Ivanti Connect Secure Forensics (Part 3): Integrity Checker Tool (ICT) analysis

14 January, 2026

In Part I and Part II of our Ivanti Connect Secure forensics series, we examined how threat actors exploit Ivanti VPN vulnerabilities and how investigators can extract evidence from LILO-based and GRUB-based appliances.

In Part III, we shift focus to the Integrity Checker Tool (ICT)—a powerful Ivanti-native mechanism that enables investigators to quickly identify post-compromise modifications. ICT snapshot analysis allows responders to isolate changed files, detect stealthy web shells, and accelerate forensic triage during Ivanti incident response engagements.

Integrity Checker Tool (ICT) analysis

The ICT is an Ivanti-developed tool that creates encrypted snapshots containing only the files modified since the last integrity check the ICT performed on that device.

ICT snapshot extraction steps:

Step 1: Snapshot download
Download ICT snapshots from the Ivanti appliance administrative interface.

Step 2: Decryption preparation
Use community tools created by Stephen Murcott for ICT snapshot decryption:
git clone https://github.com/stephen-murcott/Ivanti-ICT-Snapshot-decryption

python3 Ivanti_ICT-Snapshot_decryption.py decryption ict-snapshot.encrypted

Step 3: Modified File Analysis
Analyze the decrypted ICT snapshot content to identify files that were added, modified, or replaced since the last integrity baseline. ICT snapshots contain only files that differ from the appliance’s known-good state, making them highly valuable for detecting post-exploitation artifacts.
find decrypted_snapshot/ -type f -exec file {} \;

For example, the above Linux command enumerates all files within the decrypted snapshot and identifies their true file type based on content rather than extension. This helps investigators detect:
•    Web shells masquerading as benign files
•    Executables or scripts placed in unexpected directories
•    Files whose extensions do not match their actual content

Next, search for suspicious strings commonly associated with malicious behavior:
 
grep -r "suspicious_pattern" decrypted_snapshot/

Here, ‘suspicious_pattern’ represents indicators such as hardcoded commands, encoded payloads, IP addresses, domain names, or function calls commonly used by web shells and post-exploitation tooling. This step also quickly surfaces high-risk files for deeper manual review.
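As an added example (not part of the original article, and not Ivanti's or the ICT's own tooling), the following Python script performs Step 3 in one pass: it classifies every file in the decrypted snapshot by content rather than extension, reports extension/content mismatches, and searches each file for a small named set of indicator patterns. The snapshot layout, the sample files, the signature table and the indicator list are all constructed assumptions for demonstration; in a real engagement the pattern list would come from the incident's own IOCs.

```python
import re
import tempfile
from pathlib import Path

# Content signatures checked in order; the extension is deliberately ignored
# (a constructed subset of what `file(1)` does with magic bytes).
SIGNATURES = [
    (b"\x7fELF", "ELF executable"),
    (b"#!", "script (shebang)"),
    (b"<?php", "PHP script"),
    (b"PK\x03\x04", "ZIP archive"),
]

# Extensions we would expect for each detected type on a web appliance;
# anything else is reported as an extension/content mismatch (assumption).
EXPECTED_EXT = {
    "ELF executable": {"", ".so"},
    "script (shebang)": {".sh", ".py", ".pl", ".cgi"},
    "PHP script": {".php", ".phtml"},
    "ZIP archive": {".zip", ".jar"},
}

# Named stand-ins for "suspicious_pattern" (constructed, not a vetted IOC list).
SUSPICIOUS = [
    ("eval-call", re.compile(rb"\beval\s*\(")),
    ("base64-decode", re.compile(rb"base64_decode|base64\s+-d")),
    ("ip-literal", re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def detect_type(data: bytes) -> str:
    """Classify a file by its leading bytes, then fall back to text/binary."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary (unknown)"


def triage_snapshot(root: str) -> list:
    """Walk the decrypted snapshot and return one finding per regular file."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        ftype = detect_type(data)
        ext = path.suffix.lower()
        mismatch = ftype in EXPECTED_EXT and ext not in EXPECTED_EXT[ftype]
        hits = [name for name, rx in SUSPICIOUS if rx.search(data)]
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "type": ftype,
            "ext_mismatch": mismatch,
            "pattern_hits": hits,
            "flag": mismatch or bool(hits),
        })
    return findings


def build_sample_snapshot() -> str:
    """Write a constructed snapshot tree to a temp dir (paths are illustrative)."""
    root = tempfile.mkdtemp(prefix="ict_")
    samples = {
        # ELF header hiding behind an image extension
        "home/webserver/htdocs/dana-na/css/logo.gif": b"\x7fELF\x02\x01\x01" + b"\x00" * 16,
        # Perl CGI with an expected extension: script type, nothing flagged
        "home/webserver/htdocs/dana-na/auth/login.cgi": b'#!/usr/bin/perl\nprint "ok\\n";\n',
        # text file carrying a TEST-NET address literal
        "tmp/update.txt": b"beacon=203.0.113.10\n",
        # benign change with nothing of interest
        "home/config/notes.txt": b"changed the banner text only\n",
    }
    for rel, content in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


if __name__ == "__main__":
    for f in triage_snapshot(build_sample_snapshot()):
        mark = "!!" if f["flag"] else "  "
        print(f"{mark} {f['path']}: {f['type']} mismatch={f['ext_mismatch']} hits={f['pattern_hits']}")
```

Run it against the real decrypted directory by calling triage_snapshot("decrypted_snapshot/") instead of the constructed tree; the `flag` field is the review queue, and `ext_mismatch` alone is enough to surface the ELF-behind-an-image case that the `file` command in Step 3 is meant to catch.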

Web shell detection and analysis

Ivanti Connect Secure appliances are frequently targeted using lightweight and stealthy web shells that blend into legitimate web content. The following families are among the most observed in real-world incidents:

GIFTEDVISITOR

GIFTEDVISITOR is a malicious modification to Ivanti Connect Secure’s ‘visits.py’ component that adds a web shell triggered by POST requests to ‘/api/v1/cav/client/visits’, enabling attackers to execute remote commands and maintain persistence on compromised VPN appliances.

Reference: https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/ 

China Chopper

China Chopper is an extremely small web shell, consisting of a simple text-based payload and a GUI client, enabling attackers to stealthily gain remote access for file management, database control, and command execution across multiple platforms and web languages.

Reference: 
https://cloud.google.com/blog/topics/threat-intelligence/breaking-down-china-chopper-web-shell-part-i
https://cloud.google.com/blog/topics/threat-intelligence/breaking-down-the-china-chopper-web-shell-part-ii

Custom PHP/ASP Shells

Custom-made web shells developed by attackers to evade signature-based detection and forensic tooling, often incorporating anti-forensic features such as log tampering and encrypted payloads.

These web shell families are common because they’re simple to drop after a remote code execution, they work smoothly with Ivanti’s web framework, and they blend in with normal files so well that defenders need deep file-level checks to spot them.

Web shell identification steps

Search for web-accessible scripts that invoke dangerous execution functions:
find /var/www -name "*.php" -exec grep -l "eval\|exec\|system" {} \;

find /var/www -name "*.aspx" -exec grep -l "eval\|exec\|cmd" {} \;
 
The functions mentioned (eval, exec, system) are commonly abused because they let an attacker run arbitrary system commands, decode and execute payloads delivered over HTTP, and establish interactive access within the web server's context.

While not inherently malicious, the presence of these functions in unexpected files or directories is a strong indicator of compromise, especially on hardened appliances where legitimate use is limited.

File timestamp and permission analysis

find /var/www -type f -newermt "2024-01-01" -ls

The date 2024-01-01 is used as a temporal pivot point aligned with the surge in mass exploitation of Ivanti vulnerabilities observed in early 2024. Files modified after this date warrant closer inspection, as they may correlate with:
•    Initial exploitation
•    Web shell deployment
•    Post-exploitation tooling updates

This approach helps narrow analysis to a relevant incident window rather than reviewing the entire filesystem.
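The two `find` commands above (dangerous-function search and the 2024-01-01 timestamp pivot) can be folded into one scorer, shown here as an added example that is not from the original article. It scans web-accessible scripts, separates a sink that is fed by request-controlled input (the web shell shape) from a sink with a constant argument, and adds weight to files modified after the pivot date. The web root, file contents, timestamps and score weights are constructed assumptions; the sink and source regexes cover PHP, ASP and Perl-style handlers and should be tuned to the appliance's real script set.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

PIVOT = datetime(2024, 1, 1, tzinfo=timezone.utc)     # pivot date from the article
SCRIPT_EXT = {".php", ".phtml", ".asp", ".aspx", ".cgi", ".pl", ".py"}

# Execution sinks (the article's eval/exec/system plus close relatives) and
# request-controlled sources for PHP, ASP.NET and Python-style handlers.
SINKS = re.compile(r"(?<!\w)(eval|exec|system|passthru|shell_exec|popen|proc_open)\s*\(", re.I)
SOURCES = re.compile(
    r"\$_(?:POST|GET|REQUEST|COOKIE)\b|Request\.(?:Form|Item|QueryString)|request\.(?:form|args|data)\b",
    re.I)


def scan_script(path: Path, pivot: datetime = PIVOT) -> dict:
    """Score one script: sink present, sink fed by request input, modified after pivot."""
    text = path.read_text(errors="replace")
    sinks = sorted({m.group(1).lower() for m in SINKS.finditer(text)})
    request_input = bool(SOURCES.search(text))
    mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
    after_pivot = mtime >= pivot
    score = 0
    if sinks:
        score += 3 if request_input else 1   # sink on request data is the web shell shape
    if after_pivot:
        score += 2                           # inside the incident window
    return {"path": path.name, "sinks": sinks, "request_input": request_input,
            "after_pivot": after_pivot, "score": score}


def scan_webroot(root: str, pivot: datetime = PIVOT) -> list:
    """Scan every web-accessible script under root, highest score first."""
    hits = [scan_script(p, pivot) for p in Path(root).rglob("*")
            if p.is_file() and p.suffix.lower() in SCRIPT_EXT]
    return sorted(hits, key=lambda r: (-r["score"], r["path"]))


def build_sample_webroot() -> str:
    """Constructed web root: names, contents and mtimes are illustrative only."""
    root = tempfile.mkdtemp(prefix="www_")
    files = [
        # (relative path, content, mtime)
        ("dana-na/auth/welcome.cgi", '#!/usr/bin/perl\nprint "Welcome\\n";\n',
         datetime(2023, 6, 3, tzinfo=timezone.utc)),
        # legitimate-looking admin helper: sink with a constant argument, pre-pivot
        ("admin/maint.php", "<?php exec('/usr/bin/uptime', $out); echo $out[0]; ?>\n",
         datetime(2023, 6, 3, tzinfo=timezone.utc)),
        # modified in the window but carries no sink
        ("dana-na/auth/setcookie.cgi", '#!/usr/bin/perl\nprint "Set-Cookie: a=b\\n";\n',
         datetime(2024, 2, 2, tzinfo=timezone.utc)),
        # one-line eval-on-POST pattern, the shape the article's grep targets
        ("dana-na/css/ui.php", "<?php @eval($_POST['c']); ?>\n",
         datetime(2024, 1, 12, tzinfo=timezone.utc)),
    ]
    for rel, content, when in files:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.utime(p, (when.timestamp(), when.timestamp()))
    return root


if __name__ == "__main__":
    for r in scan_webroot(build_sample_webroot()):
        print(f"{r['score']:>2} {r['path']:<16} sinks={r['sinks']} "
              f"request_input={r['request_input']} after_pivot={r['after_pivot']}")
```

The ranking is what matters: a sink fed by `$_POST` in a CSS directory and modified in the window lands at the top, while the pre-pivot admin helper with a constant `exec` argument is still listed (the article's point that these functions are not inherently malicious) but sorts below a sink-free file that changed in the window.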

Log analysis and evidence correlation

The following log sources are the most critical for Ivanti Connect Secure investigations because they capture activity at different stages of the attack lifecycle:
•    Web Server Logs (/var/log/httpd/access_log, error_log)
Reveal pre-authentication exploitation attempts, malformed requests, and payload delivery attempts, whether successful or not.
•    System Logs (/var/log/messages, /var/log/syslog)
Capture system-level errors, service restarts, and abnormal process behavior.
•    Authentication Logs (/var/log/secure, /var/log/auth.log)
Help identify successful or anomalous authentication events following exploitation.
•    VPN Logs (/var/log/vpn/vpn.log)
Provide insight into session creation, lateral movement, and potential abuse of VPN access.

Together, these logs help investigators reconstruct the full attack chain, from initial exploitation to persistence and lateral movement.
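To show what "correlation" across these four sources looks like in practice, here is an added example (not from the original article) that parses constructed excerpts of access_log, messages, secure and vpn.log into one time-ordered timeline, marks POST requests to the GIFTEDVISITOR trigger path named earlier as high severity, and then pulls the events that follow each such request within a window or that share its client IP. The log lines are constructed; the Apache combined and syslog formats are simplified, the vpn.log layout is hypothetical, and the syslog year is assumed, so the parsers must be checked against the collected files.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed log excerpts (not real appliance output).
ACCESS_LOG = """\
203.0.113.5 - - [12/Jan/2024:03:10:55 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2024:03:14:07 +0000] "POST /api/v1/cav/client/visits HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [12/Jan/2024:03:20:41 +0000] "POST /api/v1/cav/client/visits HTTP/1.1" 200 640 "-" "python-requests/2.31"
"""
MESSAGES = "Jan 12 03:14:09 ive watchdog: web service restarted\n"
SECURE = "Jan 12 03:31:40 ive sshd[2211]: Accepted password for admin from 198.51.100.7 port 40022 ssh2\n"
VPN_LOG = """\
2024-01-11 22:00:00 session created user=alice realm=Users src=192.0.2.44
2024-01-12 03:45:12 session created user=svc_backup realm=Users src=198.51.100.7
"""

SYSLOG_YEAR = 2024                              # syslog lines carry no year; assumed here
WATCH_PATHS = {"/api/v1/cav/client/visits"}     # GIFTEDVISITOR trigger path from the article

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<proc>[^:]+): (?P<msg>.*)$")
VPN_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msg>.*)$")


def parse_access(text):
    """Web server log: POST to a watched path is the high-severity signal."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        sev = "high" if m["method"] == "POST" and m["path"] in WATCH_PATHS else "info"
        events.append({"ts": ts, "source": "access", "ip": m["ip"], "severity": sev,
                       "detail": f'{m["method"]} {m["path"]} -> {m["status"]}'})
    return events


def parse_syslog(text, source, medium_if):
    """messages/secure: a line containing `medium_if` (e.g. 'restart', 'accepted') is medium."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        sev = "medium" if medium_if in m["msg"].lower() else "info"
        ipm = re.search(r"from (\d+\.\d+\.\d+\.\d+)", m["msg"])
        events.append({"ts": ts, "source": source, "ip": ipm.group(1) if ipm else None,
                       "severity": sev, "detail": f'{m["proc"]}: {m["msg"]}'})
    return events


def parse_vpn(text):
    """Hypothetical vpn.log layout: timestamp, then key=value fields."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        ipm = re.search(r"src=(\S+)", m["msg"])
        events.append({"ts": ts, "source": "vpn", "ip": ipm.group(1) if ipm else None,
                       "severity": "info", "detail": m["msg"]})
    return events


def build_timeline():
    """Unified, time-ordered view across all four log sources."""
    events = (parse_access(ACCESS_LOG)
              + parse_syslog(MESSAGES, "messages", "restart")
              + parse_syslog(SECURE, "secure", "accepted")
              + parse_vpn(VPN_LOG))
    return sorted(events, key=lambda e: e["ts"])


def related_after(timeline, anchor, minutes=30):
    """Events that follow the anchor within the window, in time order."""
    end = anchor["ts"] + timedelta(minutes=minutes)
    return [e for e in timeline if anchor["ts"] < e["ts"] <= end]


def same_source_ip(timeline, anchor):
    """Every other event, from any log, that shares the anchor's client IP."""
    return [e for e in timeline if e["ip"] == anchor["ip"] and e is not anchor]


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(f"{e['ts']:%Y-%m-%d %H:%M:%S} {e['source']:<8} {e['severity']:<6} {e['detail']}")
    for anchor in (e for e in tl if e["severity"] == "high"):
        print(f"\n{anchor['detail']} at {anchor['ts']:%H:%M:%S}: "
              f"{len(related_after(tl, anchor))} events in the next 30 min, "
              f"{len(same_source_ip(tl, anchor))} other events from {anchor['ip']}")
```

Two pivots carry most of the weight here: the time window after each high-severity request (a web service restart two seconds later, then an admin SSH login) and the client IP, which ties the web shell traffic to the later SSH and VPN sessions across logs that otherwise share no identifier.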

Summary

Forensic investigations of Ivanti Connect Secure appliances require specialized knowledge of the devices’ custom encryption implementations, bootloader exploitation techniques, and evidence extraction methodologies. The step-by-step procedures outlined above provide incident response teams with comprehensive approaches for collecting and analyzing forensic evidence from both LILO and GRUB-based systems.

Key forensic capabilities include bootloader-level access for encrypted filesystem extraction, memory acquisition for runtime artifact analysis, ICT snapshot decryption for rapid change detection, and specialized tools like lilo-pulse-secure-decrypt for automated evidence processing. The technical complexity of these procedures highlights the sophisticated nature of modern SSL VPN appliances and the advanced techniques required for effective incident response.

Security teams should develop expertise in these specialized forensic methodologies while maintaining awareness of evolving attack techniques and new vulnerability discoveries. The global impact of Ivanti compromises across enterprise networks demonstrates the critical importance of comprehensive incident response capabilities tailored to SSL VPN appliance architecture.

Resources

This forensic investigation guide and vulnerability analysis incorporates research and tools developed by:
Ivanti / Pulse Secure Vulnerability Research
•    watchTowr Labs – Exploitation Walkthrough and Techniques:

Ivanti Connect Secure RCE (CVE-2025-0282)
https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-connect-secure-rce-cve-20…
•    watchTowr Labs – CVE-2024-22024 (SAML XXE) Analysis
https://labs.watchtowr.com/are-we-now-part-of-ivanti/

Volexity – Active Exploitation of Ivanti Connect Secure VPNs
https://www.volexity.com/blog/2024/01/10/active-exploitation-of-ivanti-connect-secure-vpn/

Volexity – CVE-2023-46805 Authentication Bypass
https://www.cve.org/CVERecord?id=CVE-2023-46805

Northwave Security – Ivanti/Pulse Secure forensic tooling and analysis
https://northwave-cybersecurity.com/whitepapers-articles/investigating-a-possible-ivanti-compromise
 
Black Hat & historical context

Orange Tsai & Meh Chang – Infiltrating Corporate Intranet Like NSA (Black Hat USA 2019)
https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa-16202
https://www.youtube.com/watch?v=mKGq8z17Kd4
 
Web shell references
FireEye/Mandiant – China Chopper Web Shell Analysis
https://cloud.google.com/blog/topics/threat-intelligence/breaking-down-china-chopper-web-shell-part-i
https://cloud.google.com/blog/topics/threat-intelligence/breaking-down-the-china-chopper-web-shell-part-ii

Volexity – GIFTEDVISITOR Web Shell and Ivanti Exploitation: https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/

Independent researchers (Stephen Murcott): https://github.com/stephen-murcott/Ivanti-ICT-Snapshot-decryption
