[CVE] CVE-2026-3055 Citrix NetScaler ADC Memory Disclosure Unauthenticated Edge Exploitation
Report Type
Threat Intelligence Assessment
Threat Category
Exploit Framework Activity
Multi-Stage Exploitation Chain
Client-Side Exploitation and Malware Delivery
Assessment Date
March 26, 2026
Primary Impact Domain
Endpoint Security (iOS / Mobile Platform)
Exploit Chain Execution and Detection Evasion
Device-Level Trust Boundaries and Telemetry Visibility
BLUF
Internet-facing NetScaler ADC appliances configured as SAML Identity Providers expose organizations to unauthorized access risk because the vulnerability allows unauthenticated retrieval of authentication-related memory at the identity boundary. The issue is caused by improper input validation leading to memory overread conditions during request processing. Exploitation likelihood is high and time-compressed, with an assessed 82% probability of inclusion in the CISA Known Exploited Vulnerabilities catalog based on exposure conditions and exploit feasibility; EEP is a forward-looking analytic measure of operational exploitation potential, not a statement of confirmed exploitation, KEV inclusion, or incident activity. Executives should immediately identify and patch all exposed NetScaler SAML Identity Provider deployments and treat unpatched systems as active identity compromise risk.
Executive Risk Translation
This vulnerability enables direct exposure of authentication data from an internet-facing control point, creating risk of session misuse, unauthorized access, and loss of trust in identity enforcement mechanisms.
S3 Why This Matters Now
· The vulnerability affects NetScaler ADC systems operating as SAML Identity Providers, placing authentication infrastructure directly at risk from unauthenticated network access.
· The exploit requires no authentication, enabling automated scanning and rapid targeting of exposed appliances.
· The memory disclosure condition creates the potential for exposure of authentication tokens, session data, and credential artifacts during request handling.
· Exposure is configuration-dependent, and organizations may lack visibility into where SAML Identity Provider functionality is enabled across deployments.
· The assessed 82% likelihood of KEV inclusion indicates a strong probability of near-term exploitation activity.
S4 Key Judgments
· CVE-2026-3055 is a high-impact identity-boundary vulnerability due to unauthenticated access to sensitive memory on internet-facing NetScaler ADC systems.
· The highest-risk environments are those using NetScaler ADC as a SAML Identity Provider within federated authentication architectures.
· The vulnerability enables exposure of authentication material, including session and credential artifacts, which can be leveraged for unauthorized access.
· Unauthenticated exploitability enables large-scale scanning and opportunistic exploitation.
· Delayed remediation increases exposure during the initial post-disclosure exploitation window.
S5 Executive Risk Summary
Business Risk
Compromise of authentication infrastructure at the network edge introduces the risk of unauthorized access, session misuse, and degradation of identity trust across enterprise systems.
Technical Cause
Improper input validation in NetScaler ADC request handling results in memory overread conditions exposing sensitive system memory.
Threat Posture
Exploitation conditions are favorable due to unauthenticated access and direct exposure of identity infrastructure, increasing the likelihood of rapid attacker targeting.
Executive Decision Requirement
Immediate identification and patching of all affected NetScaler ADC systems configured as SAML Identity Providers is required.
S6 Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
· Low Impact $150,000 to $500,000
Rapid remediation with limited exposure duration, no confirmed authentication data exposure, and minimal disruption to identity or access services.
· Moderate Impact $500,000 to $2 million
Emergency patching across multiple systems, authentication data validation, targeted credential rotation, and short-term disruption to SSO, VPN, or federated access workflows requiring user re-authentication.
· High Impact $2 million to $7 million
Suspected or confirmed exposure of authentication or session data requiring enterprise-wide credential resets, forced re-authentication across identity platforms, disruption to access-dependent business operations, and full incident response engagement.
S6A Key Cost Drivers
· Presence of internet-facing NetScaler ADC systems configured as SAML Identity Providers.
· Duration of exposure prior to remediation.
· Scope of identity infrastructure dependent on affected systems.
· Requirement for credential rotation, token invalidation, and session reset.
· Operational dependence on NetScaler for remote access and authentication workflows.
S6B Compliance and Risk Context
Compliance Exposure Indicator
Elevated due to potential compromise of authentication systems and identity-related data, which may trigger incident response, audit validation, and access control review obligations.
Risk Register Entry
Critical exposure of NetScaler ADC identity infrastructure due to unauthenticated memory disclosure vulnerability affecting SAML Identity Provider configurations.
Annualized Risk Exposure
Estimated at $300,000 to $4.5 million annually during the active exposure window, driven by exploitation likelihood and the impact of compromised authentication infrastructure at the network edge.
Risk Drivers
· Internet exposure of NetScaler ADC appliances.
· SAML Identity Provider configuration enabling vulnerability conditions.
· Unauthenticated exploitability.
· Exposure of sensitive memory containing authentication-related data.
· High probability of near-term attacker targeting.
S8 Bottom Line for Executives
· Identify and patch all NetScaler ADC systems configured as SAML Identity Providers without delay.
· Treat any unpatched system as an identity compromise risk due to unauthenticated memory exposure.
· Validate authentication integrity after remediation, including session handling and access control behavior.
S9 Board-Level Takeaway
· The vulnerability affects a critical identity control layer responsible for authentication and enterprise access enforcement.
· Governance focus should be on rapid remediation, validation of affected configurations, and assurance of identity system integrity post-remediation.
· Management should confirm that exposure was identified, remediated, and validated within an accelerated response window.
S10 Vulnerability Overview
Vulnerability Type
Memory Disclosure via Out-of-Bounds Read
Affected Systems
Citrix NetScaler ADC instances configured as SAML Identity Providers
Exposure Conditions
· SAML Identity Provider functionality enabled
· Appliance is network-accessible (typically internet-facing)
· Vulnerable firmware version in use
Privilege Requirements
None — unauthenticated exploitation
Attack Vector
Remote network-based interaction with exposed NetScaler ADC services
S11 Technical Vulnerability Details
Root Cause
Improper input validation in request-processing routines leading to out-of-bounds memory read conditions
Vulnerable Component
NetScaler ADC SAML Identity Provider request-handling logic
Trigger Mechanism
Crafted input processed by the SAML request-handling pipeline causes the system to read beyond intended memory boundaries
Exploitable Condition
The appliance processes attacker-controlled input within the SAML IdP workflow without sufficient boundary validation, exposing portions of process memory during request handling, including authentication-related data
S12 Exploitability Assessment
Exploit Complexity
Low — exploitation requires only crafted network requests without complex chaining
Authentication Requirements
None — vulnerability is exploitable without valid credentials
Network Exposure
High — commonly deployed as an internet-facing identity service
Operational Constraints
No specialized environmental dependencies or race conditions required; exploit reliability is driven primarily by exposure and configuration rather than timing or system state
S13 KEV Status and Patch Availability
KEV Status
Not listed in the CISA Known Exploited Vulnerabilities catalog as of report development
Patch Availability
Vendor-provided patches available for supported NetScaler ADC versions
Remediation Priority
Critical — immediate remediation required for exposed systems
KEV Likelihood Assessment (EEP)
Assessed at 82% likelihood of KEV inclusion based on unauthenticated exploitability, exposure at the identity boundary, and similarity to previously exploited NetScaler memory disclosure vulnerabilities; EEP is a forward-looking analytic measure of operational exploitation potential, not a statement of confirmed exploitation, KEV inclusion, or incident activity.
S14 Sectors / Countries Affected
Sectors Affected
· Enterprise IT and Identity Infrastructure
· Financial Services
· Healthcare
· Government
· Technology and SaaS providers
· Organizations using federated authentication or remote access via NetScaler
Countries Affected
· Global
o Exposure determined by deployment of affected systems rather than geographic targeting
S15 Adversary Capability Profiling
Skill Level
Low to moderate — requires ability to craft and deliver malformed network requests targeting exposed SAML endpoints
Tooling Requirements
· Basic HTTP/S request manipulation
· Easily automatable scanning capability
Infrastructure Needs
· Standard internet-based scanning infrastructure
Operational Scale
High — vulnerability characteristics support rapid scanning and broad opportunistic targeting across exposed systems
S16 Targeting Probability Assessment
Organizations operating internet-facing NetScaler ADC systems configured as SAML Identity Providers have a high probability of targeting due to the direct exposure of authentication infrastructure, the absence of authentication requirements, and the potential to obtain authentication-related memory data. Environments with centralized identity services and federated authentication dependencies present elevated targeting value due to the potential impact of compromised authentication material.
S17 MITRE ATT&CK Chain Flow Mapping
Initial Access — T1190 Exploit Public-Facing Application
· Attacker sends crafted requests to an exposed NetScaler ADC SAML Identity Provider endpoint to trigger memory overread behavior
Credential Access — T1555 Credentials from Password Stores (Adapted to Application Memory Exposure Context)
· Authentication-related data, including session tokens or credential artifacts, is retrieved from exposed application memory during request processing
S18 Attack Path Narrative
An attacker initiates exploitation by sending crafted network requests to an internet-facing NetScaler ADC appliance configured as a SAML Identity Provider. These requests interact with the SAML processing workflow, targeting input handling within the request parsing logic.
During processing, insufficient boundary validation results in an out-of-bounds memory read condition. As a result, portions of process memory associated with authentication handling may be exposed as part of the system’s response behavior or processing outcome.
The exposed memory can contain authentication-related artifacts present at the time of request handling, such as session tokens, credential fragments, or identity assertion data. The scope and usefulness of retrieved data depend on the state of memory during processing.
This sequence enables retrieval of authentication-related data without requiring valid credentials or prior access to the system.
S19 Attack Chain Risk Amplification Summary
· The vulnerability affects an identity boundary system, increasing operational impact relative to internal application-layer weaknesses.
· Unauthenticated exploitability enables rapid enumeration and targeting of exposed NetScaler deployments.
· Exposure of authentication-related memory complicates validation of affected sessions, identities, and trust relationships during incident response.
· Authentication artifact exposure increases the likelihood of session misuse without triggering authentication controls.
· Configuration-dependent exposure reduces visibility into affected systems, increasing the probability of unrecognized risk prior to exploitation.
S20 Tactics, Techniques, and Procedures
T1190 – Exploit Public-Facing Application
Attackers deliver crafted requests to exposed NetScaler ADC SAML Identity Provider endpoints, specifically targeting request parsing routines to trigger memory boundary violations during SAML processing.
T1555 – Credentials from Password Stores (Adapted to Application Memory Exposure Context)
Attackers retrieve authentication-related artifacts, including session tokens, credential fragments, or identity assertions, from process memory exposed during request handling; while not a traditional credential store, this mapping reflects extraction of usable authentication material from application-resident memory.
S20A Adversary Tradecraft Summary
Attackers are likely to exploit this vulnerability to obtain authentication artifacts directly from identity infrastructure without interacting with user-driven credential collection mechanisms. This approach targets weaknesses in SAML processing logic rather than authentication workflows.
The primary objective is to obtain usable session tokens or identity assertions that may allow access to federated services or authenticated application flows, depending on the validity and scope of the exposed data at the time of exploitation.
This tradecraft enables large-scale targeting of internet-facing NetScaler deployments where identity services are externally accessible, as well as focused exploitation of environments where SAML-based authentication provides access to enterprise systems.
S21 Detection Strategy Overview
Detection of CVE-2026-3055 requires identification of anomalous interactions with NetScaler ADC systems performing SAML Identity Provider functions, specifically targeting request parsing behavior associated with authentication workflows. The exploit operates through syntactically valid but structurally manipulated requests, requiring behavioral detection rather than signature matching.
Effective detection relies on correlation across:
· abnormal SAML request handling at the network layer
· inconsistencies in authentication and session behavior
· deviations in request-response characteristics associated with identity workflows
Detection should prioritize identifying:
· anomalies in SAML request structure and processing
· mismatches between authentication events and session usage
· repeated targeting patterns against IdP endpoints
S22 Primary Detection Signals
Network Telemetry (Primary Signal Source)
· Abnormal HTTP POST requests to SAML IdP endpoints with atypical content length relative to baseline traffic
· SAML requests with irregular encoding, structure, or parameter distribution inconsistent with normal authentication flows
· Repeated access to SAML endpoints without corresponding authentication completion patterns
· Request-response size asymmetry suggesting abnormal data returned from authentication endpoints
Identity / Authentication Telemetry (Secondary Signal Source)
· Session tokens used without corresponding successful authentication events
· Authentication flows where session establishment does not align with expected SAML assertion exchange patterns
· Reuse of authentication artifacts across different client IPs or geographic locations without re-authentication
Network Behavior Correlation Signals
· High-frequency targeting of SAML IdP endpoints from single or distributed IP sources
· Sequential probing behavior against authentication endpoints indicating automated request generation
S23 Telemetry Requirements
Network / Proxy / Load Balancer Logs
o Full HTTP/S request and response logging for SAML IdP endpoints
o Content length, request method, and endpoint visibility
TLS Inspection Capability (Critical Dependency)
o Required to inspect SAML payload structure and detect malformed or manipulated requests
o Without TLS inspection, detection is limited to volumetric or behavioral anomalies
Identity Provider Logs
o SAML assertion generation, validation, and session creation events
o Token issuance and reuse tracking
NetScaler ADC Logs
o Request processing logs tied to SAML workflows
o Error or anomaly indicators during request parsing
Network Flow Telemetry
o Source IP targeting patterns
o Correlation of repeated access to authentication endpoints
S24 Detection Opportunities and Gaps
Detection Opportunities
· Identification of abnormal SAML request structure through payload inspection
· Detection of request-response size anomalies associated with memory exposure
· Correlation of network anomalies with authentication inconsistencies
· Detection of session usage patterns that bypass expected authentication workflows
Detection Gaps
· Lack of direct visibility into process memory exposure within NetScaler appliances
· Inability to inspect SAML payloads in environments without TLS decryption
· Difficulty distinguishing crafted exploit requests from legitimate but atypical SAML traffic
· Limited native logging of request parsing anomalies within NetScaler environments
S25 Ultra-Tuned Detection Engineering Rules
S25 Group 1 — Initial Access and Credential Exposure
Suricata
Rule Name
CyberDax NetScaler SAML IdP Oversized POST Request
Purpose
Detect materially oversized HTTP POST requests to locally validated NetScaler SAML Identity Provider endpoints that exceed expected SAML request norms and may indicate exploit payload shaping associated with CVE-2026-3055 targeting.
ATT&CK Technique
T1190 – Exploit Public-Facing Application
Telemetry Dependency
· Suricata with HTTP parser enabled
· HTTP traffic visible in cleartext or through a decryption or inspection point
· HTTP method visibility
· HTTP header visibility including Content-Length
· URI visibility
· Validated NetScaler SAML IdP destination scoping
Tuning Explanation
· $NETSCALER_IDP_HOSTS must contain only confirmed NetScaler ADC assets serving SAML IdP traffic
· The URI pattern is a deployment template and must be reduced or confirmed against actual IdP paths before production deployment
· The Content-Length threshold must be tuned using local SAML request-size observations
· Environments with large signed, compressed, or brokered SAML requests may require higher thresholds
· If HTTP traffic is not visible, this rule is not executable as written
Detection Logic
· Require HTTP POST
· Require targeting of locally validated SAML IdP paths
· Require request size materially above tuned local expectation
· Surface exploit-shaping behavior, not confirmed exploitation
Operational Context
Use as an early network-layer exploit-shaping signal where HTTP request metadata is visible and validated IdP paths are known.
Logical Notes
Conditional
· Requires local IdP path validation before deployment
· Requires tuned request-size thresholds based on environment
· Not executable where TLS inspection is not available
· Should not be treated as exploit confirmation by itself
Rule Regret Check
· Deployment caution
Validate local IdP paths and normal SAML request-size ranges before production deployment to reduce avoidable false positives.
· Confidence caution
Treat this as an exploit-shaping indicator, not proof of successful exploitation.
· Coverage value
This rule provides useful early network-layer visibility where HTTP metadata is available and request-size patterns are stable.
Execution Validity Status
Conditional production-ready
System-Ready Code
alert http $EXTERNAL_NET any -> $NETSCALER_IDP_HOSTS any (
msg:"CYBERDAX NetScaler SAML IdP oversized POST request";
flow:to_server,established;
http.method; content:"POST";
http.uri; pcre:"/\/(saml|saml\/login|saml\/idp|cgi\/saml|nf\/auth\/saml)(\/|$|\?)/Ui";
http.header; pcre:"/Content-Length\x3a\s([5-9][0-9]{3,}|[1-9][0-9]{4,})/Hi";
classtype:web-application-attack;
sid:7306001; rev:2;
)
Rule Name
CyberDax NetScaler SAML IdP Repeated External POST Targeting
Purpose
Detect repeated external HTTP POST targeting of locally validated NetScaler SAML IdP endpoints from non-approved sources, consistent with exploit preparation or sustained hostile pressure against exposed identity infrastructure.
ATT&CK Technique
T1190 – Exploit Public-Facing Application
Telemetry Dependency
· Suricata with HTTP parser enabled
· HTTP traffic visible in cleartext or through a decryption or inspection point
· HTTP method visibility
· URI visibility
· Source IP visibility
· Validated NetScaler SAML IdP destination scoping
Tuning Explanation
· $NETSCALER_IDP_HOSTS must contain only confirmed NetScaler ADC assets serving SAML IdP traffic
· URI paths must be locally validated before production use
· Request-count thresholds must be tuned against real SSO traffic patterns, especially where partner federation or synthetic monitoring exists
· Approved scanners, health checks, and federation test sources should be excluded outside the rule where possible
· If HTTP traffic is not visible, this rule is not executable as written
Detection Logic
· Require HTTP POST
· Require targeting of locally validated SAML IdP paths
· Detect repeated requests from the same external source over a short interval
· Surface sustained endpoint pressure, not confirmed exploit success
Operational Context
Use as a network-layer pre-exploitation pressure analytic where HTTP request metadata and source tracking are visible.
Logical Notes
Conditional
· Requires local IdP path validation before deployment
· Requires threshold tuning against normal SSO patterns
· Not executable where HTTP visibility is unavailable
· Should not be treated as proof of compromise
Rule Regret Check
· Deployment caution
Tune thresholds against legitimate federation and SSO patterns before alerting to avoid unnecessary noise.
· Confidence caution
Repeated targeting indicates pressure or preparation, but not confirmed exploit success.
· Coverage value
This rule is useful for surfacing repeated hostile attention against exposed IdP assets before stronger exploit-specific signals appear.
Execution Validity Status
Conditional production-ready
System-Ready Code
alert http $EXTERNAL_NET any -> $NETSCALER_IDP_HOSTS any (
msg:"CYBERDAX NetScaler SAML IdP repeated external POST targeting";
flow:to_server,established;
http.method; content:"POST";
http.uri; pcre:"/\/(saml|saml\/login|saml\/idp|cgi\/saml|nf\/auth\/saml)(\/|$|\?)/Ui";
detection_filter:track by_src, count 6, seconds 120;
classtype:web-application-attack;
sid:7306002; rev:1;
)
Rule Name
CyberDax NetScaler SAML IdP High-Rate Burst Targeting
Purpose
Detect short-duration burst targeting of locally validated NetScaler SAML IdP endpoints from a single external source, consistent with automated exploit staging, endpoint validation, or rapid exploit-delivery pressure.
ATT&CK Technique
T1190 – Exploit Public-Facing Application
Telemetry Dependency
· Suricata with HTTP parser enabled
· HTTP method visibility
· URI visibility
· Source IP visibility
· Validated NetScaler SAML IdP destination scoping
· HTTP visibility required
Tuning Explanation
· This rule is intentionally distinct from repeated-targeting logic by focusing on compressed high-rate activity rather than sustained access
· URI paths must be locally validated before production use
· Burst thresholds should be tuned against legitimate federation failover testing and approved synthetic traffic
· In environments with poor HTTP visibility or unstable IdP pathing, this should remain supporting only
Detection Logic
· Require HTTP POST to validated IdP paths
· Detect high-rate source activity within a short interval
· Surface aggressive automated ingress behavior
Operational Context
Use as a supporting network-layer analytic for fast exploit-preparation bursts against exposed IdP endpoints.
Logical Notes
Conditional
· Requires local path validation
· Requires threshold tuning
· Not executable where HTTP visibility is unavailable
· Best used as a supporting pressure signal, not a standalone compromise analytic
Rule Regret Check
· Deployment caution
Tune burst thresholds against legitimate high-volume authentication or failover behavior before operational use.
· Confidence caution
Treat this as a pressure or automation indicator rather than a standalone compromise signal.
· Coverage value
This rule can help surface rapid exploit-staging activity that slower repeated-targeting analytics may not catch quickly.
Execution Validity Status
Conditional production-ready
System-Ready Code
alert http $EXTERNAL_NET any -> $NETSCALER_IDP_HOSTS any (
msg:"CYBERDAX NetScaler SAML IdP high-rate burst targeting";
flow:to_server,established;
http.method; content:"POST";
http.uri; pcre:"/\/(saml|saml\/login|saml\/idp|cgi\/saml|nf\/auth\/saml)(\/|$|\?)/Ui";
detection_filter:track by_src, count 12, seconds 45;
classtype:web-application-attack;
sid:7306003; rev:1;
)
SentinelOne
Rule Name
CyberDax NetScaler Service-Lineage Suspicious Interpreter Execution
Purpose
Detect suspicious shell, interpreter, or retrieval utility execution spawned by NetScaler-facing service processes on VPX or other host-observable NetScaler deployments, consistent with exploit-consequence behavior following malformed SAML request handling.
ATT&CK Technique
T1190 – Exploit Public-Facing Application
Telemetry Dependency
· SentinelOne process telemetry
· Parent-child process lineage
· Command-line visibility
· Host-observable NetScaler deployment model, such as VPX
· Confirmed usable process field model in the tenant
Tuning Explanation
· Scope only to confirmed NetScaler VPX or host-observable asset groups
· Validate actual parent service lineage in the local deployment before production use
· Suppress maintenance, support, diagnostics, and upgrade activity explicitly
· Do not treat this as universal appliance coverage
· Do not treat the provided field names as guaranteed tenant-exact syntax without confirmation
· This rule should remain conditional because the primary observed exploit chain is network and identity oriented, not endpoint oriented
Detection Logic
· NetScaler service-lineage process spawns shell, interpreter, or retrieval utility
· Child process shows inline command execution, temp-path execution, or retrieval behavior
· Exclude known maintenance and support activity
Operational Context
Use as a host-side exploit-consequence analytic in VPX or host-observable NetScaler deployments where process lineage is available and trustworthy. This is a supporting rule, not a primary detection layer for this CVE.
Logical Notes
Local adaptation required
· Field names are not universally consistent across SentinelOne tenants
· Requires tenant-specific query validation and mapping
· Requires confirmed NetScaler service lineage in environment
· Not executable as written without tenant validation
· Not applicable to appliance-only deployments
Rule Regret Check
· Deployment caution
Validate tenant field mappings and local NetScaler service lineage before production use.
· Confidence caution
Treat this as a host-side exploit-consequence signal, not universal proof of compromise across all NetScaler form factors.
· Coverage value
This rule is valuable only in VPX or other host-observable deployments where strong process telemetry exists and request-layer visibility may be incomplete.
Execution Validity Status
Local adaptation required
System-Ready Code (tenant-adaptation template)
endpoint.name matches "(?i)(netscaler|adc|citrix-adc|ns-vpx|idp)"
and event.type = "Process Creation"
and src.process.name matches "(?i)^(nsapimgr|nsppe|httpd|nginx|perl|python)$"
and tgt.process.name matches "(?i)^(bash|sh|dash|python|python3|perl|curl|wget|nc|netcat)$"
and (
tgt.process.cmdline matches "(?i)(\\s-c\\s|/tmp/|/var/tmp/|wget\\s|curl\\s|python\\s+-c|python3\\s+-c|nc\\s)"
or tgt.process.image.path matches "(?i)^(/tmp/|/var/tmp/)"
)
and not tgt.process.cmdline matches "(?i)(approved-maintenance-window|vendor-support-session|backup-job|health-check|known-admin-script|netscaler-upgrade|support-bundle)"
Splunk
System Positioning
Splunk provides the primary detection layer for this report because it can observe:
· exploit interaction behavior at the HTTP layer
· response anomalies consistent with memory disclosure
· identity and session misuse following authentication artifact exposure
The rules below map strictly to the report’s observed chain:
· T1190 – Exploit Public-Facing Application
· T1555 – Credentials from Password Stores (Adapted to Application Memory Exposure Context)
No additional behaviors are introduced.
Rule Name
CyberDax NetScaler SAML IdP Request Size Deviation from Local Baseline
Purpose
Detect HTTP POST requests to NetScaler SAML Identity Provider endpoints whose request size materially exceeds normal behavior, indicating malformed or exploit-driven request construction.
ATT&CK Technique
T1190 – Exploit Public-Facing Application
Telemetry Dependency
· Web, proxy, WAF, or load-balancer logs
· Request byte or content-length visibility
· URI and HTTP method visibility
Tuning Explanation
· Establish local baseline per IdP endpoint
· Tune deviation threshold using real SAML traffic
· Restrict to validated IdP paths
Detection Logic
· POST to SAML endpoint
· Request size exceeds normal baseline
Operational Context
Primary exploit-shaping detection where request size anomalies are observable.
Logical Notes
Conditional
· Requires stable request-size telemetry
· Requires local baseline or threshold tuning
Rule Regret Check
Deployment caution
Tune thresholds using real SAML traffic before alerting.
Confidence caution
Large requests alone do not confirm exploitation.
Coverage value
Strong early signal of malformed exploit requests.
Execution Validity Status
Conditional production-ready
System-Ready Code
index=web OR index=proxy OR index=waf
| eval uri=coalesce(uri, request_uri)
| eval method=upper(coalesce(method, http_method))
| eval size=coalesce(request_bytes, bytes_in, content_length)
| where method="POST"
| where like(uri,"%/saml%")
| eventstats avg(size) as avg_size stdev(size) as std_size by uri
| where size > avg_size + (3*std_size)
Rule Name
CyberDax NetScaler SAML IdP Request-to-Response Size Asymmetry
Purpose
Detect disproportionate response sizes relative to request size on SAML IdP endpoints, indicating possible memory disclosure behavior.
ATT&CK Technique
T1555 – Credentials from Password Stores (Adapted to Application Memory Exposure Context)
Telemetry Dependency
· Web, proxy, WAF, or load-balancer logs
· Request and response byte visibility
Tuning Explanation
· Tune ratio threshold based on normal SAML exchanges
· Restrict to validated IdP endpoints
Detection Logic
· POST to SAML endpoint
· Response size significantly larger than request
Operational Context
Primary memory-disclosure signal detection.
Logical Notes
Conditional
· Requires reliable request/response byte fields
Rule Regret Check
Deployment caution
Validate response size fidelity before enabling.
Confidence caution
High ratios indicate anomaly, not guaranteed data exposure.
Coverage value
One of the strongest practical signals for this vulnerability.
Execution Validity Status
Conditional production-ready
System-Ready Code
index=web OR index=proxy OR index=waf
| eval uri=coalesce(uri, request_uri)
| eval method=upper(coalesce(method, http_method))
| eval req_bytes=coalesce(request_bytes, bytes_in)
| eval resp_bytes=coalesce(response_bytes, bytes_out)
| where method="POST"
| where like(uri,"%/saml%")
| where req_bytes > 0
| eval ratio=resp_bytes/req_bytes
| where ratio > 5
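An offline replay of the two Splunk analytics above (per-endpoint request-size deviation and response-to-request byte asymmetry) over constructed proxy records, added here as an example and not part of the CyberDax report or any vendor tooling. The key=value log layout, field names and IP addresses are assumptions; the 3-sigma and ratio-greater-than-5 thresholds are the ones the searches use.

```python
"""Replay of the request-size deviation and size-asymmetry analytics over
constructed proxy records. Added example; log format is an assumption."""
import statistics
from collections import defaultdict

# Constructed baseline window: ordinary SAML POSTs used to learn per-endpoint
# norms. /saml/idp deliberately has too few samples to form a baseline.
BASELINE_LOG = """\
src=203.0.113.10 method=POST uri=/saml/login bytes_in=2100 bytes_out=3100
src=203.0.113.11 method=POST uri=/saml/login bytes_in=2300 bytes_out=3400
src=203.0.113.12 method=POST uri=/saml/login bytes_in=2200 bytes_out=3300
src=203.0.113.13 method=POST uri=/saml/login bytes_in=2400 bytes_out=3500
src=203.0.113.14 method=POST uri=/saml/login bytes_in=2250 bytes_out=3350
src=203.0.113.15 method=POST uri=/saml/login bytes_in=2150 bytes_out=3200
src=203.0.113.16 method=POST uri=/saml/login bytes_in=2350 bytes_out=3450
src=203.0.113.17 method=POST uri=/saml/login bytes_in=2050 bytes_out=3050
src=203.0.113.18 method=POST uri=/saml/idp bytes_in=1900 bytes_out=2900
src=203.0.113.19 method=POST uri=/saml/idp bytes_in=2000 bytes_out=3000
"""

# Constructed review window: one oversized request, one oversized response,
# one GET, one non-SAML path, and one POST to an endpoint without a baseline.
REVIEW_LOG = """\
src=203.0.113.20 method=POST uri=/saml/login bytes_in=2150 bytes_out=3250
src=198.51.100.7 method=POST uri=/saml/login bytes_in=16500 bytes_out=3200
src=198.51.100.8 method=POST uri=/saml/login bytes_in=2100 bytes_out=48000
src=198.51.100.9 method=GET uri=/saml/login bytes_in=300 bytes_out=900
src=198.51.100.9 method=POST uri=/vpn/index.html bytes_in=9000 bytes_out=500
src=198.51.100.10 method=POST uri=/saml/idp bytes_in=30000 bytes_out=2000
"""

SIGMA = 3.0        # mirrors: where size > avg_size + (3*std_size)
RATIO = 5.0        # mirrors: where ratio > 5
MIN_BASELINE = 5   # do not score an endpoint with too few baseline samples


def parse(log):
    """Turn key=value records into dicts with integer byte counts."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = dict(kv.split("=", 1) for kv in line.split())
        rec["bytes_in"] = int(rec["bytes_in"])
        rec["bytes_out"] = int(rec["bytes_out"])
        events.append(rec)
    return events


def is_saml_post(rec):
    """Same scoping as the searches: POST and a URI containing /saml."""
    return rec["method"].upper() == "POST" and "/saml" in rec["uri"]


def build_baseline(events):
    """Per-URI (mean, sample stdev) of request bytes, like eventstats by uri."""
    sizes = defaultdict(list)
    for rec in events:
        if is_saml_post(rec):
            sizes[rec["uri"]].append(rec["bytes_in"])
    baseline = {}
    for uri, vals in sizes.items():
        if len(vals) >= MIN_BASELINE:
            baseline[uri] = (statistics.mean(vals), statistics.stdev(vals))
    return baseline


def size_deviation(events, baseline):
    """Requests whose size exceeds the endpoint's mean + SIGMA * stdev."""
    hits = []
    for rec in events:
        if not is_saml_post(rec):
            continue
        stats = baseline.get(rec["uri"])
        if stats is None:
            continue  # no usable baseline for this endpoint: do not guess
        mean, std = stats
        if rec["bytes_in"] > mean + SIGMA * std:
            hits.append(rec)
    return hits


def size_asymmetry(events):
    """Responses more than RATIO times larger than the request (req_bytes > 0)."""
    hits = []
    for rec in events:
        if not is_saml_post(rec) or rec["bytes_in"] <= 0:
            continue
        if rec["bytes_out"] / rec["bytes_in"] > RATIO:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    review = parse(REVIEW_LOG)
    for hit in size_deviation(review, baseline):
        print("oversized request:", hit["src"], hit["uri"], hit["bytes_in"])
    for hit in size_asymmetry(review):
        print("oversized response:", hit["src"], hit["uri"], hit["bytes_out"])
```

Unlike the eventstats search, which computes avg and stdev over the same window it scores, this version learns the baseline from a separate window; in a small window a single oversized request inflates the stdev enough to hide itself, which is why the tuning note above asks for a local baseline per endpoint.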
Rule Name
CyberDax SAML Session Activity Without Expected Authentication Event
Purpose
Detect session or token usage without a corresponding authentication event, indicating possible reuse of exposed authentication artifacts.
ATT&CK Technique
T1555 – Credentials from Password Stores (Adapted to Application Memory Exposure Context)
Telemetry Dependency
· Identity or authentication logs
· Session or token identifiers
· Authentication success events
Tuning Explanation
· Normalize session or token identifiers
· Baseline expected federation and service-account flows
· Use a bounded correlation window to reduce false positives caused by delayed logging or long-lived benign sessions
Detection Logic
· Session or token use observed
· No corresponding recent authentication or issuance event
Operational Context
Primary detection for post-exposure session misuse.
Logical Notes
Conditional
· Requires session or token correlation capability
· Requires normalized identity action values
· The join form is bounded by Splunk subsearch limits (result count and runtime); at identity-log volumes that exceed them, rewrite the correlation as a single stats pass keyed on session_id
Rule Regret Check
Deployment caution
Validate identity field mappings and event sequencing before alerting.
Confidence caution
May include edge-case federation behavior if not tuned.
Coverage value
Directly targets authentication artifact misuse.
Execution Validity Status
Conditional production-ready
System-Ready Code
index=auth OR index=identity
| eval session_id=coalesce(session_id, token_id, assertion_id, auth_context_id)
| eval action=coalesce(action, event_name, operation)
| where action IN ("session_start","session_validate","token_use","assertion_consume")
| join type=left session_id [
search index=auth OR index=identity
| eval session_id=coalesce(session_id, token_id, assertion_id, auth_context_id)
| eval action=coalesce(action, event_name, operation)
| where action IN ("authentication_success","assertion_issue","token_issue")
| stats latest(_time) as auth_time by session_id
]
| eval delta=_time-auth_time
| where isnull(auth_time) OR delta < 0 OR delta > 3600
Rule Name
CyberDax Authentication Token Reuse Across Distinct Source Contexts
Purpose
Detect reuse of the same session or token across multiple source IPs, indicating possible use of exposed authentication artifacts.
ATT&CK Technique
T1555 – Credentials from Password Stores (Adapted to Application Memory Exposure Context)
Telemetry Dependency
· Identity or authentication logs
· Session or token identifiers
· Source IP visibility
Tuning Explanation
· Baseline expected user mobility and proxy behavior
· Tune threshold based on environment
· Run over a bounded observation window to reduce false positives from long-lived sessions
Detection Logic
· Same session or token used from multiple source IPs within a bounded period
Operational Context
Detects early-stage token reuse following exposure.
Logical Notes
Conditional
· Requires reliable session and IP correlation
· Stronger where proxy and roaming patterns are well understood
Rule Regret Check
· Deployment caution
Account for VPNs and proxies before alerting.
· Confidence caution
Multiple IPs may occur in legitimate scenarios.
· Coverage value
Practical indicator of session or token misuse.
Execution Validity Status
Conditional production-ready
System-Ready Code
index=auth OR index=identity
| eval session_id=coalesce(session_id, token_id, assertion_id, auth_context_id)
| eval src_ip=coalesce(src_ip, client_ip)
| stats dc(src_ip) as ip_count values(src_ip) as src_ips earliest(_time) as first_seen latest(_time) as last_seen by session_id
| eval session_span=last_seen-first_seen
| where ip_count > 1 AND session_span <= 86400
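The two identity-layer analytics above (artifact use without a recent authentication or issuance event, and the same artifact used from more than one source IP) as one stand-alone Python implementation over constructed identity events. This is an added example, not code from the CyberDax report or from Citrix; the raw field names, the coalesce order and every event are assumptions. Unlike the join form, it only counts an issuance that happened at or before the use, so an issuance logged after the use (the delta < 0 case in the SPL) is reported as a missing prior issuance rather than as cover.

```python
"""Identity-layer correlation for exposed authentication artifacts.

Added illustration; not code from the CyberDax report or from Citrix. It
implements the two Splunk identity analytics above in plain Python over
constructed events: artifact use without an issuance inside a bounded
window, and the same artifact used from more than one source IP within a
bounded span. The raw field names and every event are assumptions; the
coalesce() step mirrors the eval/coalesce normalisation the rules rely on.
"""
from collections import defaultdict

ISSUE_ACTIONS = {"authentication_success", "assertion_issue", "token_issue"}
USE_ACTIONS = {"session_start", "session_validate", "token_use", "assertion_consume"}

T0 = 1_700_000_000  # constructed epoch base

# Constructed events. A: normal login, then reuse from a second IP.
# B: validation with no issuance at all. C: token used 2h after issue.
# D: assertion consumed before it was issued (replay or clock skew).
RAW_EVENTS = [
    {"_time": T0,        "session_id": "A", "action": "authentication_success", "src_ip": "198.51.100.5"},
    {"_time": T0 + 300,  "session_id": "A", "action": "session_validate",       "src_ip": "198.51.100.5"},
    {"_time": T0 + 900,  "session_id": "A", "action": "session_validate",       "src_ip": "203.0.113.7"},
    {"_time": T0 + 100,  "session_id": "B", "event_name": "session_validate",   "client_ip": "203.0.113.7"},
    {"_time": T0,        "token_id": "C",   "action": "token_issue",            "src_ip": "10.0.0.9"},
    {"_time": T0 + 7200, "token_id": "C",   "action": "token_use",              "src_ip": "10.0.0.9"},
    {"_time": T0 + 500,  "assertion_id": "D", "action": "assertion_issue",      "src_ip": "10.0.0.9"},
    {"_time": T0 + 200,  "assertion_id": "D", "action": "assertion_consume",    "src_ip": "10.0.0.9"},
]


def coalesce(record, *keys):
    """First non-null value among keys, like Splunk's coalesce()."""
    for k in keys:
        if record.get(k) is not None:
            return record[k]
    return None


def normalize(raw):
    """One artifact id, one action and one source field per event."""
    return [{
        "ts": r["_time"],
        "artifact": coalesce(r, "session_id", "token_id", "assertion_id", "auth_context_id"),
        "action": coalesce(r, "action", "event_name", "operation"),
        "src_ip": coalesce(r, "src_ip", "client_ip"),
    } for r in raw]


def use_without_recent_issuance(events, window=3600):
    """(artifact, use_ts, reason) for uses with no issuance inside `window`.

    Only issuance at or before the use counts. An issuance logged after the
    use (delta < 0 in the SPL) is reported as no_prior_issuance.
    """
    issued = defaultdict(list)
    for e in events:
        if e["action"] in ISSUE_ACTIONS and e["artifact"] is not None:
            issued[e["artifact"]].append(e["ts"])
    findings = []
    for e in events:
        if e["action"] not in USE_ACTIONS or e["artifact"] is None:
            continue
        prior = [t for t in issued[e["artifact"]] if t <= e["ts"]]
        if not prior:
            findings.append((e["artifact"], e["ts"], "no_prior_issuance"))
        elif e["ts"] - max(prior) > window:
            findings.append((e["artifact"], e["ts"], "issuance_older_than_window"))
    return findings


def reuse_across_sources(events, max_span=86400):
    """{artifact: sorted IPs} for artifacts seen from more than one source IP
    within max_span seconds of first to last observation (dc(src_ip) > 1)."""
    seen = defaultdict(list)
    for e in events:
        if e["artifact"] is not None and e["src_ip"] is not None:
            seen[e["artifact"]].append((e["ts"], e["src_ip"]))
    hits = {}
    for artifact, obs in seen.items():
        ips = {ip for _, ip in obs}
        span = max(t for t, _ in obs) - min(t for t, _ in obs)
        if len(ips) > 1 and span <= max_span:
            hits[artifact] = sorted(ips)
    return hits


if __name__ == "__main__":
    events = normalize(RAW_EVENTS)
    print(use_without_recent_issuance(events))
    print(reuse_across_sources(events))
```

Both functions take the window as a parameter so the 60-minute and 24-hour bounds from the tuning notes can be adjusted against local federation behaviour before the logic is ported back into a scheduled search.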
S25 Group 1 — Initial Access and Credential Exposure
Detection Family — Authentication Endpoint Abuse, Enumeration, and Pre-Exploitation Pressure
Family Positioning
This rule family is designed to surface early hostile interaction patterns against exposed NetScaler SAML Identity Provider infrastructure before or alongside exploit-shaping behavior. It focuses on:
· repeated non-trusted targeting of validated IdP endpoints
· short-window burst pressure suggestive of automated staging
· multi-asset probing behavior
· host-side request-handling stress signals in VPX / host-observable deployments
· SIEM-layer correlation of persistent endpoint abuse patterns
This family is strongest where:
· external IdP paths are known and locally validated
· trusted-source suppression is available
· source IP fidelity is stable
· HTTP metadata is visible at the network or logging layer
· host-observable NetScaler deployments exist for endpoint correlation
Within this family:
Primary detections are the Splunk repeated-targeting and pressure-correlation analytics where normalized logging and trusted-source controls exist
Supporting detections are the Suricata ingress-pressure rules where HTTP visibility exists
Conditional detections are the SentinelOne host-side service-abuse analytics in VPX or other host-observable deployments
Suricata
Rule Name
CyberDax NetScaler SAML IdP Repeated External POST Pressure
Purpose
Detect repeated external HTTP POST targeting of locally validated NetScaler SAML IdP endpoints from non-approved sources, consistent with exploit staging, endpoint abuse, or persistent hostile pressure against exposed identity infrastructure.
ATT&CK Technique
T1190 – Exploit Public-Facing Application
T1595 – Active Scanning
Telemetry Dependency
· Suricata with HTTP parser enabled
· HTTP traffic visible in cleartext or through a decryption / inspection point
· HTTP method visibility
· URI visibility
· Source IP visibility
· Validated NetScaler SAML IdP destination scoping
Tuning Explanation
· NETSCALER_IDP_HOSTS must include only confirmed NetScaler ADC assets serving SAML IdP traffic
· The URI pattern is a deployment template and must be reduced or replaced with exact locally validated IdP paths before production use
· Request-count thresholds must be tuned against real SSO traffic patterns, federation partner behavior, and approved synthetic monitoring
· Known scanners, health checks, and partner testing sources should be suppressed outside the rule where possible
· If HTTP traffic is not visible, this rule is not executable as written
Detection Logic
· Require HTTP POST
· Require targeting of locally validated SAML IdP paths
· Detect repeated requests from the same external source over a short interval
· Surface sustained abusive pressure, not confirmed exploit success
Operational Context
Use as a network-layer pre-exploitation pressure analytic where HTTP metadata and source tracking are visible.
Logical Notes
Conditional
· Requires local IdP path validation before deployment
· Requires threshold tuning against normal SSO behavior
· Not executable where HTTP visibility is unavailable
· Should not be treated as proof of compromise by itself
Rule Regret Check
· Deployment caution
Tune request-count thresholds against legitimate SSO and federation patterns before production use.
· Confidence caution
Repeated endpoint pressure indicates hostile attention or staging, not confirmed exploit success.
· Coverage value
This rule helps surface persistent pre-exploitation pressure that may precede stronger exploit-specific signals.
Execution Validity Status
Conditional production-ready
System-Ready Code
alert http $EXTERNAL_NET any -> $NETSCALER_IDP_HOSTS any (
msg:"CYBERDAX NetScaler SAML IdP repeated external POST pressure";
flow:to_server,established;
http.method; content:"POST";
http.uri; pcre:"/\/(saml|saml\/login|saml\/idp|cgi\/saml|nf\/auth\/saml)(\/|$|\?)/i";
detection_filter:track by_src, count 8, seconds 90;
classtype:web-application-attack;
sid:7305401; rev:3;
)
Rule Name
CyberDax NetScaler SAML IdP Short-Window Burst Abuse
Purpose
Detect compressed, high-rate burst targeting of locally validated NetScaler SAML IdP endpoints from a single external source, consistent with automated staging, endpoint validation, or rapid exploit-delivery pressure.
ATT&CK Technique
T1190 – Exploit Public-Facing Application
T1595 – Active Scanning
Telemetry Dependency
· Suricata with HTTP parser enabled
· HTTP method visibility
· URI visibility
· Source IP visibility
· Validated NetScaler SAML IdP destination scoping
· HTTP visibility required
Tuning Explanation
· This rule is intentionally distinct from repeated-pressure logic by focusing on compressed high-rate activity rather than sustained access
· URI paths must be locally validated before production use
· Burst thresholds must be tuned against approved synthetic traffic, federation failover testing, and legitimate high-volume SSO bursts
· In environments with unstable IdP routing or poor HTTP visibility, keep this supporting only
Detection Logic
· Require HTTP POST to validated IdP paths
· Detect high-rate source activity in a short interval
· Surface aggressive automated ingress behavior
Operational Context
Use as a supporting network-layer analytic for rapid pre-exploitation pressure against exposed IdP endpoints.
Logical Notes
Conditional
· Requires local path validation
· Requires threshold tuning
· Not executable where HTTP visibility is unavailable
· Best used as a supporting automation / staging signal, not a standalone compromise analytic
Rule Regret Check
· Deployment caution
Calibrate burst thresholds carefully against legitimate high-volume identity events before production alerting.
· Confidence caution
Treat burst activity as an automation or staging signal, not direct evidence of successful exploitation.
· Coverage value
This rule can expose fast-moving abuse patterns that slower repeated-targeting analytics may miss initially.
Execution Validity Status
Conditional production-ready
System-Ready Code
alert http $EXTERNAL_NET any -> $NETSCALER_IDP_HOSTS any (
msg:"CYBERDAX NetScaler SAML IdP short-window burst abuse";
flow:to_server,established;
http.method; content:"POST";
http.uri; pcre:"/\/(saml|saml\/login|saml\/idp|cgi\/saml|nf\/auth\/saml)(\/|$|\?)/i";
detection_filter:track by_src, count 14, seconds 40;
classtype:web-application-attack;
sid:7305402; rev:3;
)
SentinelOne
Implementation Hardening Note
The SentinelOne rules below assume a Deep Visibility-style event model. Because tenant field names, query grammar, aggregation support, and event-correlation capabilities vary, these rules are not production-ready as written across tenants and should be treated as templates that require local adaptation.
Rule Name
CyberDax NetScaler Request-Handling Service Burst Activity
Purpose
Detect abnormal bursts of request-handling or authentication-service process activity on VPX or other host-observable NetScaler deployments, which may indicate endpoint abuse, repeated hostile targeting, or exploit-preparation pressure against IdP services.
ATT&CK Technique
T1190 – Exploit Public-Facing Application
Telemetry Dependency
· SentinelOne process telemetry
· Repeated process-event visibility or equivalent searchable process history
· Host-observable NetScaler deployment model
· Confirmed local service / process names associated with SAML / IdP request handling
Tuning Explanation
· Confirm actual request-handling service / process names in the local deployment before use
· This rule is only meaningful where repeated process-event visibility is available and burst conditions can be measured over short windows
· Legitimate authentication surges, maintenance, and health-check activity must be baselined and suppressed
· If the tenant query surface cannot express burst logic directly, use this as a hunt template rather than a production alert rule
Detection Logic
· Scope to VPX or host-observable NetScaler systems
· Detect elevated or burst-like request-handling service activity beyond local baseline
· Exclude known maintenance and expected high-volume authentication activity
Operational Context
Use as a host-side stress / abuse analytic in deployments where NetScaler request handling is visible through EDR process telemetry.
Logical Notes
Local adaptation required
· Requires tenant-specific field validation
· Requires confirmed local service naming
· Requires local burst / baseline methodology
· May require translation into tenant-supported hunt, aggregation, or alerting syntax
· Not applicable to appliance-only deployments
Rule Regret Check
Deployment caution
Confirm service naming and local activity baselines before production use to avoid misclassifying legitimate authentication surges.
Confidence caution
Elevated process activity suggests stress or abuse, but does not by itself prove exploit success.
Coverage value
This rule adds useful host-side pressure visibility in VPX deployments where network-layer telemetry may be incomplete.
Execution Validity Status
Local adaptation required
System-Ready Code (tenant-adaptation template)
endpoint.name matches "(?i)(netscaler|adc|citrix-adc|ns-vpx|idp)"
and event.type = "Process Creation"
and (
tgt.process.name matches "(?i)^(nsapimgr|nsppe|httpd|nginx)$"
or src.process.name matches "(?i)^(nsapimgr|nsppe|httpd|nginx)$"
)
and not coalesce(tgt.process.cmdline,"") matches "(?i)(approved-maintenance-window|vendor-support-session|health-check|known-admin-script|netscaler-upgrade|support-bundle)"
Rule Name
CyberDax NetScaler Request-Handling Stress with Subsequent Outbound Activity
Purpose
Detect elevated NetScaler request-handling service activity followed by outbound network behavior, increasing confidence that observed host-side stress may reflect exploit staging or abusive endpoint interaction rather than benign load alone.
ATT&CK Technique
T1190 – Exploit Public-Facing Application
T1071 – Application Layer Protocol
Telemetry Dependency
· SentinelOne process telemetry
· SentinelOne endpoint network telemetry
· Host-observable NetScaler deployment model
· Confirmed ability to correlate process and network events in the tenant
Tuning Explanation
· Confirm exact process and network field names before deployment
· Validate that process and network events can be correlated by endpoint and time window
· Use outbound allowlisting where possible instead of weakening detection criteria
· If endpoint network telemetry is weak or delayed, keep this supporting after local adaptation
· Do not represent this as universal coverage for appliance-only NetScaler deployments
· If the tenant cannot support the correlation model as written, use this as a hunt / investigation template instead of a production alert
Detection Logic
· Detect elevated or suspicious request-handling service activity
· Require subsequent endpoint-observed network activity from the same host context
· Exclude known benign operational workflows
Operational Context
Use as a higher-confidence host-side confirmation analytic in validated VPX or host-observable NetScaler deployments.
Logical Notes
Local adaptation required
· Requires tenant-specific field and operator validation
· Requires usable endpoint network telemetry
· Requires confirmed correlation capability
· May require redesign into tenant-supported correlation logic
· Not applicable to appliance-only deployments
Rule Regret Check
· Deployment caution
Validate endpoint network telemetry quality and process/network correlation behavior before production use.
· Confidence caution
Treat this as a higher-confidence confirmation signal only after tenant-specific validation, not universal logic.
· Coverage value
This rule improves confidence by linking host-side service stress with subsequent outbound behavior in supported deployments.
Execution Validity Status
Local adaptation required
System-Ready Code (tenant-adaptation template)
endpoint.name matches "(?i)(netscaler|adc|citrix-adc|ns-vpx|idp)"
and event.type = "Process Creation"
and (
tgt.process.name matches "(?i)^(nsapimgr|nsppe|httpd|nginx)$"
or src.process.name matches "(?i)^(nsapimgr|nsppe|httpd|nginx)$"
)
and endpoint.id in (
from events
where event.type = "Network Connection"
and endpoint.name matches "(?i)(netscaler|adc|citrix-adc|ns-vpx|idp)"
select endpoint.id
)
and not coalesce(tgt.process.cmdline,"") matches "(?i)(approved-maintenance-window|vendor-support-session|health-check|known-admin-script|netscaler-upgrade|support-bundle)"
Splunk
Implementation Hardening Note
The Splunk rules below assume a normalized logging model with supporting lookups and stable source tracking. They are conditional rather than universal drop-in content unless the environment provides:
· reliable source IP fields
· validated NetScaler IdP asset lookup
· trusted-source lookup
· normalized URI fields
· stable time-window correlation across the selected log sources
Rule Name
CyberDax NetScaler IdP Endpoint Request Burst from Single Source
Purpose
Detect high-frequency request bursts from a single non-trusted source to validated NetScaler SAML IdP endpoints, indicating exploit staging, endpoint abuse, or concentrated pre-exploitation pressure.
ATT&CK Technique
T1595 – Active Scanning
T1190 – Exploit Public-Facing Application
Telemetry Dependency
· Splunk search over web/proxy/WAF/load-balancer logs
· Reliable source IP visibility
· HTTP method visibility
· URI visibility
· netscaler_idp_assets lookup
· trusted_idp_sources lookup
· Correlatable time windows
Tuning Explanation
· The like(norm_uri,"%/saml%") condition is a starter filter and should be narrowed to exact validated IdP paths where possible
· Request-count thresholds must be tuned against real SSO behavior and approved federation partner flows
· Trusted-source suppression must be in place before production alerting
· If source IP fidelity is weak because of intermediaries, normalize or reconstruct client IP before deployment
· If burst thresholds are not tuned locally, keep this Hunt-only
Detection Logic
· Identify POST requests from non-trusted sources to validated IdP assets
· Group by source, destination, and time window
· Surface bursts exceeding locally tuned request-count thresholds
Operational Context
Use as a primary pre-exploitation pressure analytic in mature SIEM environments with reliable source tracking and trusted-source suppression.
Logical Notes
Conditional
· Requires trusted-source suppression
· Requires stable source-IP fidelity
· Requires threshold tuning against normal SSO patterns
· Not executable as intended without validated IdP path scope
Rule Regret Check
· Deployment caution
Tune burst thresholds carefully and ensure trusted-source suppression is complete before production alerting.
· Confidence caution
High-volume request bursts may still reflect benign identity activity unless environment-specific tuning is mature.
· Coverage value
This rule is useful for surfacing concentrated pre-exploitation pressure that may precede stronger exploit-specific anomalies.
Execution Validity Status
Conditional production-ready
System-Ready Code
(index=web OR index=proxy OR index=waf OR index=lb)
| eval norm_dest=coalesce(dest, host, virtual_host, site, server_name)
| eval norm_src=coalesce(src_ip, src, client_ip, c_ip, x_forwarded_for)
| eval norm_uri=coalesce(uri, uri_path, request_uri, url, cs_uri_stem)
| eval norm_method=upper(coalesce(method, http_method, cs_method))
| lookup netscaler_idp_assets asset_value as norm_dest OUTPUT asset_value as matched_asset
| where isnotnull(matched_asset)
| lookup trusted_idp_sources src_value as norm_src OUTPUT src_value as trusted_src
| where isnull(trusted_src)
| where norm_method="POST"
| where like(norm_uri,"%/saml%")
| bin _time span=2m
| stats count as burst_count values(norm_uri) as targeted_paths by _time norm_src norm_dest
| where burst_count >= 10
Rule Name
CyberDax NetScaler IdP Sustained Repeated Targeting from Non-Trusted Source
Purpose
Detect sustained repeated targeting of validated NetScaler SAML IdP endpoints from non-trusted sources over a longer interval, indicating endpoint abuse, enumeration, or repeated exploit preparation.
ATT&CK Technique
T1595 – Active Scanning
T1190 – Exploit Public-Facing Application
Telemetry Dependency
· Splunk search over web/proxy/WAF/load-balancer logs
· Reliable source IP visibility
· URI visibility
· netscaler_idp_assets lookup
· trusted_idp_sources lookup
· Correlatable time windows
Tuning Explanation
· This rule is intentionally distinct from burst logic by measuring sustained repeated targeting over a longer window
· The URI filter should be tightened to exact validated IdP paths where possible
· If source fidelity is weak or intermediaries obscure client identity, normalize before production use
· Tune the sustained-count threshold locally against normal SSO activity and testing workflows
· If trusted-source lookup is incomplete, keep this supporting or Hunt-only
Detection Logic
· Identify repeated POST requests from non-trusted sources to validated IdP assets
· Group over a longer interval than burst detection
· Surface sustained hostile pressure rather than compressed spikes
Operational Context
Use as a complementary repeated-targeting analytic to distinguish sustained abuse from short-burst staging behavior.
Logical Notes
Conditional
· Requires trusted-source suppression
· Requires stable source-IP fidelity
· Requires local threshold tuning
· Not executable as intended without validated IdP path scope
Rule Regret Check
· Deployment caution
Tune sustained-count thresholds against normal identity traffic and testing workflows before alerting.
· Confidence caution
Sustained targeting signals abuse or preparation, but not confirmed exploit success.
· Coverage value
This rule improves visibility into persistent endpoint abuse that would not appear as short bursts alone.
Execution Validity Status
Conditional production-ready
System-Ready Code
(index=web OR index=proxy OR index=waf OR index=lb)
| eval norm_dest=coalesce(dest, host, virtual_host, site, server_name)
| eval norm_src=coalesce(src_ip, src, client_ip, c_ip, x_forwarded_for)
| eval norm_uri=coalesce(uri, uri_path, request_uri, url, cs_uri_stem)
| eval norm_method=upper(coalesce(method, http_method, cs_method))
| lookup netscaler_idp_assets asset_value as norm_dest OUTPUT asset_value as matched_asset
| where isnotnull(matched_asset)
| lookup trusted_idp_sources src_value as norm_src OUTPUT src_value as trusted_src
| where isnull(trusted_src)
| where norm_method="POST"
| where like(norm_uri,"%/saml%")
| bin _time span=10m
| stats count as repeat_count values(norm_uri) as targeted_paths by _time norm_src norm_dest
| where repeat_count >= 20
Rule Name
CyberDax NetScaler IdP Multi-Asset Pressure from Single Source
Purpose
Detect one non-trusted source targeting multiple validated NetScaler SAML IdP assets in a short interval, indicating coordinated endpoint probing or distributed exploit preparation across exposed identity-boundary infrastructure.
ATT&CK Technique
T1595 – Active Scanning
Telemetry Dependency
· Splunk search over web/proxy/WAF/load-balancer logs
· Reliable source IP visibility
· Destination asset visibility
· netscaler_idp_assets lookup
· trusted_idp_sources lookup
Tuning Explanation
· Use only where more than one IdP asset, edge, VIP, or regional listener exists
· If only one IdP asset exists, do not use this rule
· Tighten URI filter to exact validated IdP paths where possible
· Tune breadth thresholds against legitimate federation partner behavior and synthetic monitoring
· If asset inventory is incomplete, keep this supporting or Hunt-only
Detection Logic
· Identify POST requests from non-trusted sources to validated IdP assets
· Group by source over a short window
· Surface single sources hitting more than one IdP asset
Operational Context
Use as a higher-context pressure analytic in multi-edge or multi-asset NetScaler IdP deployments.
Logical Notes
Conditional
· Requires more than one IdP asset in scope
· Requires trusted-source suppression
· Requires reliable source-IP fidelity
· Not meaningful in single-asset deployments
Rule Regret Check
· Deployment caution
Use only where multi-asset IdP inventory is accurate and current.
· Confidence caution
Multi-asset pressure suggests coordinated probing, but not necessarily successful exploitation.
· Coverage value
This rule is valuable in multi-edge environments because it highlights distributed hostile attention across identity infrastructure.
Execution Validity Status
Conditional production-ready
System-Ready Code
(index=web OR index=proxy OR index=waf OR index=lb)
| eval norm_dest=coalesce(dest, host, virtual_host, site, server_name)
| eval norm_src=coalesce(src_ip, src, client_ip, c_ip, x_forwarded_for)
| eval norm_uri=coalesce(uri, uri_path, request_uri, url, cs_uri_stem)
| eval norm_method=upper(coalesce(method, http_method, cs_method))
| lookup netscaler_idp_assets asset_value as norm_dest OUTPUT asset_value as matched_asset
| where isnotnull(matched_asset)
| lookup trusted_idp_sources src_value as norm_src OUTPUT src_value as trusted_src
| where isnull(trusted_src)
| where norm_method="POST"
| where like(norm_uri,"%/saml%")
| bin _time span=5m
| stats dc(norm_dest) as targeted_assets values(norm_dest) as asset_list values(norm_uri) as targeted_paths by _time norm_src
| where targeted_assets > 1
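The three Splunk pressure analytics above (2-minute burst, 10-minute sustained targeting, multi-asset probing) as one stand-alone Python implementation over constructed access-log records, with the same scoping steps: validated IdP asset lookup, trusted-source suppression, POST to a /saml path, fixed time bins. A sliding-window variant reproduces the Suricata detection_filter semantics (count N within M seconds, tracked by source) so the two windowing models can be compared on the same data. This is an added example, not code from the CyberDax report or from Citrix; the hostnames, addresses and every record are assumptions.

```python
"""Pre-exploitation pressure analytics over constructed access-log records.

Added illustration; not code from the CyberDax report or from Citrix. It
implements the three Splunk rules above (2-minute burst, 10-minute
sustained targeting, multi-asset probing) with the same scoping steps, and
a sliding-window variant that mirrors Suricata's detection_filter
(count N within M seconds per source). Hostnames, addresses and all
records are assumptions.
"""
from collections import Counter, defaultdict

IDP1, IDP2 = "ns-idp-1.example.net", "ns-idp-2.example.net"
IDP_ASSETS = {IDP1, IDP2}            # stands in for the netscaler_idp_assets lookup
TRUSTED_SOURCES = {"192.0.2.20"}     # stands in for the trusted_idp_sources lookup
T0 = 1_700_000_400                   # constructed epoch base, aligned to 2m/5m/10m bins


def _post(ts, src, dest, uri="/saml/login"):
    return {"ts": ts, "src": src, "dest": dest, "method": "POST", "uri": uri}


# Constructed traffic: one fast source hitting two assets, one slow
# sustained source, a trusted monitor, an ordinary user, and a scanner
# hitting a host that is not a validated IdP asset.
SAMPLE_LOGS = (
    [_post(T0 + 10 * i, "203.0.113.50", IDP1) for i in range(12)]
    + [_post(T0 + 60, "203.0.113.50", IDP2), _post(T0 + 65, "203.0.113.50", IDP2)]
    + [_post(T0 + 30 * i, "203.0.113.70", IDP1) for i in range(20)]
    + [_post(T0 + 2 * i, "192.0.2.20", IDP1, "/saml/idp") for i in range(30)]
    + [_post(T0 + 30 + 10 * i, "198.51.100.8", IDP1) for i in range(3)]
    + [_post(T0 + i, "203.0.113.60", "portal.example.net") for i in range(15)]
)


def scoped(records, assets, trusted):
    """Asset lookup, trusted-source suppression, method and URI filters."""
    return [r for r in records
            if r["dest"] in assets and r["src"] not in trusted
            and r["method"].upper() == "POST" and "/saml" in r["uri"]]


def _bin(ts, span):
    return ts - ts % span   # equivalent of `bin _time span=<span>`


def request_pressure(records, assets, trusted, span, threshold):
    """(bin, src, dest) -> count for bins that meet the threshold.

    span=120, threshold=10 is the burst rule; span=600, threshold=20 is
    the sustained-targeting rule.
    """
    counts = Counter()
    for r in scoped(records, assets, trusted):
        counts[(_bin(r["ts"], span), r["src"], r["dest"])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def multi_asset_sources(records, assets, trusted, span=300):
    """(bin, src) -> sorted assets for sources touching more than one asset."""
    dests = defaultdict(set)
    for r in scoped(records, assets, trusted):
        dests[(_bin(r["ts"], span), r["src"])].add(r["dest"])
    return {k: sorted(v) for k, v in dests.items() if len(v) > 1}


def sliding_pressure(records, assets, trusted, count, seconds):
    """Sources with `count` requests inside any `seconds`-long sliding window,
    across all assets (detection_filter: track by_src, count N, seconds M).

    Fixed bins can split a burst across a bin boundary; a sliding window
    cannot, which is why the Suricata rule and the Splunk rule can disagree
    on the same traffic.
    """
    times = defaultdict(list)
    for r in scoped(records, assets, trusted):
        times[r["src"]].append(r["ts"])
    hits = []
    for src, ts in times.items():
        ts.sort()
        if any(ts[i + count - 1] - ts[i] <= seconds
               for i in range(len(ts) - count + 1)):
            hits.append(src)
    return sorted(hits)


if __name__ == "__main__":
    print(request_pressure(SAMPLE_LOGS, IDP_ASSETS, TRUSTED_SOURCES, 120, 10))
    print(request_pressure(SAMPLE_LOGS, IDP_ASSETS, TRUSTED_SOURCES, 600, 20))
    print(multi_asset_sources(SAMPLE_LOGS, IDP_ASSETS, TRUSTED_SOURCES))
    print(sliding_pressure(SAMPLE_LOGS, IDP_ASSETS, TRUSTED_SOURCES, 8, 90))
```

On this data the slow source at one request every 30 seconds never trips the burst bin or the 8-in-90-seconds sliding window but does trip the 10-minute sustained rule, which is the separation the two Splunk rules are meant to provide; the trusted monitor, which sends the most requests of any source, is invisible to all four functions because suppression happens before counting.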
Elastic
System Positioning
For this report, Elastic is supporting, not primary.
The strongest detections for CVE-2026-3055 are still the network and identity-correlation signals already covered in Suricata and Splunk, because the observed chain in the report is:
· T1190 – Exploit Public-Facing Application
· T1555 – Credentials from Password Stores (Adapted to Application Memory Exposure Context)
Elastic should therefore include only the highest-value supporting identity-abuse detections and should not try to replicate every network-layer analytic already handled elsewhere.
Rule Name
CyberDax NetScaler Identity Artifact Use Without Expected Authentication Sequence
Purpose
Identify session validation, token use, or assertion consumption events that are not preceded by a corresponding authentication success or issuance event, indicating potential misuse of exposed authentication artifacts.
ATT&CK Technique
T1555 – Credentials from Password Stores (Adapted to Application Memory Exposure Context)
Telemetry Dependency
· Elastic identity or authentication logs
· Required fields, with at least one artifact field preserved:
o related.session
o token.id
· event.action
· @timestamp
· user.name or equivalent principal field
Tuning Explanation
· Normalize artifact identifier using:
o COALESCE(session.id, authentication.id, related.session, token.id, assertion.id)
· Normalize user and source fields before production use:
o principal = COALESCE(user.name, user.name.keyword, user, src_user)
o src_ip = COALESCE(source.ip, client.ip, src_ip)
· Restrict to environments where authentication and assertion events are available in the same Elastic environment
· Suppress:
o federation brokers
o service accounts
o trusted identity infrastructure
· Use a bounded correlation window of 60 minutes
· If artifact identifiers are not reliably preserved, do not promote this rule to production alerting
· ES|QL rejects a query that names a column absent from the selected indices, so remove any field in the COALESCE lists that is not mapped locally before running
Detection Logic
· Identify session validation, token use, or assertion consumption events
· Correlate those events against recent expected authentication or issuance events on the same artifact identifier
· Surface cases where artifact use occurs without expected authentication context
Operational Context
This is the primary Elastic identity-abuse analytic for this report. It is useful where the organization keeps mature identity telemetry in Elastic and can correlate artifact use with recent authentication flow.
Logical Notes
Local adaptation required
· Requires backend correlation capability or scheduled enrichment workflow
· Requires normalized identity action values
· Not universally deployable as a single standalone rule in all Elastic environments
Rule Regret Check
Deployment caution
Validate artifact field preservation and identity event sequencing before enabling production alerting.
Confidence caution
Apparent missing authentication may reflect telemetry gaps or delayed indexing if identity logging is incomplete.
Coverage value
Directly detects reuse of exposed authentication artifacts outside expected authentication flow.
Execution Validity Status
Local adaptation required (correlation package)
System-Ready Code (Component A — Artifact Use)
FROM logs-*,filebeat-*,winlogbeat-*,auditbeat-*
| WHERE event.category == "authentication"
| EVAL artifact_id = COALESCE(session.id, authentication.id, related.session, token.id, assertion.id)
| EVAL principal = COALESCE(user.name, user.name.keyword, user, src_user)
| EVAL action = TO_LOWER(event.action)
| WHERE artifact_id IS NOT NULL
| WHERE action IN ("session_validate","token_use","assertion_consume")
| KEEP @timestamp, principal, artifact_id, source.ip, action
System-Ready Code (Component B — Expected Authentication or Issuance)
FROM logs-*,filebeat-*,winlogbeat-*,auditbeat-*
| WHERE event.category == "authentication"
| EVAL artifact_id = COALESCE(session.id, authentication.id, related.session, token.id, assertion.id)
| EVAL principal = COALESCE(user.name, user.name.keyword, user, src_user)
| EVAL action = TO_LOWER(event.action)
| WHERE artifact_id IS NOT NULL
| WHERE action IN ("authentication_success","assertion_issue","token_issue")
| KEEP @timestamp, principal, artifact_id, source.ip, action
Implementation Hardening Note
Use Component A and Component B as a deployable correlation package. In production, the backend must correlate artifact use without matching preceding authentication or issuance on the same normalized artifact identifier within the configured time window.
Rule Name
CyberDax NetScaler Authentication Artifact Reuse Across Distinct Source Contexts
Purpose
Detect reuse of the same authentication artifact across multiple distinct source contexts, indicating likely token or session compromise after authentication artifact exposure.
ATT&CK Technique
T1555 – Credentials from Password Stores (Adapted to Application Memory Exposure Context)
Telemetry Dependency
· Elastic identity or authentication logs
· Artifact identifier field, normalized
· Source IP
· Optional geographic, device, or user-agent context
Tuning Explanation
· Normalize:
o artifact_id = COALESCE(session.id, authentication.id, related.session, token.id, assertion.id)
· Normalize source context:
o src_ip = COALESCE(source.ip, client.ip, src_ip)
o src_geo = COALESCE(source.geo.country_name, source.geo.country_iso_code)
· Suppress trusted:
o VPN concentrators
o proxy infrastructure
o federation brokers
· Require:
o minimum event count greater than 3
o bounded observation window no longer than 24 hours
· Stronger where device or user-agent context is also present
Detection Logic
· Same artifact used
· Multiple distinct source contexts
· Minimum activity threshold met
Operational Context
This is the strongest supporting Elastic rule for session or token reuse after memory-derived artifact exposure.
Logical Notes
Conditional
· Requires source-IP fidelity
· Stronger with geo or device enrichment
· Must be tuned against local mobility and proxy behavior
Rule Regret Check
· Deployment caution
Account for proxy and VPN environments before enabling production alerting.
· Confidence caution
Distributed access may still be legitimate in some architectures.
· Coverage value
High-value identity misuse detection for exposed session or token reuse.
Execution Validity Status
Conditional production-ready
System-Ready Code
FROM logs-*,filebeat-*,winlogbeat-*,auditbeat-*
| WHERE event.category == "authentication"
| EVAL artifact_id = COALESCE(session.id, authentication.id, related.session, token.id, assertion.id)
| EVAL src_ip = COALESCE(source.ip, client.ip, src_ip)
| EVAL src_geo = COALESCE(source.geo.country_name, source.geo.country_iso_code)
| EVAL action = TO_LOWER(event.action)
| WHERE action IN ("session_validate","token_use","assertion_consume")
| WHERE artifact_id IS NOT NULL AND src_ip IS NOT NULL
| STATS src_count = COUNT_DISTINCT(src_ip),
        geo_count = COUNT_DISTINCT(src_geo),
        event_count = COUNT(*),
        src_ips = VALUES(src_ip),
        geos = VALUES(src_geo)
  BY artifact_id
| WHERE event_count > 3 AND (src_count > 1 OR geo_count > 1)
QRadar
System Positioning
QRadar provides supporting identity-layer detection for this report.
Detection scope is strictly limited to:
· T1555 – Credentials from Password Stores (Adapted to Application Memory Exposure Context)
No additional behaviors are introduced. No privilege, persistence, or generic anomaly detections are included.
Mandatory Implementation Requirement
Custom Property
CYBERDAX_ARTIFACT_ID
Extraction Priority
· session_id
· authentication_id
· assertion_id
· token_id
If a stable artifact identifier cannot be extracted, do not deploy these rules.
Global Implementation Constraint
The following event categories are logical detection classes, not guaranteed DSM values:
· Authentication Success
· Token Issue
· Assertion Issue
· Session Validate
· Token Use
· Assertion Consume
These must be mapped to local DSM values before deployment.
Failure to do so results in non-functional rules.
Rule Name
CyberDax NetScaler Session Artifact Use Without Recent Authentication
Purpose
Detect session, token, or assertion use that occurs without a corresponding recent authentication or issuance event, indicating likely misuse of exposed authentication artifacts.
ATT&CK Technique
T1555 – Credentials from Password Stores (Adapted)
Telemetry Dependency
· Identity or authentication logs in QRadar
· Reliable DSM mapping for authentication and session activity
· Custom property: CYBERDAX_ARTIFACT_ID
· Event timestamp fidelity
Tuning Explanation
· Validate artifact extraction before deployment
· Validate DSM event mappings before deployment
· Suppress:
o federation brokers
o service accounts
o automation identities
· Use a 60-minute correlation window
· If CRE correlation is unreliable, implement as AQL scheduled search instead
Detection Logic
· Artifact-use event occurs
· Artifact identifier is present
· No matching authentication or issuance event exists within prior 60 minutes
Operational Context
Primary identity-layer detection for authentication artifact misuse following memory exposure.
Logical Notes
Conditional
· Requires artifact normalization
· Requires DSM mapping correctness
· Requires event sequencing fidelity
· May require AQL implementation depending on CRE capability
Rule Regret Check
· Deployment caution
Do not deploy without verified artifact extraction and DSM mapping.
· Confidence caution
Missing authentication may reflect telemetry gaps if identity logging is incomplete.
· Coverage value
Direct detection of authentication artifact misuse outside expected authentication flow.
Execution Validity Status
Conditional production-ready
System-Ready Code (CRE-Compatible Approach)
Building Block: Artifact Use
Event Category IN (Session Validate, Token Use, Assertion Consume)
AND CYBERDAX_ARTIFACT_ID IS NOT NULL
Building Block: Expected Authentication
Event Category IN (Authentication Success, Token Issue, Assertion Issue)
AND CYBERDAX_ARTIFACT_ID IS NOT NULL
Rule Logic
WHEN events match BB:Artifact_Use
AND there are no events matching BB:Expected_Authentication
with the same CYBERDAX_ARTIFACT_ID
in the previous 60 minutes
THEN CREATE OFFENSE
Severity: 7
Relevance: 7
Credibility: 7
CRE Limitation Note (Critical)
If the QRadar CRE engine cannot reliably enforce negative correlation (“no prior event”), implement this rule as:
· Scheduled AQL search, or
· Reference-set backed correlation model
Do not rely on unsupported CRE behavior.
Rule Name
CyberDax NetScaler Authentication Artifact Multi-Source Reuse
Purpose
Detect reuse of the same authentication artifact across multiple source IPs, indicating likely session or token compromise.
ATT&CK Technique
T1555 – Credentials from Password Stores (Adapted)
Telemetry Dependency
· Identity or authentication logs
· Source IP fidelity
· Custom property: CYBERDAX_ARTIFACT_ID
Tuning Explanation
Maintain reference set:
CYBERDAX_TRUSTED_IDENTITY_PROXIES
· Suppress:
o VPN gateways
o proxy infrastructure
o federation brokers
· Require:
o multiple events
o bounded 24-hour window
· Validate that source IP reflects true client identity
Detection Logic
· Artifact identifier present
· Same artifact used across multiple distinct source IPs
· Activity exceeds minimum threshold
Operational Context
Primary QRadar detection for distributed reuse of exposed authentication artifacts.
Logical Notes
Conditional
· Requires source-IP fidelity
· Requires proxy suppression
· Requires artifact normalization
Rule Regret Check
· Deployment caution
Account for VPN and proxy concentration before enabling alerting.
· Confidence caution
Multiple source IPs may be legitimate without proper tuning.
· Coverage value
High-value detection for real-world session or token reuse.
Execution Validity Status
Conditional production-ready
System-Ready Code
Reference Set: CYBERDAX_TRUSTED_IDENTITY_PROXIES
WHEN Event Category IN (Session Validate, Token Use, Assertion Consume)
AND CYBERDAX_ARTIFACT_ID IS NOT NULL
AND source IP NOT IN CYBERDAX_TRUSTED_IDENTITY_PROXIES
GROUP BY CYBERDAX_ARTIFACT_ID OVER 24 hours
AND DISTINCT COUNT(source IP) > 1
AND COUNT(*) > 3
THEN CREATE OFFENSE
Severity: 7
Relevance: 6
Credibility: 7
Sigma
System Positioning
Sigma provides portable identity-layer detection logic for this report.
Scope is strictly limited to:
· T1555 – Credentials from Password Stores (Adapted to Application Memory Exposure Context)
Rule Name
CyberDax NetScaler Session Artifact Use Without Recent Authentication
Purpose
Detect session validation, token use, or assertion consumption events that may indicate misuse of exposed authentication artifacts when no corresponding recent authentication or issuance event exists for the same artifact.
ATT&CK Technique
T1555 – Credentials from Password Stores (Adapted to Application Memory Exposure Context)
Telemetry Dependency
· Authentication-category logs
· Normalized artifact identifier field
· Normalized action field
· Backend capable of correlation or rule chaining
Tuning Explanation
· Map local action field to EventAction or equivalent before deployment
· Map local artifact field to ArtifactId before deployment
· Suppress:
o federation brokers
o service accounts
o trusted identity intermediaries
· This rule is not valid as a standalone detection
· It must be implemented with backend-specific correlation logic
Detection Logic
· Identify session validation, token use, or assertion consumption events
· Require presence of normalized artifact identifier
· Use backend correlation to determine whether a recent authentication or issuance event exists for the same artifact within 60 minutes
Operational Context
This rule is a portable building block for identity-artifact misuse detection. It should only be used in backends that can implement event-sequence or missing-prior-event logic.
Logical Notes
Local adaptation required
· Not deployable as a standalone Sigma rule
· Requires backend correlation support
· Requires normalized identity event taxonomy
· Must not be used without backend sequence logic
Rule Regret Check
· Deployment caution
Do not deploy without verified artifact normalization and backend correlation capability.
· Confidence caution
Apparent missing authentication may reflect telemetry gaps or backend limitations rather than true misuse.
· Coverage value
Provides a portable expression of one of the most important practical consequences of authentication artifact exposure.
Execution Validity Status
Local adaptation required (correlation template)
System-Ready Code
title: CyberDax NetScaler Session Artifact Use Without Recent Authentication
id: 7a7f4f11-4a2d-41be-9001-cyberdax-sigma-artifact-use-without-auth
status: test
description: Portable correlation template for session, token, or assertion use events tied to exposed authentication artifacts.
logsource:
    category: authentication
    product: any
detection:
    artifact_use:
        EventAction|contains:
            - session_validate
            - token_use
            - assertion_consume
    has_artifact:
        ArtifactId|exists: true
    condition: artifact_use and has_artifact
fields:
    - EventAction
    - ArtifactId
    - User
    - SourceIp
    - Timestamp
falsepositives:
    - federation brokers
    - service accounts
    - delayed or incomplete identity telemetry
level: high
tags:
    - attack.t1555
Implementation Hardening Note
This rule must be implemented with backend-specific correlation logic equivalent to:
· artifact-use event occurs
· same ArtifactId
· no matching authentication_success, token_issue, or assertion_issue
· within the prior 60 minutes
If the backend cannot support that correlation model, do not deploy this rule.
Rule Name
CyberDax NetScaler Authentication Artifact Multi-Source Reuse
Purpose
Detect reuse of the same authentication artifact across multiple source IPs, indicating likely session or token misuse following authentication artifact exposure.
ATT&CK Technique
T1555 – Credentials from Password Stores (Adapted to Application Memory Exposure Context)
Telemetry Dependency
· Authentication-category logs
· Normalized artifact identifier field
· Normalized source IP field
· Backend capable of aggregation
Tuning Explanation
· Map local action field to EventAction before deployment
· Map local artifact field to ArtifactId before deployment
· Map local source IP field to SourceIp before deployment
· Suppress trusted:
o proxies
o VPN gateways
o federation infrastructure
· Use bounded observation window of 24 hours
· This rule requires backend aggregation support and is not universally executable as raw Sigma alone
Detection Logic
· Identify session validation, token use, or assertion consumption events
· Require presence of normalized artifact identifier
· Group by artifact identifier over a bounded time window
· Detect use across multiple distinct source IPs with minimum activity threshold
Operational Context
This rule provides portable detection logic for one of the strongest identity-layer signals in this report: reuse of the same exposed authentication artifact across multiple client contexts.
Logical Notes
Local adaptation required
· Requires backend aggregation support
· Requires normalized artifact and source fields
· Stronger where trusted proxy and broker paths are well known and excluded
Rule Regret Check
· Deployment caution
Validate source-IP fidelity and trusted infrastructure suppression before production use.
· Confidence caution
Multiple source IPs may still be legitimate without careful proxy and mobility tuning.
· Coverage value
Provides a practical portable analytic for exposed session or token reuse across distinct source contexts.
Execution Validity Status
Local adaptation required (aggregation template)
System-Ready Code
title: CyberDax NetScaler Authentication Artifact Multi-Source Reuse
id: 7c28f8a2-5f1c-46c3-9002-cyberdax-sigma-artifact-multisource-reuse
status: test
description: Portable aggregation template for detecting reuse of the same authentication artifact across multiple source IPs.
logsource:
    category: authentication
    product: any
detection:
    artifact_use:
        EventAction|contains:
            - session_validate
            - token_use
            - assertion_consume
    has_artifact:
        ArtifactId|exists: true
    condition: artifact_use and has_artifact
    timeframe: 24h
fields:
    - ArtifactId
    - SourceIp
    - User
    - EventAction
falsepositives:
    - VPN or proxy aggregation
    - mobile or roaming users
    - shared identity infrastructure
level: high
tags:
    - attack.t1555
Implementation Hardening Note
This rule requires backend aggregation equivalent to:
· group by ArtifactId
· count distinct SourceIp
· require distinct(SourceIp) > 1
· require total event count > 3
If the backend does not support aggregation or threshold logic, implement this as a SIEM-native query or rule instead.
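The two correlation models that the QRadar CRE limitation note and the Sigma implementation hardening notes leave to the backend, worked as an added Python example (not code from the report): the negative correlation (artifact use with no issuance or authentication for the same artifact in the prior 60 minutes) and the aggregation (same artifact, more than one untrusted source IP, more than three use events in 24 hours). The event records, IP addresses and the TRUSTED_PROXIES set standing in for the CYBERDAX_TRUSTED_IDENTITY_PROXIES reference set are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity events (not taken from any real NetScaler deployment).
# Field names follow the normalized names used by the templates above.
SAMPLE_EVENTS = [
    {"ts": "2026-03-26T09:00:00", "action": "assertion_issue", "artifact_id": "art-A", "src_ip": "198.51.100.10"},
    {"ts": "2026-03-26T09:05:00", "action": "session_validate", "artifact_id": "art-A", "src_ip": "198.51.100.10"},
    {"ts": "2026-03-26T09:10:00", "action": "token_use", "artifact_id": "art-A", "src_ip": "198.51.100.10"},
    # art-B is used although nothing issued it in the preceding 60 minutes
    {"ts": "2026-03-26T10:00:00", "action": "session_validate", "artifact_id": "art-B", "src_ip": "203.0.113.7"},
    # art-C is issued once, then used from three distinct sources within 24 hours
    {"ts": "2026-03-26T11:00:00", "action": "authentication_success", "artifact_id": "art-C", "src_ip": "192.0.2.1"},
    {"ts": "2026-03-26T11:10:00", "action": "session_validate", "artifact_id": "art-C", "src_ip": "192.0.2.1"},
    {"ts": "2026-03-26T11:20:00", "action": "token_use", "artifact_id": "art-C", "src_ip": "203.0.113.50"},
    {"ts": "2026-03-26T11:30:00", "action": "assertion_consume", "artifact_id": "art-C", "src_ip": "203.0.113.51"},
    {"ts": "2026-03-26T11:40:00", "action": "session_validate", "artifact_id": "art-C", "src_ip": "192.0.2.1"},
    # art-D alternates between a client and a trusted proxy: legitimate once the proxy is suppressed
    {"ts": "2026-03-26T12:00:00", "action": "authentication_success", "artifact_id": "art-D", "src_ip": "192.0.2.9"},
    {"ts": "2026-03-26T12:05:00", "action": "session_validate", "artifact_id": "art-D", "src_ip": "192.0.2.9"},
    {"ts": "2026-03-26T12:10:00", "action": "session_validate", "artifact_id": "art-D", "src_ip": "10.0.0.5"},
    {"ts": "2026-03-26T12:15:00", "action": "token_use", "artifact_id": "art-D", "src_ip": "10.0.0.5"},
    {"ts": "2026-03-26T12:20:00", "action": "token_use", "artifact_id": "art-D", "src_ip": "192.0.2.9"},
]

USE_ACTIONS = {"session_validate", "token_use", "assertion_consume"}
ISSUE_ACTIONS = {"authentication_success", "token_issue", "assertion_issue"}

# Constructed stand-in for the CYBERDAX_TRUSTED_IDENTITY_PROXIES reference set.
TRUSTED_PROXIES = {"10.0.0.5"}


def _ordered(events):
    """Parse timestamps and return events in time order; both rules need sequencing fidelity."""
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events), key=lambda e: e["ts"])


def use_without_recent_auth(events, window=timedelta(minutes=60)):
    """Negative correlation: an artifact-use event with no issuance or authentication event
    for the same artifact_id inside the preceding window. Returns (artifact_id, ts, src_ip)."""
    last_issue = {}  # artifact_id -> timestamp of the most recent issuance seen so far
    hits = []
    for e in _ordered(events):
        art = e.get("artifact_id")
        if art is None:
            continue  # no stable artifact identifier: the rules do not apply
        if e["action"] in ISSUE_ACTIONS:
            last_issue[art] = e["ts"]
        elif e["action"] in USE_ACTIONS:
            issued = last_issue.get(art)
            if issued is None or e["ts"] - issued > window:
                hits.append((art, e["ts"].isoformat(), e["src_ip"]))
    return hits


def multi_source_reuse(events, window=timedelta(hours=24), min_events=4, trusted=TRUSTED_PROXIES):
    """Aggregation: the same artifact used from more than one untrusted source IP, with more than
    three use events (min_events=4) inside a bounded window. Returns {artifact_id: sorted IPs}."""
    uses = defaultdict(list)
    for e in _ordered(events):
        if e["action"] in USE_ACTIONS and e.get("artifact_id") is not None and e["src_ip"] not in trusted:
            uses[e["artifact_id"]].append(e)
    hits = {}
    for art, evs in uses.items():
        # Slide a window anchored at each use event; report each artifact at most once
        for i, first in enumerate(evs):
            in_window = [x for x in evs[i:] if x["ts"] - first["ts"] <= window]
            ips = {x["src_ip"] for x in in_window}
            if len(in_window) >= min_events and len(ips) > 1:
                hits[art] = sorted(ips)
                break
    return hits


if __name__ == "__main__":
    for hit in use_without_recent_auth(SAMPLE_EVENTS):
        print("artifact use without recent authentication:", hit)
    for art, ips in multi_source_reuse(SAMPLE_EVENTS).items():
        print("multi-source reuse:", art, ips)
    # Without proxy suppression, art-D becomes a false positive
    print("unsuppressed:", sorted(multi_source_reuse(SAMPLE_EVENTS, trusted=set())))
```

Running the unsuppressed variant shows why the reference set matters: art-D, which only alternates between a client and its trusted proxy, is reported alongside the genuine art-C reuse.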
YARA
System Positioning
YARA is not used as a detection system for this report because the underlying threat behavior does not produce stable artifacts that YARA is designed to detect.
Why YARA Is Not Applicable
This CVE is driven by:
· T1190 – Exploit Public-Facing Application
· T1555 – Credentials from Password Stores (Adapted to Application Memory Exposure Context)
The exploit operates as:
· a crafted HTTP request
· targeting a NetScaler SAML IdP endpoint
· causing a memory disclosure condition
· exposing authentication artifacts (tokens, session data)
This behavior has three critical characteristics:
1. No Stable File Artifact
· The exploit does not require dropping a file
· No payload binary is required for initial success
· No consistent on-disk artifact is produced
YARA is fundamentally designed for file and binary pattern matching, so there is nothing reliable to match here.
AWS
Rule Name
CyberDax AWS Authenticated API Activity From Unmatched Source Context
Hardening Fixes Applied
· excludes common AWS service-role and assumed-role noise patterns in code
· restricts to likely human or federated identities
· tightens recent-auth correlation logic
· removes broad unscoped management-event grouping
Execution Validity Status
Conditional production-ready
System-Ready Code (Athena / CloudTrail Lake SQL)
WITH auth_events AS (
SELECT
userIdentity.arn AS principal,
sourceIPAddress AS src_ip,
eventTime AS auth_time
FROM cloudtrail_logs
WHERE eventName IN ('ConsoleLogin','AssumeRole','AssumeRoleWithSAML','AssumeRoleWithWebIdentity')
AND userIdentity.arn IS NOT NULL
AND sourceIPAddress IS NOT NULL
AND userIdentity.type IN ('IAMUser','AssumedRole')
AND userIdentity.arn NOT LIKE '%:role/aws-service-role/%'
AND userIdentity.arn NOT LIKE '%:assumed-role/AWSReservedSSO_%'
),
api_events AS (
SELECT
userIdentity.arn AS principal,
sourceIPAddress AS src_ip,
eventName,
eventSource,
eventTime AS api_time,
userAgent
FROM cloudtrail_logs
WHERE userIdentity.arn IS NOT NULL
AND sourceIPAddress IS NOT NULL
AND eventCategory = 'Management'
AND eventName NOT IN ('ConsoleLogin','AssumeRole','AssumeRoleWithSAML','AssumeRoleWithWebIdentity')
AND userIdentity.type IN ('IAMUser','AssumedRole')
AND userIdentity.arn NOT LIKE '%:role/aws-service-role/%'
AND userIdentity.arn NOT LIKE '%:assumed-role/AWSReservedSSO_%'
AND userAgent NOT LIKE '%internal.amazonaws.com%'
)
SELECT
a.principal,
a.src_ip,
a.eventSource,
a.eventName,
a.api_time,
a.userAgent
FROM api_events a
LEFT JOIN auth_events b
ON a.principal = b.principal
AND a.src_ip = b.src_ip
AND b.auth_time BETWEEN a.api_time - INTERVAL '60' MINUTE AND a.api_time
WHERE b.principal IS NULL;
Rule Name
CyberDax AWS Multi-Source Authenticated Activity for Single Principal
Hardening Fixes Applied
· restricts to likely human or federated identities
· suppresses common service-role and internal AWS patterns
· tightens bucket from one hour to thirty minutes
· preserves minimum event threshold
Execution Validity Status
Conditional production-ready
System-Ready Code (Athena / CloudTrail Lake SQL)
SELECT
  userIdentity.arn AS principal,
  -- 30-minute bucket: truncate to the minute, then subtract the minutes past the half hour
  date_trunc('minute', eventTime) - INTERVAL '1' MINUTE * (minute(eventTime) % 30) AS window_bucket,
  COUNT(*) AS event_count,
  COUNT(DISTINCT sourceIPAddress) AS distinct_src_ip_count,
  ARRAY_AGG(DISTINCT sourceIPAddress) AS src_ips
FROM cloudtrail_logs
WHERE eventCategory = 'Management'
  AND userIdentity.arn IS NOT NULL
  AND sourceIPAddress IS NOT NULL
  AND eventName NOT IN ('ConsoleLogin','AssumeRole','AssumeRoleWithSAML','AssumeRoleWithWebIdentity')
  AND userIdentity.type IN ('IAMUser','AssumedRole')
  AND userIdentity.arn NOT LIKE '%:role/aws-service-role/%'
  AND userIdentity.arn NOT LIKE '%:assumed-role/AWSReservedSSO_%'
  AND userAgent NOT LIKE '%internal.amazonaws.com%'
GROUP BY 1, 2
HAVING COUNT(*) > 3
  AND COUNT(DISTINCT sourceIPAddress) > 1;
Azure
Rule Name
CyberDax Azure Activity Without Matching Recent Sign-In From Same Source Context
Hardening Fixes Applied
· filters out service principals and managed identities in code
· normalizes principal more carefully
· excludes blank or untrusted source contexts
· keeps strict sixty-minute recent-sign-in model
Execution Validity Status
Conditional production-ready
System-Ready Code (KQL)
let Signins =
    SigninLogs
    | where ResultType == 0
    | where isnotempty(UserPrincipalName) and isnotempty(IPAddress)
    | project principal = tolower(UserPrincipalName), src_ip = tostring(IPAddress), signin_time = TimeGenerated;
let Activity =
    AzureActivity
    | where isnotempty(Caller) and isnotempty(CallerIpAddress)
    // Human callers appear as UPNs; service principals and managed identities appear as object IDs without "@"
    | where Caller contains "@"
    | extend principal = tolower(Caller), src_ip = tostring(CallerIpAddress), activity_time = TimeGenerated
    | project principal, src_ip, activity_time, OperationNameValue, ResourceGroup, ResourceProviderValue;
Activity
| join kind=leftouter Signins on principal, src_ip
// A sign-in only counts if it landed in the 60 minutes before the activity
| extend recent_signin = iff(isnotnull(signin_time) and signin_time between ((activity_time - 60m) .. activity_time), 1, 0)
| summarize recent_signin_count = sum(recent_signin) by principal, src_ip, activity_time, OperationNameValue, ResourceGroup, ResourceProviderValue
| where recent_signin_count == 0
Implementation Hardening Note
If Caller contains mixed identity types in your tenant, restrict this rule to known human-user patterns or join against an identity inventory table before production deployment.
Rule Name
CyberDax Azure Multi-Source Authenticated Activity for Single Identity
Hardening Fixes Applied
· limits to successful human sign-ins
· excludes blank IPs
· tightens bucket to thirty minutes
· preserves distinct-IP threshold and minimum event count
Execution Validity Status
Conditional production-ready
System-Ready Code (KQL)
SigninLogs
| where ResultType == 0
| where isnotempty(UserPrincipalName) and isnotempty(IPAddress)
| extend principal = tolower(UserPrincipalName), src_ip = tostring(IPAddress)
| summarize signin_count = count(), distinct_src_ip_count = dcount(src_ip), src_ips = make_set(src_ip, 20) by principal, bin(TimeGenerated, 30m)
| where signin_count > 3 and distinct_src_ip_count > 1
GCP
Rule Name
CyberDax GCP API Activity Without Matching Recent Identity Context
Hardening Fixes Applied
· limits to likely human principals by excluding service accounts in code
· requires caller IP presence
· preserves sixty-minute recent-identity-context check
· keeps explicit cross-dataset dependency honest
Execution Validity Status
Local adaptation required (cross-dataset correlation)
System-Ready Code (BigQuery SQL)
WITH signin_events AS (
SELECT
principalEmail AS principal,
callerIp AS src_ip,
event_timestamp AS signin_time
FROM `project.dataset.identity_signin_logs`
WHERE principalEmail IS NOT NULL
AND callerIp IS NOT NULL
AND principalEmail NOT LIKE '%gserviceaccount.com'
),
api_events AS (
SELECT
protoPayload.authenticationInfo.principalEmail AS principal,
protoPayload.requestMetadata.callerIp AS src_ip,
timestamp AS api_time,
protoPayload.methodName AS method_name,
resource.type AS resource_type
FROM `project.dataset.gcp_audit_logs`
WHERE protoPayload.authenticationInfo.principalEmail IS NOT NULL
AND protoPayload.requestMetadata.callerIp IS NOT NULL
AND protoPayload.authenticationInfo.principalEmail NOT LIKE '%gserviceaccount.com'
)
SELECT
a.principal,
a.src_ip,
a.api_time,
a.method_name,
a.resource_type
FROM api_events a
LEFT JOIN signin_events b
ON a.principal = b.principal
AND a.src_ip = b.src_ip
AND b.signin_time BETWEEN TIMESTAMP_SUB(a.api_time, INTERVAL 60 MINUTE) AND a.api_time
WHERE b.principal IS NULL;
S26 Threat-to-Rule Traceability Matrix
Behavior 1
ATT&CK Technique
T1190 – Exploit Public-Facing Application
Threat Behavior Description
Crafted HTTP POST requests targeting NetScaler SAML Identity Provider endpoints to trigger vulnerable request-processing behavior associated with memory disclosure.
Mapped Rules
· Suricata — Oversized POST
· Suricata — Repeated POST Targeting
· Suricata — Burst Targeting
· Splunk — Request Size Deviation
Coverage Disposition
Detected
Telemetry Dependency
· HTTP method
· URI
· request size / content length
· IdP endpoint visibility
Coverage Rationale
Exploit delivery is fully covered through request-shaping and targeting behavior at the network and logging layer.
Behavior 2
ATT&CK Technique
T1555 – Credentials from Password Stores (Adapted to Application Memory Exposure Context)
Threat Behavior Description
Exposure and reuse of authentication artifacts, including session tokens or assertion data, resulting from abnormal response behavior and subsequent identity misuse.
Mapped Rules
· Splunk — Request-to-Response Size Asymmetry
· Splunk — Session Without Authentication
· Splunk — Token Reuse Across Source Contexts
· Elastic — Artifact Use Without Auth
· Elastic — Multi-Source Artifact Reuse
· QRadar — Artifact Use Without Auth
· QRadar — Multi-Source Artifact Reuse
· Sigma — Artifact Use Template
· Sigma — Multi-Source Template
Coverage Disposition
Detected
Telemetry Dependency
· request/response byte visibility
· identity logs
· session/token identifiers
· source IP
Coverage Rationale
Both artifact exposure signals and artifact misuse behaviors are directly covered across SIEM and identity telemetry layers.
Conditional Behavior (Allowed)
ATT&CK Technique
T1555 – Credentials from Password Stores (Adapted)
Threat Behavior Description
Not observed in currently available reporting; may occur during post-exploitation depending on attacker objectives and target environment. Host-observable NetScaler deployments may show service-lineage process anomalies.
Mapped Rules
· SentinelOne — Service-Lineage Execution
Coverage Disposition
Partially Detected
Telemetry Dependency
· host process telemetry
· parent-child lineage
Coverage Rationale
Applies only to VPX or host-observable deployments and is not universal coverage.
Not Applicable
Behavior
File-based or malware artifact detection
Mapped Rules
None — YARA intentionally not used
Coverage Disposition
Not Applicable
S27 Behavior & Log Artifacts
Network Log Artifacts
· HTTP POST requests to SAML IdP endpoints with abnormal content-length values relative to historical baselines
· Discrepancies between request size and response size indicating abnormal data return behavior
· Repeated requests to authentication endpoints without successful session establishment
Identity Log Artifacts
· Session creation events without corresponding successful SAML authentication flows
· Token validation events occurring without preceding assertion issuance
· Session reuse across multiple IP addresses without re-authentication
NetScaler / Appliance Artifacts
· Error logs or anomalies during SAML request parsing
· Indicators of unexpected request handling outcomes within authentication workflows
· Resource anomalies correlated with request processing events
Infrastructure Artifacts
· Clusters of IP addresses repeatedly targeting SAML IdP endpoints
· Recurrent access patterns indicating automated exploitation attempts
· Reuse of source infrastructure across multiple authentication endpoints
S28 Detection Strategy and SOC Implementation Guidance
SOC teams should implement correlation-driven detection workflows combining:
· network-level SAML request anomalies
· identity-layer authentication inconsistencies
· session behavior deviations
Alerting should prioritize cases where:
· abnormal SAML request patterns coincide with authentication irregularities
· session activity occurs without expected authentication sequences
Detection tuning should focus on baseline-aware anomaly detection specific to SAML authentication workflows rather than generic web traffic analysis.
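The cross-layer prioritization this section calls for, worked as an added Python example (not code from the report): network-layer request anomalies against a per-endpoint baseline (request size deviation, request-to-response size asymmetry) are derived first, then identity-layer irregularities that coincide with them inside a short window are raised to high priority. The IdP path, the request records and the identity alerts are constructed sample data.

```python
from datetime import datetime, timedelta
from statistics import median

IDP_PATH = "/saml/login"  # placeholder for the IdP endpoint path; not a NetScaler-specific value

# Constructed network records for requests to the IdP: (ts, src_ip, method, uri, request_bytes, response_bytes)
NETWORK_LOG = [
    ("2026-03-26T08:00:00", "192.0.2.20", "POST", "/saml/login", 2100, 1800),
    ("2026-03-26T08:10:00", "192.0.2.21", "POST", "/saml/login", 1950, 1700),
    ("2026-03-26T08:20:00", "192.0.2.22", "POST", "/saml/login", 2300, 1900),
    ("2026-03-26T08:30:00", "192.0.2.23", "POST", "/saml/login", 2050, 1750),
    ("2026-03-26T08:40:00", "192.0.2.24", "GET", "/saml/metadata", 300, 5000),
    # two POSTs far above the request-size baseline whose responses dwarf the requests
    ("2026-03-26T09:50:00", "203.0.113.7", "POST", "/saml/login", 65000, 190000),
    ("2026-03-26T09:51:00", "203.0.113.7", "POST", "/saml/login", 65000, 188000),
]

# Constructed identity-layer irregularities (artifact use with no recent authentication)
IDENTITY_ALERTS = [
    {"ts": "2026-03-26T10:00:00", "artifact_id": "art-B", "src_ip": "203.0.113.7"},
    {"ts": "2026-03-26T14:00:00", "artifact_id": "art-E", "src_ip": "198.51.100.77"},
]


def network_anomalies(log, path=IDP_PATH, size_factor=5.0, asym_ratio=2.0):
    """Baseline-aware anomalies for POSTs to the IdP endpoint: a request body above
    size_factor times the median request size, or a response more than asym_ratio times
    larger than its request. GET traffic such as metadata fetches is outside the baseline."""
    posts = [r for r in log if r[2] == "POST" and r[3] == path]
    baseline = median(r[4] for r in posts)
    anomalies = []
    for ts, src_ip, _, _, req_bytes, resp_bytes in posts:
        reasons = []
        if req_bytes > size_factor * baseline:
            reasons.append("request_size_deviation")
        if resp_bytes > asym_ratio * req_bytes:
            reasons.append("request_response_asymmetry")
        if reasons:
            anomalies.append({"ts": datetime.fromisoformat(ts), "src_ip": src_ip, "reasons": reasons})
    return anomalies


def prioritize(identity_alerts, anomalies, window=timedelta(minutes=30)):
    """Raise an identity irregularity to high priority when a network-layer IdP anomaly
    precedes it within the window; record whether the anomaly came from the same source."""
    results = []
    for alert in identity_alerts:
        ts = datetime.fromisoformat(alert["ts"])
        linked = [a for a in anomalies if timedelta(0) <= ts - a["ts"] <= window]
        results.append({
            **alert,
            "priority": "high" if linked else "medium",
            "same_source": any(a["src_ip"] == alert["src_ip"] for a in linked),
            "network_reasons": sorted({r for a in linked for r in a["reasons"]}),
        })
    return results


if __name__ == "__main__":
    anoms = network_anomalies(NETWORK_LOG)
    for a in anoms:
        print("network anomaly:", a["ts"].isoformat(), a["src_ip"], a["reasons"])
    for r in prioritize(IDENTITY_ALERTS, anoms):
        print("identity alert:", r["artifact_id"], r["priority"], r["same_source"], r["network_reasons"])
```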
S29 Detection Coverage Summary
Detected Behaviors
· Exploit attempts characterized by abnormal SAML request structure and request-response anomalies
· Authentication inconsistencies indicating potential exposure of authentication artifacts
· Session misuse patterns inconsistent with standard SAML authentication flows
Conditional Post-Exploitation Behaviors
· Unauthorized access using exposed authentication artifacts
· Session reuse or hijacking depending on validity of retrieved data
· Follow-on activity dependent on attacker objectives and target environment
S30 Intelligence Maturity Assessment
Detection Maturity
Moderate — detection is achievable through correlation of SAML-specific network anomalies and identity-layer inconsistencies but lacks direct exploit indicators
Telemetry Coverage
Dependent on availability of TLS inspection and detailed SAML request logging; environments without payload visibility have reduced detection capability
Detection Engineering Capability
Requires development of protocol-aware anomaly detection tuned to SAML authentication workflows rather than reliance on signature-based methods
Control Effectiveness Score
Medium — controls are effective when TLS inspection and identity telemetry are available but degrade significantly without payload visibility
Audit Evidence Statement
Detection capability can be demonstrated through network logs capturing SAML request anomalies, identity logs showing session inconsistencies, and correlation between these telemetry sources
Security Program Integration Note
Detection and response for this vulnerability should be integrated into identity security monitoring programs, with emphasis on SAML workflow visibility, session integrity validation, and coordinated network and identity telemetry analysis
S31 Mitigation and Remediation
· Apply vendor patches addressing CVE-2026-3055 across all affected NetScaler ADC systems immediately
· Identify all NetScaler ADC instances configured as SAML Identity Providers and validate whether SAML endpoints are externally accessible
· Remove or restrict external access to SAML IdP endpoints using network segmentation or access control enforcement
· Invalidate all active SAML sessions and authentication tokens following remediation to prevent reuse of exposed artifacts
· Perform targeted credential rotation for privileged accounts and federated identity integrations where exposure is suspected
· Review authentication and session logs for anomalous activity indicative of token misuse or unauthorized access
S32 Security Control Recommendations
· Deploy inspection controls capable of analyzing SAML request structure at ingress points, including reverse proxy, WAF, or load balancer layers
· Establish baseline-aware monitoring of SAML IdP request characteristics, including request size, encoding, and endpoint usage patterns
· Enforce session integrity controls to detect reuse of authentication tokens across IP addresses, devices, or geographic locations
· Integrate identity telemetry (SAML assertions, session creation, token validation) with network telemetry to enable correlation-based detection
· Apply rate limiting and anomaly detection controls on SAML IdP endpoints to reduce exposure to automated exploitation attempts
· Enable continuous monitoring of SAML authentication workflows to detect deviations from expected request and response behavior
S33 Strategic Defensive Improvements
· Transition SAML IdP exposure from network-based accessibility to controlled access models using identity-aware access controls and conditional access policies
· Implement protocol-aware monitoring for SAML authentication workflows to detect deviations in assertion structure, request formatting, and response characteristics
· Establish centralized correlation pipelines linking network-layer request anomalies with identity-layer authentication and session events
· Treat SAML IdP infrastructure as a high-risk external attack surface requiring dedicated monitoring, segmentation, and governance
Control Impact Mapping
· Initial Access — T1190 Exploit Public-Facing Application
Reduced through restriction of SAML IdP exposure and enforcement of request inspection controls
· Credential Access — T1555 Credentials from Password Stores
Reduced through session invalidation, token lifecycle enforcement, and monitoring of authentication artifact usage
S34 Defensive Architecture Overview
Effective defense requires layered controls aligned to identity-boundary exposure in NetScaler SAML deployments:
Network Layer
· Inspection of inbound HTTP/S requests targeting SAML IdP endpoints
· Detection of anomalous request structure, size, and frequency
Identity Layer
· Monitoring of SAML assertion generation, validation, and session creation
· Detection of inconsistencies between authentication events and session usage
Application / Appliance Layer
· Secure configuration and patch management of NetScaler ADC systems
· Monitoring of request processing behavior within SAML authentication workflows
Correlation Layer
· Integration of network and identity telemetry
· Detection of multi-stage activity combining exploit attempts and authentication anomalies
S35 Security Hardening Guidance
· Restrict exposure of SAML IdP endpoints to required network paths and eliminate unnecessary external accessibility
· Disable unused SAML configurations or identity services on NetScaler systems where not operationally required
· Configure detailed logging for SAML request handling, authentication workflows, and session activity
· Enforce strict session timeout, token lifecycle, and re-authentication controls for federated identity services
· Regularly audit NetScaler configurations to ensure only required identity endpoints and services are enabled
S36 Security Program Maturity Assessment
Detection Maturity
· Moderate — detection depends on correlation of SAML-specific network anomalies and identity-layer inconsistencies; absence of payload inspection limits visibility into exploit activity
Telemetry Coverage
· Variable — effective detection requires visibility into SAML request payloads and authentication telemetry; environments without TLS inspection have reduced coverage
Response Readiness
· Moderate — response requires validation of session integrity, authentication activity, and potential exposure of federated identity trust relationships
Hardening Maturity
· Variable — effectiveness depends on whether identity infrastructure is treated as a distinct security boundary with dedicated monitoring and access controls
Control Effectiveness Score
· Medium — controls are effective when SAML traffic inspection and identity telemetry correlation are implemented, but degrade in environments lacking payload visibility
Audit Evidence Statement
Control effectiveness can be demonstrated through:
· network logs capturing SAML request anomalies and endpoint access patterns
· identity logs showing session creation, token validation, and authentication flows
· correlation of network anomalies with authentication inconsistencies
Security Program Integration Note
Detection and mitigation for this vulnerability should be integrated into identity security programs, with emphasis on SAML workflow visibility, session integrity monitoring, and coordinated analysis of network and identity telemetry
S37 Residual Risk and Forward Outlook
· Residual risk remains in environments lacking visibility into encrypted SAML traffic, limiting detection of exploit attempts
· Organizations with incomplete inventory of NetScaler ADC deployments may retain unrecognized exposure
· Federated identity infrastructure will continue to present high-value targets due to its role in authentication and access control
· Continued emphasis on identity-layer monitoring, protocol-aware detection, and rapid patching is required to maintain defensive posture
S38 Intelligence Confidence Assessment
Confidence Level
High
Confidence Rationale
· Vendor advisory confirms out-of-bounds memory read behavior within NetScaler ADC SAML Identity Provider request processing, directly supporting the identified vulnerability mechanism
· Exploitation conditions are clearly defined, including unauthenticated interaction with externally exposed SAML IdP endpoints
· The attack surface is constrained to identity federation infrastructure, where NetScaler ADC commonly operates as an external authentication boundary
· Detection and mitigation approaches are grounded in observable SAML request handling behavior and identity session anomalies specific to federated authentication workflows
Confidence Limitations
· Public reporting does not disclose precise exploit payload structure or request formatting required to reliably trigger memory disclosure
· Variability in process memory exposure introduces uncertainty regarding the consistency and usability of retrieved authentication artifacts
· No confirmed in-the-wild exploitation reporting is currently available to validate adversary operational patterns beyond modeled tradecraft
· EEP is a forward-looking analytic measure of operational exploitation potential, not a statement of confirmed exploitation, KEV inclusion, or incident activity
S39 Analytical Notes and Limitations
· Not observed in currently available reporting; may occur during post-exploitation depending on attacker objectives and target environment:
o Use of exposed authentication artifacts to access federated services without re-authentication
o Session reuse or impersonation within identity trust relationships
· Detection effectiveness depends on visibility into SAML request payloads; environments without TLS inspection are limited to indirect behavioral indicators
· NetScaler ADC logging may not provide sufficient granularity to directly observe memory disclosure events or request parsing anomalies
· Analysis assumes NetScaler ADC is deployed as an externally accessible SAML Identity Provider; environments with restricted exposure may have reduced attack surface
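As an added illustration of the indirect behavioral indicators described above, and of the coordinated network and identity telemetry analysis recommended in the Security Program Integration Note, the following Python is example code that is not part of this assessment and not Citrix or CyberDax tooling. It correlates two constructed telemetry streams: unauthenticated request bursts against the SAML IdP endpoint (network layer) and sessions consumed from a source other than the one the assertion was issued to (identity layer). The endpoint path, record layouts, IP addresses, thresholds and window size are all assumptions chosen for the example; real NetScaler log formats must be mapped onto these fields before use.

```python
"""Correlate network-layer probing of a SAML IdP endpoint with identity-layer
session anomalies. Added example; field layouts and values are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed IdP endpoint path for illustration (the real appliance paths are not given here)
IDP_ENDPOINT = "/saml/idp/sso"

# Constructed network telemetry: (timestamp, source_ip, path, http_status)
NETWORK_EVENTS = [
    ("2026-03-26T10:00:01", "203.0.113.7", "/saml/idp/sso", 400),
    ("2026-03-26T10:00:02", "203.0.113.7", "/saml/idp/sso", 400),
    ("2026-03-26T10:00:03", "203.0.113.7", "/saml/idp/sso", 500),
    ("2026-03-26T10:00:04", "203.0.113.7", "/saml/idp/sso", 400),
    ("2026-03-26T10:00:05", "203.0.113.7", "/saml/idp/sso", 400),
    ("2026-03-26T10:00:30", "198.51.100.10", "/saml/idp/sso", 200),
    ("2026-03-26T10:05:00", "192.0.2.44", "/vpn/index.html", 200),
]

# Constructed identity telemetry: (timestamp, session_id, user, source_ip, action)
SESSION_EVENTS = [
    ("2026-03-26T10:00:31", "sess-1", "alice", "198.51.100.10", "assertion_issued"),
    ("2026-03-26T10:00:40", "sess-1", "alice", "198.51.100.10", "sp_access"),
    ("2026-03-26T10:02:10", "sess-1", "alice", "203.0.113.7", "sp_access"),
    ("2026-03-26T10:03:00", "sess-2", "bob", "192.0.2.44", "assertion_issued"),
    ("2026-03-26T10:03:05", "sess-2", "bob", "192.0.2.44", "sp_access"),
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def idp_request_bursts(network_events, session_events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: peak_count} for IPs that hit the IdP endpoint at least
    `threshold` times inside any `window` without ever being issued an assertion.
    Repeated unauthenticated requests with no resulting login are the
    network-side indicator available when payloads are not visible."""
    authenticated_ips = {ip for _, _, _, ip, action in session_events if action == "assertion_issued"}
    hits = defaultdict(list)
    for ts, ip, path, _status in network_events:
        if path == IDP_ENDPOINT and ip not in authenticated_ips:
            hits[ip].append(parse_ts(ts))
    bursts = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def session_source_changes(session_events):
    """Return sessions consumed from a source IP other than the one the SAML
    assertion was issued to: the identity-side session-integrity indicator."""
    issued_to = {}
    findings = []
    for ts, sid, user, ip, action in session_events:
        if action == "assertion_issued":
            issued_to[sid] = ip
        elif sid in issued_to and ip != issued_to[sid]:
            findings.append({"session": sid, "user": user, "issued_to": issued_to[sid],
                             "used_from": ip, "at": ts})
    return findings


def correlate(network_events, session_events):
    """Join both layers. A session reused from an IP that was also probing the IdP
    endpoint is rated high; either indicator on its own is rated medium."""
    bursts = idp_request_bursts(network_events, session_events)
    findings, covered = [], set()
    for change in session_source_changes(session_events):
        ip = change["used_from"]
        severity = "high" if ip in bursts else "medium"
        findings.append({**change, "severity": severity, "probe_count": bursts.get(ip, 0)})
        covered.add(ip)
    for ip, count in bursts.items():
        if ip not in covered:
            findings.append({"source_ip": ip, "probe_count": count, "severity": "medium"})
    return findings


if __name__ == "__main__":
    for finding in correlate(NETWORK_EVENTS, SESSION_EVENTS):
        print(finding)
```

On the constructed data the script yields a single high-severity finding: session sess-1 was issued to 198.51.100.10 but later used from 203.0.113.7, the same address that produced five unauthenticated requests to the IdP endpoint within a minute. In production the threshold and window should be tuned against baseline traffic, and the two streams should be joined on synchronized clocks; the logic deliberately relies only on metadata, since, as noted above, SAML payload contents are unavailable without TLS inspection.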
S40 References
Vendor Advisory
· Citrix advisory addressing memory disclosure vulnerability in NetScaler ADC SAML Identity Provider processing (CVE-2026-3055)
· hxxps://support[.]citrix[.]com/security-advisory-netscaler-cve-2026-3055
Vulnerability Records
· National Vulnerability Database entry describing CVE-2026-3055 memory disclosure conditions in NetScaler ADC
· hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2026-3055
Known Exploited Vulnerabilities (KEV)
· CVE-2026-3055 is not listed in the CISA KEV catalog at the time of reporting; exploitation likelihood is assessed as high based on exposure conditions and attack surface characteristics
· hxxps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
Analytical Framework
· MITRE ATT&CK Framework (Enterprise) — reference model for adversary behavior mapping and detection alignment
· hxxps://attack[.]mitre[.]org
· CyberDax Threat Intelligence Analytical Framework v2.6 — structured methodology for threat modeling, detection engineering, and risk quantification
· Internal CyberDax methodology reference
