Rule: MOVEit Transfer 0day - file creation event #4281

Merged (8 commits) on Jun 1, 2023
@@ -0,0 +1,15 @@
# MOVEit Transfer Critical Vulnerability (May 2023)

## Summary

Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment.

You can find more information on the threat in the following articles:

- [New MOVEit Transfer zero-day mass-exploited in data theft attacks](https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/)
- [MOVEit Transfer Critical Vulnerability (May 2023)](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023)
- [Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability](https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/)

## Rules

- []()
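Review bot: The Rules list at the end of this README is an empty placeholder (`- []()`) with no link text and no target; before merge, fill in the title of the rule this PR adds (Potential MOVEit Transfer Exploitation) and its relative path, otherwise the README points readers nowhere. The Summary line could also state the advisory date (31 May 2023, as the Progress URL indicates) so the README stands on its own without following the links.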
@@ -0,0 +1,38 @@
title: Potential MOVEit Transfer Exploitation
id: c3b2a774-3152-4989-83c1-7afc48fd1599
status: experimental
description: |
Detects the creation of files with unexpected extensions in the web root folder of the MOVEit Transfer service.
Reports mentioned uncommon file types in the "wwwroot" folder as a sign of potential compromise. Attackers used that folder as a staging directory for the exfiltration.
references:
- https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
- https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
- https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/
- https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/
author: Florian Roth (Nextron Systems)
date: 2023/06/01
tags:
- attack.initial_access
- attack.t1190
logsource:
category: file_event
product: windows
detection:
selection_generic:
TargetFilename|contains: '\MOVEit Transfer\wwwroot\'
TargetFilename|endswith:
- '.7z'
- '.bat'
- '.dll'
- '.exe'
- '.ps1'
- '.rar'
- '.vbe'
- '.vbs'
- '.zip'
selection_known_ioc:
TargetFilename|endswith: '\MOVEit Transfer\wwwroot\human2.aspx'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
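Review bot: `falsepositives: Unlikely` understates what `selection_generic` will match: it fires on any `.dll` or `.exe` written anywhere under `\MOVEit Transfer\wwwroot\`, which a vendor patch, upgrade or reinstall of the web application will do as a matter of course, so the first rollout of the fixed MOVEit build will itself trigger this `high` rule on every host. Suggest listing "Software installation and updates of MOVEit Transfer" under `falsepositives`, or adding a filter selection on the installer `Image` and using `1 of selection_* and not filter_*`. The known-IOC selection is fine as written; note that `human2.aspx` is an exact, reported filename and will not catch a renamed drop, which is what the generic selection is for.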