curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity
blog/source/threat-hunting/suspicious-netscaler-cli.md

484 B
Raw Blame History

title layout date
Suspicious Netscaler CLI page 2025-07-27

References: 1 SPL:

index=netscaler (citrix_netscaler_event_name="CMD_EXECUTED" OR event_source="CLI") Command IN ("*database.php*", "*ns_gui/vpn*", "*/flash/nsconfig/keys/updated*", "*LDAPTLS_REQCERT*", "*ldapsearch*", "*openssl*", "*salt*")
| eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S %z")
| table Time, user, host, Command