netscaler-mount<\/pre>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
The free version doesn’t have that lab scanning feature, but we can use a set of commands that achieves something very similar. (this<\/a> blog post explains the differences in more detail)<\/p>\n
[\/et_pb_text][et_pb_text _builder_version=”4.18.0″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
.\/thor-linux-64 -a Filescan --intense --norescontrol --cross-platform --alldrives -p ~\/netscaler-mountan<\/pre>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
With this method we can detect dropped malicious templates.\u00a0<\/p>\n
[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/01\/Screenshot-2020-01-14-at-10.16.52.png” _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
You can use the public YARA rule<\/a>, which I’ve published in LOKI’s and THOR Lite’s signature base.<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
Important note: this only works for templates that have been dropped since the last reboot. Users reported that dropped malicious templates get removed during a reboot. As the workaround described by Citrix<\/a> requires a reboot, scanning with this single YARA rule alone won’t be a reliable method.<\/p>\n
I recommend scanning with the full signatures set in all scanners, as they also include rules for web shells and other suspicious content in files. I’ll also extend the YARA rules on github and add further indicators.\u00a0<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
Additional Indicators<\/h1>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
We can use the following YARA rule to check for suspicious strings in log files. But we don’t want to use that rule on any Linux\/FreeBSD system. Therefore I won’t integrate that YARA rule in the public signature base. You can just copy it from this blog post and place it in the ‘custom-signatures\/yara’ sub folder (‘\/signatures’ for LOKI).\u00a0<\/p>\n
This rule<\/a> for the forensic artefacts is based on remarks made in this article<\/a> by TrustedSec and shared as gist.\u00a0<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
First, we mount the ‘\/var\/log’ directory from our remote Netscaler system.\u00a0<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.18.0″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
\nmkdir ~\/netscaler-logs\nsudo sshfs -o allow_other,defer_permissions nsroot@citrix-gateway.nextron:\/var\/log ~\/netscaler-logs\/\n<\/pre>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”]We then start a scan on the mounted log directory.[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/01\/Screenshot-2020-01-14-at-11.43.26.png” _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
As you can see, the scanner noticed a an issued ‘whoami’ command in the ‘bash.log’ and ‘notice.log’ files, which is a good starting point for further investigations.\u00a0<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
Final Thoughts<\/h1>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.16″ global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
I think we’ll develop more rules for post-exploitation payloads over the coming days. Stay tuned and follow my twitter account<\/a> for updates.<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
Update 14.02.2023 The information in this blog post is outdated. For more information on how to scan appliances remotely using SSH see this newer blog post. In this blog post I’d like to outline an idea on how to perform an automated compromise assessment on Citrix Netscaler \/ Citrix ADC appliances.I you haven’t heard about that vulnerability yet, you should read my tweets over the past weekend or try to get a full picture with the help of this Reddit.\u00a0 This blog post is about a subsequent forensic analysis, not detection, not protection and contains no marketing blah-blah. The described solution should work with the free \/ open scanners as well. They just don’t have that huge signature set as it is included in THOR.\u00a0\u00a0  The reason for this is that although you’ve implemented the workaround on Monday 13th of January, you can’t trust your gateway anymore. The vulnerability is known since December 17th and the public exploit code available since Friday the 10th of January. Nation state actors have most likely used Christmas holiday season to analyze Netscaler systems in their lab and produce an exploit, just like many offensive researchers did. Since Friday the 10th, even script kiddies […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[46,32],"tags":[90,239,240,233,118,241,117,7,242],"class_list":["post-6035","post","type-post","status-publish","format-standard","hentry","category-newsletter","category-thor","tag-analysis","tag-citrix","tag-cve-2019-19781","tag-forensic","tag-iocs","tag-netscaler","tag-scan","tag-scanner","tag-shitrix"],"yoast_head":"\nAutomated Citrix Netscaler Forensic Analysis with THOR - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2020\/01\/14\/automated-citrix-netscaler-forensic-analysis-with-thor\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/01\/14\/automated-citrix-netscaler-forensic-analysis-with-thor\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/01\/14\/automated-citrix-netscaler-forensic-analysis-with-thor\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"Automated Citrix Netscaler Forensic Analysis with THOR\",\"datePublished\":\"2020-01-14T10:13:01+00:00\",\"dateModified\":\"2024-04-15T09:41:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/01\/14\/automated-citrix-netscaler-forensic-analysis-with-thor\/\"},\"wordCount\":1899,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"keywords\":[\"analysis\",\"Citrix\",\"CVE-2019-19781\",\"Forensic\",\"IOCs\",\"Netscaler\",\"scan\",\"scanner\",\"Shitrix\"],\"articleSection\":[\"Newsletter\",\"THOR\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/01\/14\/automated-citrix-netscaler-forensic-analysis-with-thor\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2020\/01\/14\/automated-citrix-netscaler-forensic-analysis-with-thor\/\",\"name\":\"Automated Citrix Netscaler Forensic Analysis with THOR - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2020-01-14T10:13:01+00:00\",\"dateModified\":\"2024-04-15T09:41:08+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2020\/01\/14\/automated-citrix-netscaler-forensic-analysis-with-thor\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Automated Citrix Netscaler Forensic Analysis with THOR - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2020\/01\/14\/automated-citrix-netscaler-forensic-analysis-with-thor\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2020\/01\/14\/automated-citrix-netscaler-forensic-analysis-with-thor\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2020\/01\/14\/automated-citrix-netscaler-forensic-analysis-with-thor\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"Automated Citrix Netscaler Forensic Analysis with THOR","datePublished":"2020-01-14T10:13:01+00:00","dateModified":"2024-04-15T09:41:08+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2020\/01\/14\/automated-citrix-netscaler-forensic-analysis-with-thor\/"},"wordCount":1899,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"keywords":["analysis","Citrix","CVE-2019-19781","Forensic","IOCs","Netscaler","scan","scanner","Shitrix"],"articleSection":["Newsletter","THOR"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2020\/01\/14\/automated-citrix-netscaler-forensic-analysis-with-thor\/","url":"https:\/\/www.nextron-systems.com\/2020\/01\/14\/automated-citrix-netscaler-forensic-analysis-with-thor\/","name":"Automated Citrix Netscaler Forensic Analysis with THOR - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"datePublished":"2020-01-14T10:13:01+00:00","dateModified":"2024-04-15T09:41:08+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2020\/01\/14\/automated-citrix-netscaler-forensic-analysis-with-thor\/"]}]},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/6035","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=6035"}],"version-history":[{"count":7,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/6035\/revisions"}],"predecessor-version":[{"id":22057,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/6035\/revisions\/22057"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=6035"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=6035"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=6035"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}