feat: more updates to the MOVEit exploitation rules (#4285)

2023-06-04 00:24:22 +02:00
parent 04cf7e9ea3
commit 8bd1e2bc63
3 changed files with 41 additions and 15 deletions
@@ -14,4 +14,5 @@ You can find more information on the threat in the following articles:

 ## Rules

- [Potential MOVEit Transfer Exploitation](./file_event_win_exploit_other_moveit_transfer.yml)
+- [Potential MOVEit Transfer CVE-2023-34362 Exploitation](./file_event_win_exploit_cve_2023_34362_moveit_transfer.yml)
+- [MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request](web_cve_2023_34362_known_payload_request.yml.yml)
@@ -1,9 +1,7 @@
-title: Potential MOVEit Transfer Exploitation
+title: Potential MOVEit Transfer CVE-2023-34362 Exploitation
 id: c3b2a774-3152-4989-83c1-7afc48fd1599
 status: experimental
-description: |
-    Detects the creation of files with unexpected extensions in the web root folder of the MOVEit Transfer service.
-    Reports mentioned uncommon file types in the "wwwroot" folder as a sign of potential compromise. Attackers used that folder as a staging directory for the exfiltration.
+description: Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
 references:
    - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
    - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
@@ -11,6 +9,7 @@ references:
    - https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/01
+modified: 2023/06/03
 tags:
    - attack.initial_access
    - attack.t1190
@@ -34,19 +33,24 @@ detection:
            - '.zip'
    selection_known_ioc:
        TargetFilename|endswith:
+            - '\MOVEit Transfer\wwwroot\_human2.aspx.lnk'
+            - '\MOVEit Transfer\wwwroot\_human2.aspx'
+            - '\MOVEit Transfer\wwwroot\human2.aspx.lnk'
            - '\MOVEit Transfer\wwwroot\human2.aspx'
+            - '\MOVEitTransfer\wwwroot\_human2.aspx.lnk'
+            - '\MOVEitTransfer\wwwroot\_human2.aspx'
+            - '\MOVEitTransfer\wwwroot\human2.aspx.lnk'
            - '\MOVEitTransfer\wwwroot\human2.aspx'
+    # Uncomment selection if you wanna threat hunt for additional artifacts
+    #selection_cmdline:
+    #    TargetFilename|contains: ':\Windows\TEMP\'
+    #    TargetFilename|endswith: '.cmdline'
    selection_compiled_asp:
        CreationUtcTime|startswith:
-            - '2023-05-26 '
-            - '2023-05-27 '
-            - '2023-05-28 '
-            - '2023-05-29 '
-            - '2023-05-30 '
-            - '2023-05-31 '
-            - '2023-06-01 '
-            - '2023-06-02 '
-            - '2023-06-03 '
+            - '2023-03- '
+            - '2023-04- '
+            - '2023-05- '
+            - '2023-06- '
        TargetFilename|contains|all:
            - '\Windows\Microsoft.net\Framework64\v'
            - '\Temporary ASP.NET Files\'
@@ -54,5 +58,5 @@ detection:
        TargetFilename|endswith: '.dll'
    condition: 1 of selection_*
 falsepositives:
-    - Unlikely
+    - To avoid FP, this rule should only be applied on MOVEit servers.
 level: high
@@ -0,0 +1,21 @@
+title: MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
+id: 435e41f2-48eb-4c95-8a2b-ed24b50ec30b
+status: experimental
+description: Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362
+references:
+    - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
+    - https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/03
+logsource:
+    category: webserver
+detection:
+    selection:
+        cs-method: 'GET'
+        cs-uri-stem:
+            - '/human2.aspx'
+            - '/_human2.aspx'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high