Emerging Threathightest

MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request

Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Sat Jun 03Updated Fri Jul 28435e41f2-48eb-4c95-8a2b-ed24b50ec30b2023

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Web Server Log

CategoryWeb Server Log← raw: webserver

HTTP access logs from web servers capturing request paths, methods, and status codes.

Detection Logic

detection:
    selection:
        cs-method: 'GET'
        cs-uri-stem|contains:
            - '/human2.aspx'
            - '/_human2.aspx'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

community.progress.com

Resolving title…

mandiant.com

MITRE ATT&CK

Tactics

TA0003 · Persistence

Sub-techniques

T1505.003 · Web Shell

Other

cve.2023-34362detection.emerging-threats

Rule Metadata

Rule ID

435e41f2-48eb-4c95-8a2b-ed24b50ec30b

Status

test

Level

high

Type

Emerging Threat

Created

Sat Jun 03

Modified

Fri Jul 28

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml

Raw Tags

attack.persistenceattack.t1505.003cve.2023-34362detection.emerging-threats

View on GitHub