Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
- source: splunk
- techniques:
  - T1203
  - T1059
Description
This analytic detects exploitation activity of CVE-2025-5777 using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 65118 (Citrix NetScaler memory overread attempt) is triggered. If confirmed malicious, this behavior is highly indicative of a potential exploitation of CVE-2025-5777.
Detection logic
`cisco_secure_firewall`
    EventType=IntrusionEvent
    signature_id=65118
| fillnull
| stats min(_time) as firstTime
        max(_time) as lastTime
        values(signature_id) as signature_id
        values(signature) as signature
        values(class_desc) as class_desc
        values(MitreAttackGroups) as MitreAttackGroups
        values(InlineResult) as InlineResult
        values(InlineResultReason) as InlineResultReason
        values(src_ip) as src_ip
        values(dest_port) as dest_port
        values(rule) as rule
        values(transport) as transport
        values(app) as app
        by dest_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___citrix_netscaler_memory_overread_attempt_filter`
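To check what the stats clause above actually produces, here is an added Python re-implementation of the rule's filter and per-destination aggregation run over constructed IntrusionEvent records (this is example code, not Splunk's or Cisco's; field names come from the rule, every value in the sample records is constructed, and firstTime/lastTime are left as epoch seconds rather than passed through `security_content_ctime`).

```python
from collections import defaultdict

SNORT_SID = 65118  # Snort signature id from the rule (Citrix NetScaler memory overread attempt)
# Multi-value fields the rule's stats clause collects with values() per dest_ip
VALUE_FIELDS = ["signature_id", "signature", "class_desc", "MitreAttackGroups",
                "InlineResult", "InlineResultReason", "src_ip", "dest_port",
                "rule", "transport", "app"]

def ev(t, src, dst, sid=SNORT_SID, inline="Block"):
    """Constructed IntrusionEvent record using the field names the rule reads."""
    return {"_time": t, "EventType": "IntrusionEvent", "signature_id": sid,
            "signature": "Citrix NetScaler memory overread attempt" if sid == SNORT_SID else "other",
            "class_desc": "constructed-class", "MitreAttackGroups": "constructed-group",
            "InlineResult": inline, "InlineResultReason": "constructed-reason",
            "src_ip": src, "dest_ip": dst, "dest_port": 443,
            "rule": "constructed-policy", "transport": "tcp", "app": "HTTPS"}

# Constructed sample log: two hits on one destination, one on another, one unrelated SID
SAMPLE_EVENTS = [
    ev(1720000000, "198.51.100.7", "192.0.2.10"),
    ev(1720000600, "203.0.113.5", "192.0.2.10", inline="Would Block"),
    ev(1720000300, "198.51.100.7", "192.0.2.20"),
    ev(1720000900, "198.51.100.9", "192.0.2.99", sid=1),  # different SID: must not match
]

def detect(events):
    """Mirror the SPL: EventType=IntrusionEvent signature_id=65118 | fillnull | stats ... by dest_ip."""
    groups = defaultdict(list)
    for e in events:
        if e.get("EventType") == "IntrusionEvent" and e.get("signature_id") == SNORT_SID:
            groups[e["dest_ip"]].append(e)
    rows = []
    for dest_ip, evs in groups.items():
        row = {"dest_ip": dest_ip,
               "firstTime": min(e["_time"] for e in evs),   # min(_time)
               "lastTime": max(e["_time"] for e in evs)}    # max(_time)
        for f in VALUE_FIELDS:
            # values(): distinct values, lexicographically sorted; fillnull turns
            # a missing field into 0 before stats sees it
            row[f] = sorted({str(e.get(f, 0)) for e in evs})
        rows.append(row)
    return rows

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["dest_ip"], row["firstTime"], row["lastTime"], row["src_ip"])
```

Because the grouping key is dest_ip, one row per targeted NetScaler is produced even when several sources hit it; the src_ip list on that row is what an analyst triages first.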