Citrix ADC Exploitation CVE-2023-3519

Status: production
Group by: Web.src, Web.status, Web.url_length, c-uri, c-useragent, cs-host, cs-method
Author: Michael Haag, Splunk
Source: github.com/splunk/security_content

The following analytic identifies potential exploitation attempts against Citrix ADC related to CVE-2023-3519. It detects POST requests to specific web endpoints associated with this vulnerability by leveraging the Web datamodel. This activity is significant as CVE-2023-3519 involves a SAML processing overflow issue that can lead to memory corruption, posing a high risk. If confirmed malicious, attackers could exploit this to execute arbitrary code, escalate privileges, or disrupt services, making it crucial for SOC analysts to monitor and investigate these alerts promptly.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1190` Exploit Public-Facing Application

Rule body splunk

name: Citrix ADC Exploitation CVE-2023-3519
id: 76ac2dcb-333c-4a77-8ae9-2720cfae47a8
version: 9
creation_date: '2023-07-21'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: Hunting
description: |
    The following analytic identifies potential exploitation attempts against Citrix ADC related to CVE-2023-3519. It detects POST requests to specific web endpoints associated with this vulnerability by leveraging the Web datamodel.
    This activity is significant as CVE-2023-3519 involves a SAML processing overflow issue that can lead to memory corruption, posing a high risk.
    If confirmed malicious, attackers could exploit this to execute arbitrary code, escalate privileges, or disrupt services, making it crucial for SOC analysts to monitor and investigate these alerts promptly.
data_source:
    - Palo Alto Network Threat
search: |-
    | tstats `security_content_summariesonly`
             count min(_time) as firstTime
                   max(_time) as lastTime
    FROM datamodel=Web WHERE
    
    Web.http_method=POST
    Web.url IN (
        "*/cgi/logout",
        "*/saml/activelogin",
        "*/saml/login",
        "/cgi/samlart?samlart=*",
        "/cgi/samlauth",
        "/gwtest/formssso?event=start&target=*",
        "/netscaler/ns_gui/vpn/*"
    )
    BY Web.http_user_agent, Web.status
       Web.http_method Web.url Web.url_length
       Web.src Web.dest
    | `drop_dm_object_name("Web")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `citrix_adc_exploitation_cve_2023_3519_filter`
how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
known_false_positives: False positives may be present based on organization use of SAML utilities. Filter, or restrict the analytic to Citrix devices only.
references:
    - https://blog.assetnote.io/2023/07/21/citrix-CVE-2023-3519-analysis/
    - https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
    - https://securityintelligence.com/x-force/x-force-uncovers-global-netscaler-gateway-credential-harvesting-campaign/
    - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
analytic_story:
    - Citrix Netscaler ADC CVE-2023-3519
    - CISA AA24-241A
asset_type: Network
cve:
    - CVE-2023-3519
mitre_attack_id:
    - T1190
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: web
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve20233519.log
          source: not_applicable
          sourcetype: pan:threat
      test_type: unit

Stages and Predicates

Stage 1: `tstats`

| tstats `security_content_summariesonly`
         count min(_time) as firstTime
               max(_time) as lastTime
FROM datamodel=Web WHERE

Web.http_method=POST
Web.url IN (
    "*/cgi/logout",
    "*/saml/activelogin",
    "*/saml/login",
    "/cgi/samlart?samlart=*",
    "/cgi/samlauth",
    "/gwtest/formssso?event=start&target=*",
    "/netscaler/ns_gui/vpn/*"
)
BY Web.http_user_agent, Web.status
   Web.http_method Web.url Web.url_length
   Web.src Web.dest

Stage 2: `search`

| `drop_dm_object_name("Web")`

Stage 3: `search`

| `security_content_ctime(firstTime)`

Stage 4: `search`

| `security_content_ctime(lastTime)`

Stage 5: `search`

| `citrix_adc_exploitation_cve_2023_3519_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Web.http_method`	eq	`POST`
`Web.url`	in	`"/cgi/logout"` `"/saml/activelogin"` `"/saml/login"` `"/cgi/samlart?samlart="` `"/cgi/samlauth"` `"/gwtest/formssso?event=start&target="` `"/netscaler/ns_gui/vpn/"`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Citrix ADC Exploitation CVE-2023-3519

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: `tstats`

Stage 2: `search`

Stage 3: `search`

Stage 4: `search`

Stage 5: `search`

Indicators

Keyboard shortcuts

Search operators

Citrix ADC Exploitation CVE-2023-3519

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: tstats

Stage 2: search

Stage 3: search

Stage 4: search

Stage 5: search

Indicators

Stage 1: `tstats`

Stage 2: `search`

Stage 3: `search`

Stage 4: `search`

Stage 5: `search`