MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
Detects GET requests to specific files used during the exploitation of MOVEit CVE-2023-34362
Sigma rule (View on GitHub)
title: MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
id: 435e41f2-48eb-4c95-8a2b-ed24b50ec30b
status: test
description: Detects GET requests to specific files used during the exploitation of MOVEit CVE-2023-34362
references:
    - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
    - https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-03
modified: 2023-07-28
tags:
    - cve.2023-34362
    - detection.emerging-threats
    - attack.persistence
    - attack.t1505.003
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
        cs-uri-stem|contains:
            - '/human2.aspx'
            - '/_human2.aspx'
    condition: selection
falsepositives:
    - Unlikely
level: high
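As an added example (not part of the rule or of the Sigma project), the rule's selection applied to a constructed IIS W3C log sample: the log lines, field order and IP addresses are assumptions, and string matching is case-insensitive as Sigma's defaults prescribe.

```python
# Selection from the Sigma rule: cs-method equals GET and cs-uri-stem contains one of these.
# Sigma compares strings case-insensitively by default, so both sides are lowercased below.
URI_STEM_MARKERS = ("/human2.aspx", "/_human2.aspx")

# Constructed IIS W3C log sample (not real traffic); the #Fields directive gives the column order.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-06-01 10:15:01 10.0.0.5 GET /MOVEitTransfer/api/v1/files - 443 alice 203.0.113.7 Mozilla/5.0 200
2023-06-01 10:15:09 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
2023-06-01 10:15:12 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
2023-06-01 10:15:20 10.0.0.5 GET /_HUMAN2.aspx - 443 - 198.51.100.23 curl/8.1 404
2023-06-01 10:15:33 10.0.0.5 GET /human.aspx - 443 bob 203.0.113.9 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")  # W3C values are single-space separated; spaces in values are encoded
        if len(values) != len(fields):
            continue  # malformed entry: skip instead of misaligning columns
        yield dict(zip(fields, values))


def matches_rule(event):
    """Equivalent of the rule's 'selection' block for one parsed event."""
    method = event.get("cs-method", "").lower()
    stem = event.get("cs-uri-stem", "").lower()
    return method == "get" and any(marker in stem for marker in URI_STEM_MARKERS)


def find_hits(text):
    """Return the events that would raise this rule; status code is not a criterion, so a 404 probe still hits."""
    return [event for event in parse_w3c(text) if matches_rule(event)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"ALERT {hit['date']} {hit['time']} {hit['c-ip']} {hit['cs-method']} {hit['cs-uri-stem']} sc-status={hit['sc-status']}")
```

On the sample this flags the two GET requests to the web shell paths (including the mixed-case 404 probe) and leaves the POST and the unrelated /human.aspx request alone.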
Related rules
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- DEWMODE Webshell Access
- Oracle WebLogic Exploit
- Solarwinds SUPERNOVA Webshell Access
- Antivirus Web Shell Detection