MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request

 1title: MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
 2id: 435e41f2-48eb-4c95-8a2b-ed24b50ec30b
 3status: experimental
 4description: Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362
 5references:
 6    - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
 7    - https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023/06/03
10modified: 2023/07/28
11tags:
12    - cve.2023.34362
13    - detection.emerging_threats
14    - attack.persistence
15    - attack.t1505.003
16logsource:
17    category: webserver
18detection:
19    selection:
20        cs-method: 'GET'
21        cs-uri-stem|contains:
22            - '/human2.aspx'
23            - '/_human2.aspx'
24    condition: selection
25falsepositives:
26    - Unlikely
27level: high

References

• Progress Customer Community

  Loading ×Sorry to interrupt CSS Error Refresh

  
  Read More

• Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft | Mandiant

  

  UPDATE (June 9): On June 6, 2023, Mandiant merged UNC4857 into FIN11 based on targeting, infrastructure, certificate and data leak site (DLS) overlaps. This blog post has been updated to reflect th...

  
  Read More

Related rules

• CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
• DEWMODE Webshell Access
• Oracle WebLogic Exploit
• Solarwinds SUPERNOVA Webshell Access
• Suspicious Computer Account Name Change CVE-2021-42287