Phoenix
Sigma IntelligenceBeta
Back to Rules
Emerging Threathightest

Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity

Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)Created Thu Jun 01Updated Tue Aug 13c3b2a774-3152-4989-83c1-7afc48fd15992023
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic3 selectors
detection:
    selection_generic:
        TargetFilename|contains:
            - '\MOVEit Transfer\wwwroot\'
            - '\MOVEitTransfer\wwwroot\'
        TargetFilename|endswith:
            - '.7z'
            - '.bat'
            - '.dll'
            - '.exe'
            - '.ps1'
            - '.rar'
            - '.vbe'
            - '.vbs'
            - '.zip'
    selection_known_ioc:
        TargetFilename|endswith:
            - '\MOVEit Transfer\wwwroot\_human2.aspx.lnk'
            - '\MOVEit Transfer\wwwroot\_human2.aspx'
            - '\MOVEit Transfer\wwwroot\human2.aspx.lnk'
            - '\MOVEit Transfer\wwwroot\human2.aspx'
            - '\MOVEitTransfer\wwwroot\_human2.aspx.lnk'
            - '\MOVEitTransfer\wwwroot\_human2.aspx'
            - '\MOVEitTransfer\wwwroot\human2.aspx.lnk'
            - '\MOVEitTransfer\wwwroot\human2.aspx'
    # Uncomment selection if you wanna threat hunt for additional artifacts
    # selection_cmdline:
    #    TargetFilename|contains: ':\Windows\TEMP\'
    #    TargetFilename|endswith: '.cmdline'
    selection_compiled_asp:
        CreationUtcTime|startswith:
            - '2023-03- '
            - '2023-04- '
            - '2023-05- '
            - '2023-06- '
        TargetFilename|contains|all:
            - '\Windows\Microsoft.net\Framework64\v'
            - '\Temporary ASP.NET Files\'
            - 'App_Web_'
        TargetFilename|endswith: '.dll'
    condition: 1 of selection_*
False Positives

To avoid FP, this rule should only be applied on MOVEit servers.

References
1
Resolving title…
bleepingcomputer.com
2
Resolving title…
community.progress.com
3
Resolving title…
rapid7.com
4
Resolving title…
reddit.com
MITRE ATT&CK

Other

cve.2023-34362detection.emerging-threats
Rule Metadata
Rule ID
c3b2a774-3152-4989-83c1-7afc48fd1599
Status
test
Level
high
Type
Emerging Threat
Created
Thu Jun 01
Modified
Tue Aug 13
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Path
rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml
Raw Tags
attack.initial-accessattack.t1190cve.2023-34362detection.emerging-threats
View on GitHub