WEBSHELL_SECRETSAUCE_Jul23_1

Rule Info

Name
WEBSHELL_SECRETSAUCE_Jul23_1
Author
Florian Roth
Description
Detects SECRETSAUCE PHP webshells (found after an exploitation of Citrix NetScaler ADC CVE-2023-3519)
Score
85
Reference
https://www.mandiant.com/resources/blog/citrix-zero-day-espionage
Date
2023-07-24
Minimum Yara
1.7
Rule Hash
9ae8445b8f964be8f574a93032aa5a46
Tags
['T1505_003', 'CVE_2023_3519', 'DEMO', 'WEBSHELL']
Required Modules
[]
Virustotal Matches
https://www.virustotal.com/gui/search/webshell_secretsauce_jul23_1/comments
Community Rule
https://github.com/Neo23x0/signature-base/search?q=WEBSHELL_SECRETSAUCE_Jul23_1

Antivirus Verdicts

Rating
Number of Samples
Malicious (>= 10 engines)
0
Suspicious (< 10 engines)
3
Clean (0 engines)
0

Rule Matches

Timestamp
Positives
Total
Hash
VT
2023-08-02 01:31:14
3
58
01c897d63f5a8b9bb9efab7a3567c6a832f36dd7c2dbba433ec29a6f9b9bffd3
2023-07-25 00:18:53
1
59
20e68a276badbd6a38aa6d6e57d28c3e4c133256ef320b83848253f80ae7a1ee
2023-07-24 22:44:05
2
58
293fe23849cffb460e8d28691c640a5292fd4649b0f94a019b45cc586be83fd9

Rule Matches per Month (last 24 months)

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022