Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE

Detects "csc.exe" being launched by the IIS worker process "w3wp.exe". On hosts where MOVEit Transfer has been exploited, the worker process serving the MOVEit application invokes "csc.exe" to dynamically compile attacker-supplied ASP.NET content into DLL files.

MOVEit Transfer is affected by a critical vulnerability (CVE-2023-34362). ASP.NET compiles a page the first time it is requested, so an attacker-dropped .aspx file is turned into a DLL by csc.exe on the attacker's first visit. Exploited hosts therefore show evidence of a DLL being dynamically compiled and written under C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\([a-z0-9]{5,12})\([a-z0-9]{5,12})\App_Web_[a-z0-9]{5,12}.dll.

Hunting Opportunity

Process-creation events in which the IIS worker process dynamically compiles binaries via csc.exe on behalf of the MOVEit application should be investigated, especially those from May 27th, 2023 onwards. Two caveats when applying the rule below: it keys on the default application pool name ("MOVEitDMZ Pool", passed to w3wp.exe via -ap) in the parent command line, so an installation with a renamed pool will not match until the ParentCommandLine filter is adjusted; and a legitimate install or upgrade of MOVEit Transfer recompiles its pages through the same csc.exe path, which is the false-positive case listed in the rule.

Sigma rule

title: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
id: 39ac1fb0-07f1-474b-b97e-c5c0eace0d79
status: test
description: |
    Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.

    MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll.

    Hunting Opportunity

    Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.
references:
    - https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
    - https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/
author: '@kostastsale'
date: 2023-06-01
tags:
    - attack.execution
    - attack.t1059
    - cve.2023-34362
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\w3wp.exe'
        ParentCommandLine|contains: 'moveitdmz pool'
        Image|endswith: '\csc.exe'
    condition: selection
falsepositives:
    - Initial software installation and software updates.
level: medium
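The following is an added example, not part of the Sigma rule or of the SigmaHQ project: it reimplements the rule's `selection` (Sigma `endswith`/`contains` are case-insensitive, and the keys of a selection map are ANDed) and runs it over constructed process-creation events, applies the May 27th hunting window, and checks candidate file paths against the compiled-DLL pattern from the description. The event field names follow Sigma's Windows process_creation taxonomy; the sample events, timestamps, pool names and paths are all constructed for illustration.

```python
"""Evaluate the MOVEit csc.exe Sigma selection over constructed sample events."""
import re
from datetime import datetime, timezone

# Constructed sample events (not real logs). Field names are the Sigma
# process_creation names that Sysmon EID 1 / Security 4688 are mapped to.
SAMPLE_EVENTS = [
    {  # exploited host: IIS worker for the MOVEit pool compiles a DLL, inside the hunt window
        "UtcTime": "2023-05-28T03:12:44Z",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "MOVEitDMZ Pool" -v "v4.0" -l "webengine4.dll"',
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\a1b2c3d4\9f8e7d6c\App_Web_k2jx1qz9.cmdline"',
    },
    {  # same selection hit, but before the hunt window (e.g. a legitimate upgrade)
        "UtcTime": "2023-05-20T11:00:00Z",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "MOVEitDMZ Pool" -v "v4.0" -l "webengine4.dll"',
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\a1b2c3d4\1122aabb\App_Web_pq7w3mz1.cmdline"',
    },
    {  # MOVEit pool spawning cmd.exe: suspicious, but not what this rule covers
        "UtcTime": "2023-05-28T03:13:02Z",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "MOVEitDMZ Pool" -v "v4.0" -l "webengine4.dll"',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c whoami',
    },
    {  # csc.exe from a different (renamed/unrelated) app pool: no match
        "UtcTime": "2023-05-29T09:41:10Z",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0" -l "webengine4.dll"',
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\b5c6d7e8\33445566\App_Web_zz9yy8xx.cmdline"',
    },
    {  # csc.exe from a build tool, not IIS: no match
        "UtcTime": "2023-05-29T10:00:00Z",
        "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "ParentCommandLine": r'MSBuild.exe project.csproj',
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "CommandLine": r'csc.exe /noconfig @"C:\build\obj\x.rsp"',
    },
]


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma `endswith` modifier: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())


def sigma_contains(value: str, needle: str) -> bool:
    """Sigma `contains` modifier: case-insensitive substring match."""
    return needle.lower() in value.lower()


def matches_selection(event: dict) -> bool:
    """The rule's `selection` map: every field condition must hold (AND)."""
    return (
        sigma_endswith(event.get("ParentImage", ""), r"\w3wp.exe")
        and sigma_contains(event.get("ParentCommandLine", ""), "moveitdmz pool")
        and sigma_endswith(event.get("Image", ""), r"\csc.exe")
    )


# Start of the hunting window named on the page (May 27th, 2023; year assumed from the rule date).
HUNT_START = datetime(2023, 5, 27, tzinfo=timezone.utc)


def hunt(events, since: datetime = HUNT_START) -> list:
    """Selection hits at or after `since`, the events the page says to investigate first."""
    hits = []
    for ev in events:
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts >= since and matches_selection(ev):
            hits.append(ev)
    return hits


# Compiled-DLL path pattern taken from the rule description (64-bit framework only;
# a 32-bit app pool would compile under Framework\ instead and needs a second pattern).
COMPILED_DLL_RE = re.compile(
    r"C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\"
    r"([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll$",
    re.IGNORECASE,
)


def is_dynamic_compile_artifact(path: str) -> bool:
    """True if a file path (e.g. from a file-create event) is a dynamically compiled ASP.NET DLL."""
    return COMPILED_DLL_RE.search(path) is not None


if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print("INVESTIGATE:", ev["UtcTime"], ev["CommandLine"])
```

The pre-window event is still a selection hit and is worth a look (the rule's false-positive entry covers exactly that install/upgrade case); the window only orders the triage, it does not clear earlier compilations.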
