MOVEit exploitation
MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\([a-z0-9]{5,12})\([a-z0-9]{5,12})\App_Web_[a-z0-9]{5,12}.dll.

Hunting Opportunity

Events from IIS dynamically compiling binaries via csc.exe on behalf of the MOVEit application, especially since May 27th, should be investigated.
Sigma rule
title: MOVEit exploitation
id: 39ac1fb0-07f1-474b-b97e-c5c0eace0d79
hypothesis: MOVEit affected hosts execute csc.exe via w3wp.exe process to dynamically compile malicious DLL file.
description: >
  MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under
  C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll.

  Hunting Opportunity
  ---

  Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.
status: experimental
date: 2023/06/01
author: '@kostastsale'
references:
  - https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
  - https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/
logsource:
  category: process_creation
  product: windows
detection:
  Selection1:
    Image|endswith:
      - '\csc.exe'
    ParentImage|endswith:
      - '\w3wp.exe'
  Selection2:
    ParentCommandLine|contains:
      - 'moveitdmz pool'
  condition: Selection1 and Selection2
falsepositives:
  - "Initial software installation and software updates"
level: medium
tags:
  - attack.execution
  - attack.T1623