Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity

Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.

Sigma rule

title: Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
id: c3b2a774-3152-4989-83c1-7afc48fd1599
status: test
description: Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
references:
    - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
    - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
    - https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/
    - https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2024-08-13
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-34362
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    # Script, binary or archive files dropped into the MOVEit web root
    selection_generic:
        TargetFilename|contains:
            - '\MOVEit Transfer\wwwroot\'
            - '\MOVEitTransfer\wwwroot\'
        TargetFilename|endswith:
            - '.7z'
            - '.bat'
            - '.dll'
            - '.exe'
            - '.ps1'
            - '.rar'
            - '.vbe'
            - '.vbs'
            - '.zip'
    # Known web shell file names reported during the 2023 exploitation wave
    selection_known_ioc:
        TargetFilename|endswith:
            - '\MOVEit Transfer\wwwroot\_human2.aspx.lnk'
            - '\MOVEit Transfer\wwwroot\_human2.aspx'
            - '\MOVEit Transfer\wwwroot\human2.aspx.lnk'
            - '\MOVEit Transfer\wwwroot\human2.aspx'
            - '\MOVEitTransfer\wwwroot\_human2.aspx.lnk'
            - '\MOVEitTransfer\wwwroot\_human2.aspx'
            - '\MOVEitTransfer\wwwroot\human2.aspx.lnk'
            - '\MOVEitTransfer\wwwroot\human2.aspx'
    # Uncomment this selection if you want to threat hunt for additional artifacts
    # selection_cmdline:
    #    TargetFilename|contains: ':\Windows\TEMP\'
    #    TargetFilename|endswith: '.cmdline'
    # Freshly compiled ASP.NET pages in the months of the exploitation wave.
    # Sysmon writes CreationUtcTime as 'YYYY-MM-DD HH:MM:SS.fff', so the prefixes
    # must end right after the month dash (no trailing space) to ever match.
    selection_compiled_asp:
        CreationUtcTime|startswith:
            - '2023-03-'
            - '2023-04-'
            - '2023-05-'
            - '2023-06-'
        TargetFilename|contains|all:
            - '\Windows\Microsoft.net\Framework64\v'
            - '\Temporary ASP.NET Files\'
            - 'App_Web_'
        TargetFilename|endswith: '.dll'
    condition: 1 of selection_*
falsepositives:
    - To avoid FP, this rule should only be applied on MOVEit servers.
level: high
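To show how the three selections combine under `condition: 1 of selection_*`, here is an added Python evaluator that applies the rule's logic to constructed Sysmon Event ID 11 style file-event records. It is example code written for this page, not part of the Sigma project or any Sigma backend; field names follow the rule, sample events are made up, and matching is lower-cased because Sigma string modifiers are case-insensitive by default.

```python
# Added example: evaluates the rule's selections over Sysmon-style file events.
# Not Sigma project code. The commented-out selection_cmdline is intentionally omitted.
WWWROOT_DIRS = ("\\moveit transfer\\wwwroot\\", "\\moveittransfer\\wwwroot\\")
GENERIC_EXTS = (".7z", ".bat", ".dll", ".exe", ".ps1", ".rar", ".vbe", ".vbs", ".zip")
KNOWN_IOC_NAMES = ("_human2.aspx.lnk", "_human2.aspx", "human2.aspx.lnk", "human2.aspx")
KNOWN_IOCS = tuple(d + n for d in WWWROOT_DIRS for n in KNOWN_IOC_NAMES)
COMPILED_ASP_MONTHS = ("2023-03-", "2023-04-", "2023-05-", "2023-06-")
COMPILED_ASP_PARTS = ("\\windows\\microsoft.net\\framework64\\v",
                      "\\temporary asp.net files\\", "app_web_")


def matched_selections(event: dict) -> list:
    """Return the names of the rule's selections this event satisfies."""
    path = event.get("TargetFilename", "").lower()      # Sigma matching is case-insensitive
    created = event.get("CreationUtcTime", "")          # Sysmon format: 'YYYY-MM-DD HH:MM:SS.fff'
    hits = []
    if any(d in path for d in WWWROOT_DIRS) and path.endswith(GENERIC_EXTS):
        hits.append("selection_generic")
    if path.endswith(KNOWN_IOCS):
        hits.append("selection_known_ioc")
    if (created.startswith(COMPILED_ASP_MONTHS)
            and all(p in path for p in COMPILED_ASP_PARTS)
            and path.endswith(".dll")):
        hits.append("selection_compiled_asp")
    return hits


def rule_fires(event: dict) -> bool:
    """condition: 1 of selection_* -> any single selection is enough."""
    return bool(matched_selections(event))


# Constructed sample events (not real telemetry); the last one is a benign MOVEit page.
SAMPLE_EVENTS = [
    {"TargetFilename": r"C:\MOVEit Transfer\wwwroot\human2.aspx",
     "CreationUtcTime": "2023-06-01 04:12:33.120"},
    {"TargetFilename": r"C:\MOVEitTransfer\wwwroot\images\update.zip",
     "CreationUtcTime": "2023-05-28 22:01:07.004"},
    {"TargetFilename": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
                       r"\Temporary ASP.NET Files\root\ab12cd34\App_Web_human2.aspx.dll",
     "CreationUtcTime": "2023-05-30 11:45:00.000"},
    {"TargetFilename": r"C:\MOVEit Transfer\wwwroot\human.aspx",
     "CreationUtcTime": "2023-06-01 04:12:33.120"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rule_fires(ev), matched_selections(ev), ev["TargetFilename"])
```

Only the first three constructed events trigger the rule; the legitimate `human.aspx` page does not, which is the distinction the `selection_known_ioc` file names rely on.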
