Warning
It is known that certain setuid and setgid binaries on RAM disks are not filtered correctly. This may result in false positives. We are working on the issue.
Warning
Some of these checks hunt for artefacts that may indicate a compromise and need further interpretation, while other checks verify whether known indicators of compromise are present. We are working on separating the hunting checks from the compromise checks.
These scripts are provided without any guarantee regarding their effectiveness.
The detection capabilities of these scripts are based on a limited set of detection rules; a clean result does not prove that an appliance is not compromised.
Make sure to follow the vendor's instructions and the information in the advisories regarding these vulnerabilities.
Make sure no sensitive information is disclosed when sharing the output of these scripts.
For interpretation of the output of these scanning scripts, please forward it to your national cybersecurity entity (national CSIRT or otherwise).
This repository contains three sets of scripts; each script has its own folder with instructions for that specific script.
- core-dump-checks: these scripts check all saved core dumps generated by a NetScaler appliance for possible compromise indicators.
- disk-image-checks: these scripts check disk images of NetScaler appliances for indicators.
- live-host-bash-check: this script checks a running NetScaler appliance for indicators.
Current script versions:
- core-dump-checks: 1.0.0
- disk-image-checks: 1.0.0
- live-host-bash-check: 1.8.3
Run all the check scripts on backups, core dumps, and NetScaler appliances. Share the log file with your national cyber security incident response entity (CSIRT), such as an NCSC or GovCERT, for further assistance; for the EU see https://csirtsnetwork.eu
Please monitor this repository for changes, as additional checks may follow. Feedback and improvements are very much welcome and can be suggested by opening a GitHub issue.