Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
Detects the execution of "csc.exe" via the "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.
MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\([a-z0-9]{5,12})\([a-z0-9]{5,12})\App_Web_[a-z0-9]{5,12}.dll.
Hunting Opportunity
Events from IIS dynamically compiling binaries via csc.exe on behalf of the MOVEit application, especially since May 27th, should be investigated.
Sigma rule

```yaml
title: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
id: 39ac1fb0-07f1-474b-b97e-c5c0eace0d79
status: test
description: |
    Detects the execution of "csc.exe" via the "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.

    MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll.

    Hunting Opportunity

    Events from IIS dynamically compiling binaries via csc.exe on behalf of the MOVEit application, especially since May 27th, should be investigated.
references:
    - https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
    - https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/
author: '@kostastsale'
date: 2023-06-01
tags:
    - attack.execution
    - attack.t1059
    - cve.2023-34362
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\w3wp.exe'
        ParentCommandLine|contains: 'moveitdmz pool'
        Image|endswith: '\csc.exe'
    condition: selection
falsepositives:
    - Initial software installation and software updates.
level: medium
```
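To show how the selection above behaves against process-creation telemetry, here is an added Python example; it is not part of the Sigma rule or of the page. It applies the rule's three field conditions with Sigma's default case-insensitive `endswith`/`contains` matching to constructed Sysmon-style events, and separately checks a file path against the Temporary ASP.NET Files pattern quoted in the description. The sample events, the other app-pool and parent-process names, and the `re.IGNORECASE` relaxation of the path regex (Windows paths are case-insensitive) are assumptions made for this example.

```python
import re

# Selection copied from the Sigma rule above (field|modifier: pattern).
SELECTION = {
    "ParentImage|endswith": "\\w3wp.exe",
    "ParentCommandLine|contains": "moveitdmz pool",
    "Image|endswith": "\\csc.exe",
}

# DLL drop location from the rule description. IGNORECASE is an assumption
# added here; the description itself writes the directory names as [a-z0-9].
APP_WEB_DLL_RE = re.compile(
    r"C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files"
    r"\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll",
    re.IGNORECASE,
)

# Constructed Sysmon Event ID 1 style events; all values are invented for
# this example and are not telemetry from the page.
SAMPLE_EVENTS = [
    {   # IIS worker for the MOVEit app pool spawning the C# compiler -> should alert
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "MOVEitDMZ Pool" -v "v4.0" -l "webengine4.dll"',
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
    },
    {   # Same compiler spawn from a different (assumed) app pool -> not this rule
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0" -l "webengine4.dll"',
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
    },
    {   # Developer build (assumed parent) -> no w3wp parent, no alert
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
        "ParentCommandLine": r'"C:\Program Files\Microsoft Visual Studio\devenv.exe"',
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
    },
]


def _field_matches(value, modifier, pattern):
    """Evaluate one Sigma string modifier; Sigma matching is case-insensitive by default."""
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "startswith":
        return v.startswith(p)
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_selection(event, selection=SELECTION):
    """True when every condition in the selection map holds (Sigma ANDs the map entries)."""
    for key, pattern in selection.items():
        field, modifier = key.split("|", 1)
        value = event.get(field)
        if value is None or not _field_matches(value, modifier, pattern):
            return False
    return True


def alerts(events):
    """Return the indices of events that satisfy the rule's selection."""
    return [i for i, e in enumerate(events) if matches_selection(e)]


def is_app_web_dll(path):
    """True when a written file path matches the Temporary ASP.NET Files pattern above."""
    return APP_WEB_DLL_RE.fullmatch(path) is not None


if __name__ == "__main__":
    for i in alerts(SAMPLE_EVENTS):
        print(f"event {i}: csc.exe spawned by the MOVEit app pool worker -> investigate")
    sample_dll = (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files"
                  r"\root\a1b2c3d4\9f8e7d6c\App_Web_kd93jx.dll")
    print("path matches App_Web pattern:", is_app_web_dll(sample_dll))
```

The second sample event is the reason the rule pins `ParentCommandLine` to the MOVEit pool name: ASP.NET compiles pages on demand for any application, so `w3wp.exe -> csc.exe` on its own is routine, and the app-pool name is what separates this activity from ordinary IIS behaviour. The path check is useful as a second pivot once an alert fires, to locate the DLL the compiler wrote.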