Note : My advice is now to use the official tool published by fireeye & citrix : https://github.com/fireeye/ioc-scanner-CVE-2019-19781
This little script was created to help security analyst to discover traces of successful CVE-2019-19781 exploits on their systems.
Feel free to fork and improve ! You can find an example of output on a compromised system : output_demo.txt.
1- Login on your Citrix Gateway with nsroot (or other high privileged account).
2- Download the script :
curl -o CVE-2019-19781-Forensic.sh https://raw.githubusercontent.com/onSec-fr/CVE-2019-19781-Forensic/master/script.sh
3- Make it executable :
chmod +x CVE-2019-19781-Forensic.sh
4- Specify an output filename :
./CVE-2019-19781-Forensic.sh <output>
5- Done !