
Citrix ShareFile Exploitation CVE-2023-24489

The following analytic detects potentially malicious file upload attempts to Citrix ShareFile via specific suspicious URLs and the HTTP POST method. It leverages the Web datamodel to identify URL patterns such as "/documentum/upload.aspx?parentid=", "/documentum/upload.aspx?filename=", and "/documentum/upload.aspx?uploadId=*", combined with the HTTP POST method. This activity is significant for a SOC as it may indicate an attempt to upload harmful scripts or content, potentially compromising the Documentum application. If confirmed malicious, this could lead to unauthorized access, data breaches, and operational disruptions.

MITRE ATT&CK

initial-access

Detection Query

| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

FROM datamodel=Web WHERE

Web.url="*/documentum/upload.aspx?*"
Web.url IN (
    "*parentid=*",
    "*filename=*",
    "*uploadId=*"
)
Web.url IN (
    "*unzip=*",
    "*raw=*"
)
Web.http_method=POST

BY Web.http_user_agent Web.status Web.http_method
   Web.url Web.url_length Web.src Web.dest

| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `citrix_sharefile_exploitation_cve_2023_24489_filter`

Author

Michael Haag, Splunk

Created

2026-03-27

Data Sources

Suricata

Tags

Citrix ShareFile RCE CVE-2023-24489

Raw Content

name: Citrix ShareFile Exploitation CVE-2023-24489
id: 172c59f2-5fae-45e5-8e51-94445143e93f
version: 7
date: '2026-03-27'
author: Michael Haag, Splunk
status: production
type: Hunting
data_source:
    - Suricata
description: The following analytic detects potentially malicious file upload attempts to Citrix ShareFile via specific suspicious URLs and the HTTP POST method. It leverages the Web datamodel to identify URL patterns such as "/documentum/upload.aspx?parentid=", "/documentum/upload.aspx?filename=", and "/documentum/upload.aspx?uploadId=*", combined with the HTTP POST method. This activity is significant for a SOC as it may indicate an attempt to upload harmful scripts or content, potentially compromising the Documentum application. If confirmed malicious, this could lead to unauthorized access, data breaches, and operational disruptions.
search: |-
    | tstats `security_content_summariesonly`
      count min(_time) as firstTime
            max(_time) as lastTime

    FROM datamodel=Web WHERE

    Web.url="*/documentum/upload.aspx?*"
    Web.url IN (
        "*parentid=*",
        "*filename=*",
        "*uploadId=*"
    )
    Web.url IN (
        "*unzip=*",
        "*raw=*"
    )
    Web.http_method=POST

    BY Web.http_user_agent Web.status Web.http_method
       Web.url Web.url_length Web.src Web.dest

    | `drop_dm_object_name("Web")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `citrix_sharefile_exploitation_cve_2023_24489_filter`
how_to_implement: |-
    Dependent upon the placement of the ShareFile application, ensure the latest Technology Add-On is enabled. This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. The ShareFile application is IIS based, therefore ingesting IIS logs and reviewing for the same pattern would identify this activity, successful or not.
known_false_positives: |-
    False positives may be present, filtering may be needed.
    Also, restricting to known web servers running IIS or ShareFile will change this from Hunting to TTP.
references:
    - https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/
tags:
    analytic_story:
        - Citrix ShareFile RCE CVE-2023-24489
    cve:
        - CVE-2023-24489
    asset_type: Network
    atomic_guid: []
    mitre_attack_id:
        - T1190
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve_2023_24489.log
          source: not_applicable
          sourcetype: suricata