Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
Sigma rule
title: Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
id: c3b2a774-3152-4989-83c1-7afc48fd1599
status: test
description: Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
references:
    - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
    - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
    - https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/
    - https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2024-08-13
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-34362
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    # Executables, scripts or archives written anywhere under the MOVEit web root
    selection_generic:
        TargetFilename|contains:
            - '\MOVEit Transfer\wwwroot\'
            - '\MOVEitTransfer\wwwroot\'
        TargetFilename|endswith:
            - '.7z'
            - '.bat'
            - '.dll'
            - '.exe'
            - '.ps1'
            - '.rar'
            - '.vbe'
            - '.vbs'
            - '.zip'
    # File names of the web shell reported in the referenced write-ups
    selection_known_ioc:
        TargetFilename|endswith:
            - '\MOVEit Transfer\wwwroot\_human2.aspx.lnk'
            - '\MOVEit Transfer\wwwroot\_human2.aspx'
            - '\MOVEit Transfer\wwwroot\human2.aspx.lnk'
            - '\MOVEit Transfer\wwwroot\human2.aspx'
            - '\MOVEitTransfer\wwwroot\_human2.aspx.lnk'
            - '\MOVEitTransfer\wwwroot\_human2.aspx'
            - '\MOVEitTransfer\wwwroot\human2.aspx.lnk'
            - '\MOVEitTransfer\wwwroot\human2.aspx'
    # Uncomment this selection if you want to threat hunt for additional artifacts
    # selection_cmdline:
    #     TargetFilename|contains: ':\Windows\TEMP\'
    #     TargetFilename|endswith: '.cmdline'
    # ASP.NET pages compiled into App_Web_*.dll during the exploitation window
    selection_compiled_asp:
        CreationUtcTime|startswith:
            - '2023-03-'
            - '2023-04-'
            - '2023-05-'
            - '2023-06-'
        TargetFilename|contains|all:
            - '\Windows\Microsoft.net\Framework64\v'
            - '\Temporary ASP.NET Files\'
            - 'App_Web_'
        TargetFilename|endswith: '.dll'
    condition: 1 of selection_*
falsepositives:
    - To avoid FP, this rule should only be applied on MOVEit servers.
level: high
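To show how the three selections and the `1 of selection_*` condition behave on real-looking telemetry, here is an added Python matcher that re-implements the rule's logic (Sigma `contains`, `startswith`, `endswith` and `contains|all` with case-insensitive string matching) and runs it over constructed Sysmon-style file-creation records. This is example code written for this page, not the Sigma project's own engine or pySigma; the five sample events and their paths are constructed, and the date prefixes are taken as `2023-03-` through `2023-06-` without a trailing space, since a prefix ending in a space could never match a timestamp.

```python
"""Evaluate the MOVEit CVE-2023-34362 file_event Sigma logic over sample events.

Added example, not part of the Sigma project. Semantics follow Sigma conventions:
values inside one field entry are OR'ed (AND'ed when the |all modifier is set),
field entries inside one selection are AND'ed, and string matching is
case-insensitive.
"""
from typing import Dict, List, Tuple

# One clause = (field, modifiers, values); modifiers is e.g. ("contains",) or ("contains", "all")
Clause = Tuple[str, Tuple[str, ...], List[str]]

RULE: Dict[str, List[Clause]] = {
    "selection_generic": [
        ("TargetFilename", ("contains",),
         ["\\MOVEit Transfer\\wwwroot\\", "\\MOVEitTransfer\\wwwroot\\"]),
        ("TargetFilename", ("endswith",),
         [".7z", ".bat", ".dll", ".exe", ".ps1", ".rar", ".vbe", ".vbs", ".zip"]),
    ],
    "selection_known_ioc": [
        ("TargetFilename", ("endswith",), [
            "\\MOVEit Transfer\\wwwroot\\_human2.aspx.lnk",
            "\\MOVEit Transfer\\wwwroot\\_human2.aspx",
            "\\MOVEit Transfer\\wwwroot\\human2.aspx.lnk",
            "\\MOVEit Transfer\\wwwroot\\human2.aspx",
            "\\MOVEitTransfer\\wwwroot\\_human2.aspx.lnk",
            "\\MOVEitTransfer\\wwwroot\\_human2.aspx",
            "\\MOVEitTransfer\\wwwroot\\human2.aspx.lnk",
            "\\MOVEitTransfer\\wwwroot\\human2.aspx",
        ]),
    ],
    "selection_compiled_asp": [
        # Assumption: prefixes without the trailing space shown on some renderings of the rule
        ("CreationUtcTime", ("startswith",), ["2023-03-", "2023-04-", "2023-05-", "2023-06-"]),
        ("TargetFilename", ("contains", "all"),
         ["\\Windows\\Microsoft.net\\Framework64\\v", "\\Temporary ASP.NET Files\\", "App_Web_"]),
        ("TargetFilename", ("endswith",), [".dll"]),
    ],
}


def _value_matches(op: str, field_value: str, pattern: str) -> bool:
    """Apply one Sigma string modifier, case-insensitively."""
    fv, p = field_value.lower(), pattern.lower()
    if op == "contains":
        return p in fv
    if op == "startswith":
        return fv.startswith(p)
    if op == "endswith":
        return fv.endswith(p)
    raise ValueError(f"unsupported modifier: {op}")


def clause_matches(event: Dict[str, str], clause: Clause) -> bool:
    """A missing field never matches; |all turns the value list from OR into AND."""
    field, mods, values = clause
    fv = event.get(field)
    if fv is None:
        return False
    hits = [_value_matches(mods[0], fv, v) for v in values]
    return all(hits) if "all" in mods else any(hits)


def matched_selections(event: Dict[str, str]) -> List[str]:
    """Names of every selection whose clauses all match (AND within a selection)."""
    return [name for name, clauses in RULE.items()
            if all(clause_matches(event, c) for c in clauses)]


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: 1 of selection_*  ->  any selection matching fires the rule."""
    return bool(matched_selections(event))


# Constructed Sysmon Event ID 11-style records (paths and times are made up).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"TargetFilename": "C:\\MOVEit Transfer\\wwwroot\\human2.aspx",
     "CreationUtcTime": "2023-06-01 03:12:44.118"},
    {"TargetFilename": "C:\\MOVEitTransfer\\wwwroot\\images\\helper.dll",
     "CreationUtcTime": "2023-06-01 03:13:02.000"},
    {"TargetFilename": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Temporary ASP.NET Files"
                       "\\root\\a1b2c3d4\\e5f6a7b8\\App_Web_human2.aspx.abcd1234.dll",
     "CreationUtcTime": "2023-06-01 03:13:05.000"},
    # Benign: image file under the web root (wrong extension for selection_generic)
    {"TargetFilename": "C:\\MOVEit Transfer\\wwwroot\\images\\logo.png",
     "CreationUtcTime": "2023-06-01 08:00:00.000"},
    # Benign: ASP.NET recompile outside the 2023-03..06 window
    {"TargetFilename": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Temporary ASP.NET Files"
                       "\\root\\a1b2c3d4\\e5f6a7b8\\App_Web_default.aspx.1234abcd.dll",
     "CreationUtcTime": "2022-11-20 10:00:00.000"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{'ALERT' if rule_matches(ev) else 'ok   '} {matched_selections(ev)} {ev['TargetFilename']}")
```

Running it shows why the `falsepositives` note matters: the third event fires on `selection_compiled_asp` purely because an `App_Web_*.dll` was compiled inside the date window, which any ASP.NET application recompiling in that period would also do, so the rule is only meaningful on hosts that actually run MOVEit Transfer.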