-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: add emerging threats rule related to MOVEit Transfer exploitati…
…on (#4281)
- Loading branch information
Showing
2 changed files
with
53 additions
and
0 deletions.
There are no files selected for viewing
15 changes: 15 additions & 0 deletions
15
rules-emerging-threats/2023/Exploits/MOVEit-Transfer-Unknown-Exploit/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| # MOVEit Transfer Critical Vulnerability (May 2023) | ||
|
|
||
| ## Summary | ||
|
|
||
| Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. | ||
|
|
||
| You can find more information on the threat in the following articles: | ||
|
|
||
| - [New MOVEit Transfer zero-day mass-exploited in data theft attacks](https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/) | ||
| - [MOVEit Transfer Critical Vulnerability (May 2023)](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023) | ||
| - [Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability](https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/) | ||
|
|
||
| ## Rules | ||
|
|
||
| - [Potential MOVEit Transfer Exploitation](./file_event_win_exploit_other_moveit_transfer.yml) |
38 changes: 38 additions & 0 deletions
38
...Exploits/MOVEit-Transfer-Unknown-Exploit/file_event_win_exploit_other_moveit_transfer.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| title: Potential MOVEit Transfer Exploitation | ||
| id: c3b2a774-3152-4989-83c1-7afc48fd1599 | ||
| status: experimental | ||
| description: | | ||
| Detects the creation of files with unexpected extensions in the web root folder of the MOVEit Transfer service. | ||
| Reports mentioned uncommon file types in the "wwwroot" folder as a sign of potential compromise. Attackers used that folder as a staging directory for the exfiltration. | ||
| references: | ||
| - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/ | ||
| - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 | ||
| - https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/ | ||
| - https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/ | ||
| author: Florian Roth (Nextron Systems) | ||
| date: 2023/06/01 | ||
| tags: | ||
| - attack.initial_access | ||
| - attack.t1190 | ||
| logsource: | ||
| category: file_event | ||
| product: windows | ||
| detection: | ||
| selection_generic: | ||
| TargetFilename|contains: '\MOVEit Transfer\wwwroot\' | ||
| TargetFilename|endswith: | ||
| - '.7z' | ||
| - '.bat' | ||
| - '.dll' | ||
| - '.exe' | ||
| - '.ps1' | ||
| - '.rar' | ||
| - '.vbe' | ||
| - '.vbs' | ||
| - '.zip' | ||
| selection_known_ioc: | ||
| TargetFilename|endswith: '\MOVEit Transfer\wwwroot\human2.aspx' | ||
| condition: 1 of selection_* | ||
| falsepositives: | ||
| - Unlikely | ||
| level: high |