Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "File Created or Modified" AND ((FILENAME contains "\MOVEit Transfer\wwwroot\,\MOVEitTransfer\wwwroot" OR OBJECTNAME contains "\MOVEit Transfer\wwwroot\,\MOVEitTransfer\wwwroot") AND (FILENAME endswith ".7z,.bat,.dll,.exe,.ps1,.rar,.vbe,.vbs,.zip" OR OBJECTNAME endswith ".7z,.bat,.dll,.exe,.ps1,.rar,.vbe,.vbs,.zip")) OR (FILENAME endswith "\MOVEit Transfer\wwwroot\_human2.aspx.lnk,\MOVEit Transfer\wwwroot\_human2.aspx,\MOVEit Transfer\wwwroot\human2.aspx.lnk,\MOVEit Transfer\wwwroot\human2.aspx,\MOVEitTransfer\wwwroot\_human2.aspx.lnk,\MOVEitTransfer\wwwroot\_human2.aspx,\MOVEitTransfer\wwwroot\human2.aspx.lnk,\MOVEitTransfer\wwwroot\human2.aspx" OR OBJECTNAME endswith "\MOVEit Transfer\wwwroot\_human2.aspx.lnk,\MOVEit Transfer\wwwroot\_human2.aspx,\MOVEit Transfer\wwwroot\human2.aspx.lnk,\MOVEit Transfer\wwwroot\human2.aspx,\MOVEitTransfer\wwwroot\_human2.aspx.lnk,\MOVEitTransfer\wwwroot\_human2.aspx,\MOVEitTransfer\wwwroot\human2.aspx.lnk,\MOVEitTransfer\wwwroot\human2.aspx") OR (CREATIONUTCTIME startswith "2023-03- ,2023-04- ,2023-05- ,2023-06- " AND ((FILENAME contains "\Windows\Microsoft.net\Framework64\v" AND FILENAME contains "\Temporary ASP.NET Files" AND FILENAME contains "App_Web_") OR (OBJECTNAME contains "\Windows\Microsoft.net\Framework64\v" AND OBJECTNAME contains "\Temporary ASP.NET Files" AND OBJECTNAME contains "App_Web_")) AND (FILENAME endswith ".dll" OR OBJECTNAME endswith ".dll")) select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.DOMAIN,Action1.OBJECTNAME,Action1.FILENAME,Action1.PROCESSNAME
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
