MOVEit exploitation
MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\([a-z0-9]{5,12})\([a-z0-9]{5,12})\App_Web_[a-z0-9]{5,12}.dll.

Hunting Opportunity

Events in which IIS (w3wp.exe) dynamically compiles binaries via csc.exe on behalf of the MOVEit application pool, especially since May 27th, should be investigated.
Sigma rule
```yaml
title: MOVEit exploitation
hypothesis: MOVEit affected hosts execute csc.exe via w3wp.exe process to dynamically compile malicious DLL file.
description: >
    MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under
    C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll.

    Hunting Opportunity
    ---

    Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.
status: experimental
date: 2023/06/01
author: '@kostastsale'
references:
    - https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
    - https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/
logsource:
    category: process_creation
    product: windows
detection:
    Selection1:
        Image|endswith:
            - '\csc.exe'
        ParentImage|endswith:
            - '\w3wp.exe'
    Selection2:
        ParentCommandLine|contains:
            - 'moveitdmz pool'
    condition: Selection1 and Selection2
falsepositives:
    - "Initial software installation and software updates"
level: medium
tags:
    - attack.execution
    - attack.T1623
```
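The following is an added worked example, not part of the original rule or the author's code: it applies the rule's `Selection1 and Selection2` logic (case-insensitive `endswith`/`contains`, as Sigma defines those modifiers) to a handful of constructed process_creation events, and checks candidate file paths against the App_Web DLL pattern quoted in the description. The event records, the `iisipm` pipe name and the `MOVEITDMZ Pool` command line are constructed sample data that mirror the shape of real w3wp.exe command lines; `matches_rule`, `is_temp_aspnet_dll` and `hunt` are names chosen here, not functions from any hunting tool.

```python
import re
from typing import Dict, List

# Path pattern of the dynamically compiled DLL, taken from the rule description.
# IGNORECASE because NTFS paths (and the random segment names) are case-insensitive.
APP_WEB_DLL_RE = re.compile(
    r"C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\"
    r"[a-z0-9]{5,12}\\[a-z0-9]{5,12}\\App_Web_[a-z0-9]{5,12}\.dll",
    re.IGNORECASE,
)


def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluate 'Selection1 and Selection2' from the Sigma rule on one process_creation event.

    Sigma's endswith/contains modifiers are case-insensitive, so every field is lowered first.
    Selection1: csc.exe spawned by w3wp.exe.  Selection2: the parent IIS worker runs the
    'moveitdmz pool' application pool.
    """
    image = event.get("Image", "").lower()
    parent_image = event.get("ParentImage", "").lower()
    parent_cmd = event.get("ParentCommandLine", "").lower()
    selection1 = image.endswith("\\csc.exe") and parent_image.endswith("\\w3wp.exe")
    selection2 = "moveitdmz pool" in parent_cmd
    return selection1 and selection2


def is_temp_aspnet_dll(path: str) -> bool:
    """True when a file path matches the App_Web_*.dll location named in the rule description."""
    return APP_WEB_DLL_RE.fullmatch(path) is not None


def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of all events the rule fires on, for triage."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical values; only the field shapes follow real Sysmon/4688 data).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # True positive: the MOVEit app pool's worker process compiles a DLL with csc.exe.
        "id": "evt-1",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "MOVEITDMZ Pool" -v "v4.0" '
                             r'-l "webengine4.dll" -a \\.\pipe\iisipm-CONSTRUCTED '
                             r'-h "C:\inetpub\temp\apppools\MOVEITDMZ Pool\MOVEITDMZ Pool.config" -w "" -m 0',
    },
    {   # Benign: a build server compiles with csc.exe, parent is MSBuild, not IIS (Selection1 fails).
        "id": "evt-2",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "ParentImage": r"C:\Program Files\dotnet\MSBuild.exe",
        "ParentCommandLine": r'"C:\Program Files\dotnet\MSBuild.exe" build.proj',
    },
    {   # Another IIS site compiles a page on first request; not the MOVEit pool (Selection2 fails).
        "id": "evt-3",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0"',
    },
    {   # Child is not csc.exe, so this specific rule stays quiet (Selection1 fails).
        "id": "evt-4",
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "MOVEITDMZ Pool" -v "v4.0"',
    },
]

if __name__ == "__main__":
    print("rule hits:", hunt(SAMPLE_EVENTS))
    sample_dll = (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root"
                  r"\a1b2c3d4\e5f6a7b8\App_Web_xyz123ab.dll")
    print("App_Web DLL path match:", is_temp_aspnet_dll(sample_dll))
```

Running it flags only `evt-1`. The `evt-3` case illustrates the rule's stated false positive: legitimate ASP.NET sites also compile through csc.exe under w3wp.exe on first request or after an update, which is why the rule restricts the parent command line to the MOVEit application pool and is rated medium. The DLL-path check is useful as a second pivot, for example over file-creation telemetry, once a process hit has been found.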
Related rules
- PCRE.NET Package Image Load
- Regsvr32 DLL Execution With Uncommon Extension
- Download From Suspicious TLD - Blacklist
- Alternate PowerShell Hosts - PowerShell Module
- Usage Of Web Request Commands And Cmdlets