Citrix ShareFile Exploitation CVE-2023-24489

Splunk Security Content

Summary
This detection rule targets potential exploitation attempts against Citrix ShareFile by identifying suspicious file-upload behaviour: HTTP POST requests whose URLs match specific patterns. The detection focuses on URLs containing the parameters 'parentid', 'filename', and 'uploadId', which together indicate possible malicious upload activity. The rule uses the Web datamodel to aggregate counts of events that combine these URLs with the HTTP POST method, and correlates them with user agent information and response status codes to distinguish potential intrusions from legitimate traffic. Confirmed exploitation could lead to unauthorized access and significant operational disruption for organizations using the Documentum application within their Citrix ShareFile environment.
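The following is an added illustration of the detection logic described above, written for this page and not part of the Splunk Security Content rule itself. It applies the same idea outside Splunk: parse web access-log lines, keep only HTTP POST requests whose query string carries all three parameters ('parentid', 'filename', 'uploadId'), and aggregate hits by source address, user agent and response status so an analyst can see which clients repeat the pattern. The log lines, the `/upload` path and the IP addresses are constructed sample data, not values from the page.

```python
import re
from collections import Counter
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real traffic): a benign GET, a POST to an
# unrelated path, and two POSTs whose query string carries all three parameters the
# rule keys on. The /upload path is a placeholder, not the product's real endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Nov/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Nov/2024:10:00:02 +0000] "POST /api/login HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Nov/2024:10:00:03 +0000] "POST /upload?parentid=demo&filename=a.txt&uploadId=1 HTTP/1.1" 200 10 "-" "python-requests/2.31"
203.0.113.9 - - [15/Nov/2024:10:00:04 +0000] "POST /upload?parentid=demo&filename=b.txt&uploadId=2 HTTP/1.1" 200 10 "-" "python-requests/2.31"
"""

# Combined log format: src, identd, user, [timestamp], "METHOD URL PROTO", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Query parameters the rule treats as indicative when they all appear on one POST.
# Compared case-insensitively, so 'uploadId' and 'uploadid' both match.
REQUIRED_PARAMS = {"parentid", "filename", "uploadid"}


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into its fields; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious_upload(method: str, url: str) -> bool:
    """True when the request is a POST whose query string contains every required parameter."""
    if method.upper() != "POST":
        return False
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    present = {name.lower() for name in params}
    return REQUIRED_PARAMS.issubset(present)


def count_suspicious_uploads(log_text: str) -> Counter:
    """Aggregate matching requests, keyed by (source, user agent, status) as the rule correlates them."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than raise, so one bad line cannot stop the scan
        if is_suspicious_upload(rec["method"], rec["url"]):
            hits[(rec["src"], rec["ua"], rec["status"])] += 1
    return hits


if __name__ == "__main__":
    for (src, ua, status), n in count_suspicious_uploads(SAMPLE_LOG).items():
        print(f"{src} ua={ua!r} status={status} count={n}")
```

Aggregating by user agent and status, rather than alerting on each request, mirrors the rule's use of the Web datamodel: a burst of matching POSTs from one scripted client with 200 responses is far more interesting than a single request, and the status code shows whether the server accepted the upload.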
Categories
  • Network
  • Infrastructure
Data Sources
  • Web Credential
  • Network Traffic
ATT&CK Techniques
  • T1190
Created: 2024-11-15