A Jupyter notebook to aid in automating some of the forensic analysis of Citrix NetScaler hosts compromised via CVE-2019-19781.
For help retrieving the artifacts to examine, see this Citrix triage script.
All notes and suggestions are welcome. Feel free to submit pull requests or issues.
Disclaimer: not intended to be a be-all, end-all solution, just something to help you get started.
- Currently handles the following logs and payload XMLs, if available:
  - HTTPAccess
  - HTTPError
  - Cron
  - Bash
  - Notice
  - Sh
- Decompression of logs
- Parsing of logs into pandas dataframes for further analysis if desired
- Searching of logs for common IOCs associated with compromise
- Parsing and decoding of XML payload files if available
- Output of analysis to an Excel results sheet for review
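The decompression, latin1 decoding, date-range and IOC-search steps listed above, as an added stand-alone example that is not code from the notebook itself. It runs on constructed httpaccess.log-style lines (Apache common log format) and returns plain dicts instead of a pandas dataframe so it needs no third-party packages; `SEARCH_FOR` and `PLACEHOLDER_PATH` are stand-ins for the notebook's searchFor config and for real indicators from the writeups referenced below.

```python
import gzip
import re
from datetime import datetime

# Constructed sample in httpaccess.log format. Line 2 carries a path-traversal
# marker, line 3 a latin1 byte (0xe9) that a utf-8 decode would reject, and
# line 4 is deliberately malformed to show how unparseable lines are reported.
SAMPLE_LINES = (
    b'10.0.0.5 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/index.html HTTP/1.1" 200 4521\n'
    b'10.0.0.9 - - [11/Jan/2020:03:15:22 +0000] "GET /vpn/../PLACEHOLDER_PATH HTTP/1.1" 403 210\n'
    b'10.0.0.7 - - [12/Jan/2020:18:02:41 +0000] "GET /vpn/caf\xe9.html HTTP/1.1" 404 300\n'
    b'this line is not in common log format\n'
)

# Simulate a rotated log (httpaccess.log.N.gz) so the gunzip branch is exercised.
SAMPLE_GZ = gzip.compress(SAMPLE_LINES)

# Hypothetical stand-in for the notebook's searchFor config; replace with the
# indicators from the referenced writeups.
SEARCH_FOR = ["../", "PLACEHOLDER_PATH"]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def decompress_if_needed(data: bytes) -> bytes:
    """Return raw log bytes, transparently gunzipping rotated .gz logs (magic 1f 8b)."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data)
    return data


def parse_httpaccess(data: bytes):
    """Parse httpaccess lines into dict rows; unparseable lines come back separately.

    latin1 maps every byte to a code point, so a stray non-utf-8 byte never
    aborts the whole file the way a utf-8 decode would.
    """
    text = decompress_if_needed(data).decode("latin1")
    rows, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            errors.append((lineno, line))
            continue
        row = m.groupdict()
        row["timestamp"] = datetime.strptime(row.pop("ts"), TS_FMT)
        row["status"] = int(row["status"])
        rows.append(row)
    return rows, errors


def date_range(rows):
    """Earliest and latest timestamp covered by a parsed log ((None, None) if empty)."""
    if not rows:
        return None, None
    stamps = [r["timestamp"] for r in rows]
    return min(stamps), max(stamps)


def search_rows(rows, terms):
    """Rows in which any field contains one of the search terms (case-insensitive)."""
    hits = []
    for r in rows:
        haystack = " ".join(str(v) for v in r.values()).lower()
        if any(t.lower() in haystack for t in terms):
            hits.append(r)
    return hits


if __name__ == "__main__":
    rows, errors = parse_httpaccess(SAMPLE_GZ)
    first, last = date_range(rows)
    print(f"parsed {len(rows)} rows, {len(errors)} unparsed; covers {first} .. {last}")
    for hit in search_rows(rows, SEARCH_FOR):
        print("suspicious:", hit["ip"], hit["request"])
    for lineno, line in errors:
        print(f"unparsed line {lineno}: {line!r}")
```

The rows are plain dicts so that `pandas.DataFrame(rows)` turns them into the dataframe the notebook works with when pandas is installed; keeping the unparsed lines as a separate list mirrors the notebook's habit of surfacing exceptions rather than silently dropping them.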
References:
- Citrix Final Patches
- FireEye IOC Script
- x1sec Great CVE-2019-19781 Notes
- Overview of Observed Payloads
- FireEye NOTROBIN Writeup
- TrustedSec Forensics Guide
- TrustedSec Honeypot Writeup
- US-CERT Writeup
Changelog (most recent first):
- Added httperror log parsing
- Notice analysis now searches for the same terms as sh analysis (sh logs are included in notice, so the same terms must be searched in both to get the same results)
- Dataframes are no longer exported to the results sheet if they are empty; instead, a log message in the Excel-writing cell of the notebook lists which dataframes are empty
- Added retrieval of the start and end date covered by each log listed above
- Refactored the XML parsing code slightly to incorporate the 'username' key, allowing parsing of XMLs retrieved from /xml/bookmarks
- Added 'latin1' encoding to all log parsing to handle logs that were not UTF-8 and caused parsing errors
- Split searchFor into searchFor and shSearchFor, as sh logs have search criteria that don't show up in other logs
- Added payload decoding (chr() and base64) plus aggregation of all payloads into a 'decodedpayloads' column
- Added sh log parsing
- Added a common 'searchFor' variable to the config to hold search terms for suspicious activity; these are searched for in every log
- Added parsing for the majority of notice logs (see errors for exceptions)
  - Exceptions are currently sslvpn_aaad_login_handler and 'Session setup data send' logs; these are still printed via errors so you can inspect them
- Added bash log parsing
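The XML payload parsing and chr()/base64 decoding described in the changelog, as an added example that is not the notebook's own code. The bookmark-XML layout it assumes (a `<vpn>` root, a `<user>` element carrying the 'username' key, `<bookmark>` elements whose attributes hold the payload text) is a constructed stand-in, as are the sample values; adjust the element and attribute names to what the triage script actually collected. It also handles the truncated-file case, falling back to a regex scrape of `name="value"` pairs when the XML parser rejects the file.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed sample in the assumed bookmark-XML layout. The title attribute is a
# chr() concatenation and the desc attribute embeds a base64 token.
ENCODED_TEXT = base64.b64encode(b"hello from decoder").decode()
SAMPLE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<vpn>
  <user username="sample-user">
    <bookmark title="chr(104).chr(101).chr(108).chr(108).chr(111)"
              desc="payload {ENCODED_TEXT} end"
              UI_inuse="plain value"/>
  </user>
</vpn>
""".encode()

# The same file cut off mid-element, as a damaged artifact would be.
TRUNCATED_XML = SAMPLE_XML[: SAMPLE_XML.index(b"UI_inuse")]

CHR_RUN = re.compile(r"chr\(\d+\)(?:\s*[.+,]?\s*chr\(\d+\))*")
CHR_ONE = re.compile(r"chr\((\d+)\)")
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
ATTR_PAIR = re.compile(r'([A-Za-z_][\w.-]*)="([^"]*)"')


def decode_chr(s: str) -> str:
    """Collapse chr(N) runs joined by '.', '+', ',' or spaces into the text they spell."""
    def expand(m):
        codes = (int(n) for n in CHR_ONE.findall(m.group(0)))
        return "".join(chr(c) for c in codes if c <= 0x10FFFF)
    return CHR_RUN.sub(expand, s)


def decode_base64_tokens(s: str) -> str:
    """Replace base64 tokens that decode to printable text; leave anything else as-is."""
    def expand(m):
        tok = m.group(0)
        if len(tok) % 4:
            return tok
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return tok
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
        return tok
    return B64_TOKEN.sub(expand, s)


def decode_payload(s: str) -> str:
    """chr() first, then base64, so a chr()-built base64 blob is decoded in one pass."""
    return decode_base64_tokens(decode_chr(s))


def extract_fields(xml_bytes: bytes):
    """Return ([(element, attribute, raw value), ...], malformed_flag).

    A truncated or otherwise broken file falls back to scraping name="value"
    pairs (which also picks up the XML declaration's version/encoding).
    """
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        text = xml_bytes.decode("latin1")
        return [("?", k, v) for k, v in ATTR_PAIR.findall(text)], True
    fields = []
    for el in root.iter():
        for k, v in el.attrib.items():
            fields.append((el.tag, k, v))
        if el.text and el.text.strip():
            fields.append((el.tag, "text", el.text.strip()))
    return fields, False


def analyse_bookmark_xml(xml_bytes: bytes) -> dict:
    """Decode every field and aggregate the decoded ones, like the 'decodedpayloads' column."""
    fields, malformed = extract_fields(xml_bytes)
    rows, username = [], None
    for tag, attr, raw in fields:
        if attr == "username":
            username = raw
        decoded = decode_payload(raw)
        rows.append({"element": tag, "attribute": attr, "raw": raw,
                     "decoded": decoded, "was_encoded": decoded != raw})
    return {
        "username": username,
        "malformed": malformed,
        "rows": rows,
        "decodedpayloads": " | ".join(r["decoded"] for r in rows if r["was_encoded"]),
    }


if __name__ == "__main__":
    for label, data in (("intact", SAMPLE_XML), ("truncated", TRUNCATED_XML)):
        res = analyse_bookmark_xml(data)
        print(f"{label}: user={res['username']} malformed={res['malformed']}")
        print("  decodedpayloads:", res["decodedpayloads"])
```

Because these files are attacker-written input, parse them with `defusedxml` instead of the stdlib parser if it is available; the stdlib `ElementTree` is used here only to keep the example dependency-free.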