MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request

Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362

Sigma rule (View on GitHub)

 1title: MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
 2id: 435e41f2-48eb-4c95-8a2b-ed24b50ec30b
 3status: test
 4description: Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362
 5references:
 6    - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
 7    - https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023-06-03
10modified: 2023-07-28
11tags:
12    - cve.2023-34362
13    - detection.emerging-threats
14    - attack.persistence
15    - attack.t1505.003
16logsource:
17    category: webserver
18detection:
19    selection:
20        cs-method: 'GET'
21        cs-uri-stem|contains:
22            - '/human2.aspx'
23            - '/_human2.aspx'
24    condition: selection
25falsepositives:
26    - Unlikely
27level: high

References

Related rules

to-top