Sid 1-

Message

SERVER-WEBAPP Citrix ADC and Gateway backdoor upload attempt

Summary

This event is generated when a Perl backdoor is uploaded to a compromised Citrix ADC or Citrix Gateway device.

Impact

A Network Trojan was detected

Detailed information

Affected systems

  • Citrix ADC and Citrix Gateway version 13.0
  • NetScaler ADC and NetScaler Gateway version 12.1
  • NetScaler ADC and NetScaler Gateway version 12.0 until 12.0.63.13
  • NetScaler ADC and NetScaler Gateway version 11.1 until 11.1.63.15
  • NetScaler ADC and NetScaler Gateway version 10.5
  • Citrix SD-WAN WANOP models 4000, 4100, 5000, and 5100

Ease of attack

False positives

False negatives

Corrective action

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • CVE-2019-19781
  • support.citrix.com/article/CTX267027