CVE 2023 34362 MOVEit Transfer Exploit
CVE 2023 34362 MOVEit Transfer Exploit is tracked here as an exploit or named intrusion pattern with 3 Sigma detections spanning 2023. Coverage centers on webserver, windows / file_event, windows / process_creation.
Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362
Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files. MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll. Hunting Opportunity Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.