ET WEB_SPECIFIC_APPS Citrix CVE-2024-6235 Post-Exploitation Activity (Admin Account Creation)
Source: et/open
Created: April 24, 2025
Updated: April 24, 2025
Classification: trojan-activity
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Citrix CVE-2024-6235 Post-Exploitation Activity (Admin Account Creation)"; flow:established,to_server; xbits:isset,ET.CVE-2024-6235,track ip_dst; http.method; content:"POST"; http.uri; bsize:24; content:"/nitro/v1/config/mpsuser"; fast_pattern; http.header; content:"NITRO_WEB_APPLICATION|3a 20|true"; content:"rand_key|3a 20|"; pcre:"/^[a-fA-F0-9]{32}/R"; http.cookie; content:"logged_in_user_name|3d|nsroot|3b|"; content:"SESSID|3d 23 23|"; pcre:"/^[a-fA-F0-9]{60}/R"; http.request_body; content:"object|3d|"; content:"mpsuser"; content:"name"; distance:0; content:"groups"; content:"owner"; distance:0; reference:url,attackerkb.com/topics/7zebEgmGLs/cve-2024-6235; reference:cve,2024-6235; classtype:trojan-activity; sid:2061845; rev:1; metadata:affected_product Citrix, attack_target Web_Server, tls_state plaintext, created_at 2025_04_24, cve CVE_2024_6235, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Unauthorized_Account_Creation, updated_at 2025_04_24; target:dest_ip;)
References
Metadata
affected product: Citrix
attack target: Web_Server
tls state: plaintext
created at: 2025_04_24
deployment: Internal
performance impact: Low
confidence: High
signature severity: Major
tag: Unauthorized_Account_Creation
updated at: 2025_04_24