Citrix ShareFile Exploitation CVE-2023-24489

Name:Citrix ShareFile Exploitation CVE-2023-24489
id:172c59f2-5fae-45e5-8e51-94445143e93f
version:7
date:2026-03-27
author:Michael Haag, Splunk
status:production
type:Hunting
Description:The following analytic detects potentially malicious file upload attempts to Citrix ShareFile via specific suspicious URLs and the HTTP POST method. It leverages the Web datamodel to identify URL patterns such as "/documentum/upload.aspx?parentid=", "/documentum/upload.aspx?filename=", and "/documentum/upload.aspx?uploadId=*", combined with the HTTP POST method. This activity is significant for a SOC as it may indicate an attempt to upload harmful scripts or content, potentially compromising the Documentum application. If confirmed malicious, this could lead to unauthorized access, data breaches, and operational disruptions.
Data_source:

• -Suricata

search:| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime

FROM datamodel=Web WHERE

Web.url="*/documentum/upload.aspx?*"
Web.url IN (
"*parentid=*",
"*filename=*",
"*uploadId=*"
)
Web.url IN (
"*unzip=*",
"*raw=*"
)
Web.http_method=POST

BY Web.http_user_agent Web.status Web.http_method
Web.url Web.url_length Web.src Web.dest

| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `citrix_sharefile_exploitation_cve_2023_24489_filter`

how_to_implement:Dependent upon the placement of the ShareFile application, ensure the latest Technology Add-On is eneabled. This detection requires the Web datamodel to be populated from a supported Technology Add-On like Suricata, Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto. The ShareFile application is IIS based, therefore ingesting IIS logs and reviewing for the same pattern would identify this activity, successful or not.
known_false_positives:False positives may be present, filtering may be needed. Also, restricting to known web servers running IIS or ShareFile will change this from Hunting to TTP.
References:
  -https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Citrix ShareFile RCE CVE-2023-24489'
  cve:
    - 'CVE-2023-24489'
  asset_type:Network
  atomic_guid:
  mitre_attack_id:
    - 'T1190'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  security_domain:network

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve_2023_24489.log
  source: not_applicable
  sourcetype: suricata
manual_test:None