diff --git a/Packs/CVE_2023_34362_-_MOVEit_SQLI/.pack-ignore b/Packs/CVE_2023_34362_-_MOVEit_SQLI/.pack-ignore
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/CVE_2023_34362_-_MOVEit_SQLI/.secrets-ignore b/Packs/CVE_2023_34362_-_MOVEit_SQLI/.secrets-ignore
new file mode 100644
index 000000000000..bcc869aaec1c
--- /dev/null
+++ b/Packs/CVE_2023_34362_-_MOVEit_SQLI/.secrets-ignore
@@ -0,0 +1,11 @@
+https://docs.ipswitch.com
+209.222.103.170
+209.97.137.33
+198.27.75.110
+198.12.76.214
+148.113.152.144
+138.197.152.201
+89.39.105.108
+84.234.96.104
+5.252.25.88
+5.252.23.116
\ No newline at end of file
diff --git a/Packs/CVE_2023_34362_-_MOVEit_SQLI/Playbooks/playbook-CVE-2023-34362_-_MOVEit_Transfer_SQL_Injection.yml b/Packs/CVE_2023_34362_-_MOVEit_SQLI/Playbooks/playbook-CVE-2023-34362_-_MOVEit_Transfer_SQL_Injection.yml
new file mode 100644
index 000000000000..cfa9b5bda3d2
--- /dev/null
+++ b/Packs/CVE_2023_34362_-_MOVEit_SQLI/Playbooks/playbook-CVE-2023-34362_-_MOVEit_Transfer_SQL_Injection.yml
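Review bot: The `.secrets-ignore` entries are an allow-list for the repository's secret scanner, so each address should be one the pack actually embeds, yet `209.222.103.170`, `209.97.137.33` and `198.27.75.110` do not appear in the visible part of the playbook (the playbook hunk runs past the end of this chunk, so they may be in the remainder or may be leftovers from an earlier draft). A stale entry silently exempts that value from scanning in every later file of the pack, so the list is worth trimming to exactly the indicators the playbook references, matching the `extractIndicators` text block in task 55. The file also ends without a trailing newline (`\ No newline at end of file`); add one so the last entry `5.252.23.116` is a complete line for line-oriented tooling.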
@@ -0,0 +1,2579 @@ +id: CVE-2023-34362 - MOVEit Transfer SQL Injection +version: -1 +name: CVE-2023-34362 - MOVEit Transfer SQL Injection +description: "### CVE-2023-34362 - Critical SQL Injection vulnerability in MOVEit Transfer.\n\n#### Summary \n\nA critical vulnerability has been identified in MOVEit Transfer, a managed file transfer solution. The vulnerability affects versions prior to the latest release and involves improper input validation. Exploiting this vulnerability can lead to remote execution of arbitrary code, potentially resulting in unauthorized access and compromise of sensitive data.\n\nTo mitigate the risk associated with this vulnerability, it is crucial for users to update to the latest version of MOVEit Transfer that includes necessary security patches.\n\n#### Affected Products \n\n\n| Affected Version | Fixed Version | Documentation |\n|-------------------------------|---------------------------|-------------------------------------|\n| MOVEit Transfer 2023.0.0 (15.0) | MOVEit Transfer 2023.0.1 | [MOVEit 2023 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2023/Upgrade/) |\n| MOVEit Transfer 2022.1.x (14.1) | MOVEit Transfer 2022.1.5 | [MOVEit 2022 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2022/Upgrade/) |\n| MOVEit Transfer 2022.0.x (14.0) | MOVEit Transfer 2022.0.4 | [MOVEit 2022 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2022/Upgrade/) |\n| MOVEit Transfer 2021.1.x (13.1) | MOVEit Transfer 2021.1.4 | [MOVEit 2021 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2021/Upgrade/) |\n| MOVEit Transfer 2021.0.x (13.0) | MOVEit Transfer 2021.0.6 | [MOVEit 2021 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2021/Upgrade/) |\n| MOVEit Transfer 2020.1.x (12.1) | Special Patch Available | See [KB 000234559](https://docs.ipswitch.com/MOVEit/2020/234559.htm) |\n| MOVEit Transfer 2020.0.x (12.0) or older | MUST upgrade to a supported version | See [MOVEit Transfer Upgrade and Migration 
Guide](https://docs.ipswitch.com/MOVEit/Transfer2021/UpgradeGuide/) |\n\n\n**This playbook should be triggered manually or can be configured as a job.** \n\nPlease create a new incident and choose the CVE-2023-34362 - MOVEit SQL Injection playbook and Rapid Breach Response incident type.\n\n**The playbook includes the following tasks:**\n\n**IoCs Collection**\n- Blog IoCs download\n- Yara Rules download\n- Sigma rules download\n\n**Hunting:**\n- Microsoft PowerShell hunting script\n- Advanced SIEM hunting queries\n- Indicators hunting\n\n**Mitigations:**\n- Progress official CVE-2023-34362 patch\n- Progress mitigation measures\n- Detection Rules\n - Yara\n - Sigma\n\n\n**References:**\n\n[MOVEit Transfer Critical Vulnerability (May 2023)](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023)\n[MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response](https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response)\n\nNote: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve." 
+starttaskid: "0" +tasks: + "0": + id: "0" + taskid: bf12d27c-1ac2-4fe1-896a-41199b347044 + type: start + task: + id: bf12d27c-1ac2-4fe1-896a-41199b347044 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "1" + - "54" + - "50" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -330, + "y": 130 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: fa42cf99-3a7c-4eaa-8d7d-f45912174f93 + type: title + task: + id: fa42cf99-3a7c-4eaa-8d7d-f45912174f93 + version: -1 + name: Collect Indicators + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "20" + - "55" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 540, + "y": 290 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: 2363610e-9e02-46e1-80d6-9cde602f68eb + type: title + task: + id: 2363610e-9e02-46e1-80d6-9cde602f68eb + version: -1 + name: Tag Indicators + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "5" + - "22" + - "56" + - "57" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -330, + "y": 600 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: 6be9c21a-6f77-48fd-87a5-3da4a748ece0 + type: regular + task: + id: 6be9c21a-6f77-48fd-87a5-3da4a748ece0 + version: -1 + name: Tag CVE Indicators + description: Create indicators to the Threat Intel database only if they are not registered. 
When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue. + scriptName: CreateNewIndicatorsOnly + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "11" + scriptarguments: + indicator_values: + complex: + root: CVE + accessor: ID + tags: + simple: MOVEit, SQL injection, CVE-2023-34362 + type: + simple: CVE + reputationcalc: 2 + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -560, + "y": 750 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: 9acb4dad-e9a7-41b3-8c39-e0624c5c67a4 + type: title + task: + id: 9acb4dad-e9a7-41b3-8c39-e0624c5c67a4 + version: -1 + name: Threat Hunting + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "7" + - "59" + - "48" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -330, + "y": 1210 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: 597cbcec-ab40-4557-8c3a-20c27804b0cd + type: title + task: + id: 597cbcec-ab40-4557-8c3a-20c27804b0cd + version: -1 + name: SIEM Advanced Hunting + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "8" + - "9" + - "14" + - "13" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -330, + "y": 1350 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: 43ee6cdf-703e-4952-8f57-4f6fdd2c321f + type: condition + task: + id: 43ee6cdf-703e-4952-8f57-4f6fdd2c321f + version: -1 + name: Is Splunk Enabled? 
+ description: Check if Splunk instance is enabled. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "40" + "Yes": + - "17" + separatecontext: false + conditions: + - label: "Yes" + condition: + - - operator: isExists + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: SplunkPy + - - operator: isEqualString + left: + value: + simple: modules.state + iscontext: true + right: + value: + simple: active + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -110, + "y": 1550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: 0ccf2492-c288-4a31-8307-e689064bd2c1 + type: condition + task: + id: 0ccf2492-c288-4a31-8307-e689064bd2c1 + version: -1 + name: Is QRadar Enabled? + description: Check if Splunk instance is enabled. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "40" + "Yes": + - "23" + separatecontext: false + conditions: + - label: "Yes" + condition: + - - operator: isExists + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: QRadar_v2 + - - operator: isEqualString + left: + value: + simple: modules.state + iscontext: true + right: + value: + simple: active + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -550, + "y": 1550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "11": + id: "11" + taskid: db12e671-7c53-449e-8731-441eace92937 + type: title + task: + id: db12e671-7c53-449e-8731-441eace92937 + version: -1 + name: Set Rapid Breach Response Layout + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "12" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -330, + "y": 920 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "12": + id: "12" + taskid: be39dc74-8a11-48ae-8713-1f225e75269e + type: playbook + task: + id: be39dc74-8a11-48ae-8713-1f225e75269e + version: -1 + name: Rapid Breach Response - Set Incident Info + description: This playbook is responsible for setting up the Rapid Breach Response Incident Info tab in the layout. 
+ playbookName: Rapid Breach Response - Set Incident Info + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "6" + scriptarguments: + SourceOfIndicators: + complex: + root: http.parsedBlog + accessor: sourceLink + countTotalIndicators: + complex: + root: CVE + accessor: ID + transformers: + - operator: append + args: + item: + value: + simple: File.SHA256 + iscontext: true + - operator: append + args: + item: + value: + simple: Domain.Name + iscontext: true + - operator: append + args: + item: + value: + simple: IP.Address + iscontext: true + - operator: uniq + - operator: count + playbookDescription: + complex: + root: inputs.PlaybookDescription + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": -330, + "y": 1050 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "13": + id: "13" + taskid: fb680adc-7457-4c78-83f2-f0d65c58257b + type: condition + task: + id: fb680adc-7457-4c78-83f2-f0d65c58257b + version: -1 + name: Is Elasticsearch Enabled? + description: Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "40" + "Yes": + - "19" + separatecontext: false + conditions: + - label: "Yes" + condition: + - - operator: isExists + left: + value: + complex: + root: modules + filters: + - - operator: containsGeneral + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: Elasticsearch + ignorecase: true + - - operator: isEqualString + left: + value: + simple: modules.state + iscontext: true + right: + value: + simple: active + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 330, + "y": 1550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "14": + id: "14" + taskid: 3552fc8b-26e9-4524-82ba-47bb2a709a2a + type: condition + task: + id: 3552fc8b-26e9-4524-82ba-47bb2a709a2a + version: -1 + name: Is Azure Log Analytics Enabled? + description: Returns 'yes' if integration brand is available. 
Otherwise returns 'no' + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "40" + "yes": + - "15" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: Azure Log Analytics + ignorecase: true + - - operator: isEqualString + left: + value: + simple: modules.state + iscontext: true + right: + value: + simple: active + ignorecase: true + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -990, + "y": 1550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "15": + id: "15" + taskid: f771f522-4e22-4783-8717-9437c05364fb + type: regular + task: + id: f771f522-4e22-4783-8717-9437c05364fb + version: -1 + name: ASPX file creation by w3wp.exe + description: Detects ASPX file creation by the w3wp.exe process. + tags: + - SIEMResults + script: '|||azure-log-analytics-execute-query' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "62" + scriptarguments: + query: + simple: Sysmon | where (Image endswith @'\w3wp.exe' and TargetFilename contains @'.aspx') + timespan: + complex: + root: inputs.LogAnalyticsTimespan + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -990, + "y": 1730 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "17": + id: "17" + taskid: 4a466f49-4947-4b71-8a0b-12f52a597d06 + type: regular + task: + id: 4a466f49-4947-4b71-8a0b-12f52a597d06 + version: -1 + name: ASPX file creation by w3wp.exe + description: Detects ASPX file creation by the w3wp.exe process. 
+ tags: + - SIEMResults + script: '|||splunk-search' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "63" + scriptarguments: + earliest_time: + complex: + root: inputs.SplunkEarliestTime + query: + simple: index=* ((Image="*\\w3wp.exe") AND (TargetFilename="*.aspx*")) + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -110, + "y": 1730 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "19": + id: "19" + taskid: 17a8638a-6d96-4627-8411-311bac5285e2 + type: regular + task: + id: 17a8638a-6d96-4627-8411-311bac5285e2 + version: -1 + name: ASPX file creation by w3wp.exe + description: Detects ASPX file creation by the w3wp.exe process. + tags: + - SIEMResults + script: '|||es-eql-search' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "64" + scriptarguments: + index: + complex: + root: inputs.ElasticIndex + query: + simple: (process.executable.text:"*\\w3wp.exe" AND file.path.text:"*.aspx*") + timestamp_field: + complex: + root: inputs.ElasticEarliestTime + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 330, + "y": 1730 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "20": + id: "20" + taskid: 06b72db6-e3b8-4cd2-8eb2-0febbed6971e + type: regular + task: + id: 06b72db6-e3b8-4cd2-8eb2-0febbed6971e + version: -1 + name: Collect IoCs from Huntress + description: This script will extract indicators from given HTML and will handle bad top-level domains to avoid false positives caused by file extensions. 
+ scriptName: ParseHTMLIndicators + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + url: + simple: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response + reputationcalc: 2 + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 330, + "y": 430 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "22": + id: "22" + taskid: 521f06be-e2d7-41bc-8f07-276fa1464308 + type: regular + task: + id: 521f06be-e2d7-41bc-8f07-276fa1464308 + version: -1 + name: Tag IP Indicators + description: Create indicators to the Threat Intel database only if they are not registered. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue. + scriptName: CreateNewIndicatorsOnly + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "11" + scriptarguments: + indicator_values: + complex: + root: IP + accessor: Address + tags: + simple: Outlook, 0-day, Microsoft + type: + simple: IP + reputationcalc: 2 + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -990, + "y": 750 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "23": + id: "23" + taskid: 9d3492f4-1d99-444a-8ed1-d8eac62cb083 + type: playbook + task: + id: 9d3492f4-1d99-444a-8ed1-d8eac62cb083 + version: -1 + name: ASPX file creation by w3wp.exe + description: This playbook runs a QRadar query and return its results to the context. 
+ playbookName: QRadarFullSearch + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "65" + scriptarguments: + interval: + simple: "1" + query_expression: + simple: SELECT UTF8(payload) FROM events WHERE LOGSOURCENAME(logsourceid) ILIKE '%sysmon%' AND "Image" ILIKE '%\w3wp.exe' AND "Filename" ILIKE '%.aspx%' + range: + complex: + root: inputs.QRadarTimeRange + timeout: + simple: "600" + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 0 + view: |- + { + "position": { + "x": -550, + "y": 1730 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "34": + id: "34" + taskid: a42e7e2e-00e5-4eef-8105-bfdab412d4e2 + type: condition + task: + id: a42e7e2e-00e5-4eef-8105-bfdab412d4e2 + version: -1 + name: Should continue with the investigation? + description: Whether to continue with the investigation or close it. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "39" + "Yes": + - "38" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -330, + "y": 3190 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "35": + id: "35" + taskid: 61a214b6-9c1b-4834-8f27-87cb8c193829 + type: condition + task: + id: 61a214b6-9c1b-4834-8f27-87cb8c193829 + version: -1 + name: Should block indicators automatically? + description: Checks whether to block the indicators automatically. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "37" + "yes": + - "36" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.autoBlockIndicators + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -330, + "y": 2390 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "36": + id: "36" + taskid: bcabdbb3-48b4-43bd-82b0-73c15b457d9e + type: playbook + task: + id: bcabdbb3-48b4-43bd-82b0-73c15b457d9e + version: -1 + name: Block Indicators - Generic v3 + description: |+ + This playbook blocks malicious indicators using all integrations that are enabled, using the following sub-playbooks: + + - Block URL - Generic v2 + - Block Account - Generic v2 + - Block IP - Generic v3 + - Block File - Generic v2 + - Block Email - Generic + - Block Domain - Generic + + playbookName: Block Indicators - Generic v3 + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "42" + scriptarguments: + AutoBlockIndicators: + simple: "True" + AutoCommit: + simple: "No" + CustomBlockRule: + simple: "True" + CustomURLCategory: + simple: XSOAR Remediation - Malicious URLs + DomainToBlock: + complex: + root: Domain + accessor: Name + transformers: + - operator: uniq + FilesToBlock: + complex: + root: File + accessor: SHA256 + transformers: + - operator: uniq + IP: + complex: + root: IP + accessor: Address + transformers: + - operator: uniq + InputEnrichment: + simple: "False" + MD5: + complex: + root: DBotScore + filters: + - - operator: stringHasLength + left: + value: + simple: DBotScore.Indicator + iscontext: true + right: + value: + simple: "32" + - - operator: greaterThanOrEqual + left: + value: + simple: DBotScore.Score + iscontext: true + right: + value: + simple: 
"3" + - - operator: isEqualString + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: file + - operator: isEqualString + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: hash + accessor: Indicator + transformers: + - operator: uniq + RuleDirection: + simple: outbound + RuleName: + simple: XSOAR - Block Indicators playbook - ${incident.id} + SHA256: + complex: + root: File + accessor: SHA256 + transformers: + - operator: uniq + URL: + complex: + root: DBotScore + filters: + - - operator: isEqualString + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: url + ignorecase: true + - - operator: greaterThanOrEqual + left: + value: + simple: DBotScore.Score + iscontext: true + right: + value: + simple: "3" + accessor: Indicator + transformers: + - operator: uniq + UserVerification: + simple: "True" + Username: + complex: + root: DBotScore + filters: + - - operator: isEqualString + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: username + ignorecase: true + - - operator: greaterThanOrEqual + left: + value: + simple: DBotScore.Score + iscontext: true + right: + value: + simple: "3" + accessor: Indicator + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": -110, + "y": 2560 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "37": + id: "37" + taskid: 0345f447-729c-47a3-8e08-5a341df18e89 + type: regular + task: + id: 0345f447-729c-47a3-8e08-5a341df18e89 + version: -1 + name: Handle indicators manually + description: Manual task for indicators handling. 
+ type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "42" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -550, + "y": 2560 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "38": + id: "38" + taskid: 8ac741ea-62b7-4a00-883d-67cfc88c2ab1 + type: regular + task: + id: 8ac741ea-62b7-4a00-883d-67cfc88c2ab1 + version: -1 + name: Investigate further + description: Continue with the investigation manually. + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "39" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 110, + "y": 3360 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "39": + id: "39" + taskid: 9a7ff786-dd6a-4a84-82c8-f2de1652322c + type: title + task: + id: 9a7ff786-dd6a-4a84-82c8-f2de1652322c + version: -1 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -330, + "y": 3530 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "40": + id: "40" + taskid: 84d23e2d-faf3-4672-816c-9f02d2697f4d + type: title + task: + id: 84d23e2d-faf3-4672-816c-9f02d2697f4d + version: -1 + name: Remediation + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "35" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -330, + "y": 2260 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "42": + id: "42" + taskid: 
0a54ed67-5618-4e6f-8fa3-5d0086aac136 + type: title + task: + id: 0a54ed67-5618-4e6f-8fa3-5d0086aac136 + version: -1 + name: Mitigation + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "47" + - "43" + - "44" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -330, + "y": 2740 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "43": + id: "43" + taskid: 88957532-3350-4dc1-8361-eca8f35b5b72 + type: regular + task: + id: 88957532-3350-4dc1-8361-eca8f35b5b72 + version: -1 + name: Progress mitigation measures + description: | + Recommended Remediation + + To help prevent successful exploitation of the mentioned SQLi vulnerability to your MOVEit Transfer environment, we strongly recommend that you immediately apply the following mitigation measures per the steps below. + + 1. Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment + - More specifically, modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied. + + It is important to note, that until HTTP and HTTPS traffic is enabled again: + - Users will not be able to log on to the MOVEit Transfer web UI + - MOVEit Automation tasks that use the native MOVEit Transfer host will not work + - REST, Java, and .NET APIs will not work + - MOVEit Transfer add-in for Outlook will not work + + Please note: SFTP and FTP/s protocols will continue to work as normal + + Administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/. For more information on localhost connections, please refer to MOVEit Transfer Help. + + 2. Review, Delete and Reset + - Delete Unauthorized Files and User Accounts + - Delete any instances of the human2.aspx and .cmdline script files. 
+ - On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory. + - On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of [.]cmdline + - Remove any unauthorized user accounts. See Progress MOVEit Users Documentation article. + - Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded. For more information on reviewing logs, please refer to MOVEit Transfer Logs guide. + - Review IIS logs for any events including GET /human2.aspx. Large numbers of log entries or entries with large data sizes may indicate unexpected file downloads + - If applicable, review Azure logs for unauthorized access to Azure Blob Storage Keys and consider rotating any potentially affected keys. + + - Reset Credentials + - Reset service account credentials for affected systems and MOVEit Service Account. See KB 000115941. + + 4. Enable all HTTP and HTTPs traffic to your MOVEit Transfer environment + + 5. Verification + - To confirm the files have been successfully deleted and no unauthorized accounts remain, follow steps 2A again. If you do find indicators of compromise, you should reset the service account credentials again. + + 6. Continuous Monitoring + - Monitor network, endpoints, and logs for IoCs (Indicators of Compromise) as listed in the table below. 
+ type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "49" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -330, + "y": 2890 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "44": + id: "44" + taskid: 20ffb6c2-720c-488f-8513-6482cfc216b3 + type: regular + task: + id: 20ffb6c2-720c-488f-8513-6482cfc216b3 + version: -1 + name: Patch vulnerable servers + description: | + | Affected Version | Fixed Version | Documentation | + |-------------------------------|---------------------------|-------------------------------------| + | MOVEit Transfer 2023.0.0 (15.0) | MOVEit Transfer 2023.0.1 | [MOVEit 2023 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2023/Upgrade/) | + | MOVEit Transfer 2022.1.x (14.1) | MOVEit Transfer 2022.1.5 | [MOVEit 2022 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2022/Upgrade/) | + | MOVEit Transfer 2022.0.x (14.0) | MOVEit Transfer 2022.0.4 | | + | MOVEit Transfer 2021.1.x (13.1) | MOVEit Transfer 2021.1.4 | [MOVEit 2021 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2021/Upgrade/) | + | MOVEit Transfer 2021.0.x (13.0) | MOVEit Transfer 2021.0.6 | | + | MOVEit Transfer 2020.1.x (12.1) | Special Patch Available | See [KB 000234559](https://docs.ipswitch.com/MOVEit/2020/234559.htm) | + | MOVEit Transfer 2020.0.x (12.0) or older | MUST upgrade to a supported version | See [MOVEit Transfer Upgrade and Migration Guide](https://docs.ipswitch.com/MOVEit/Transfer2021/UpgradeGuide/) | + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "49" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 110, + "y": 2890 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "47": + id: "47" + taskid: 
31e9d355-3dc6-42e7-8ff7-1ae06614ca26 + type: regular + task: + id: 31e9d355-3dc6-42e7-8ff7-1ae06614ca26 + version: -1 + name: Deploy Yara and Sigma rules + description: | + The Yara rules file is ready to be used in the incident War Room, you can also find it by filtering for '**Yara**' tag. + + File name: expl_outlook_cve_2023_23397.yar + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "49" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -770, + "y": 2890 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "48": + id: "48" + taskid: bc7b492b-80ec-4cf3-860a-e62ef35c9272 + type: title + task: + id: bc7b492b-80ec-4cf3-860a-e62ef35c9272 + version: -1 + name: Indicators Hunting + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "79" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1710, + "y": 1350 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "49": + id: "49" + taskid: 96a79660-ea58-47be-8fe3-b2faf1cffcf6 + type: title + task: + id: 96a79660-ea58-47be-8fe3-b2faf1cffcf6 + version: -1 + name: Resolution + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "34" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -330, + "y": 3060 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "50": + id: "50" + taskid: 278bb014-3667-4c5b-8379-ab5b0b93e8c9 + type: title + task: + id: 278bb014-3667-4c5b-8379-ab5b0b93e8c9 + version: -1 + name: Download Sigma Rules + type: title + iscommand: false + brand: "" + description: '' + nexttasks: 
+ '#none#': + - "52" + - "76" + - "77" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -1390, + "y": 290 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "51": + id: "51" + taskid: 0c2eb88a-cbbf-4aa7-827f-3f4f6f9567e9 + type: regular + task: + id: 0c2eb88a-cbbf-4aa7-827f-3f4f6f9567e9 + version: -1 + name: Download Huntress Yara rules + description: |- + This file contains a Yara rule provided by Huntress. + + Reference: [MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response](https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response) + tags: + - Yara + scriptName: HttpV2 + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + filename: + simple: human2_MOVEit.yar + method: + simple: GET + save_as_file: + simple: "yes" + unsecure: + simple: "True" + url: + simple: https://raw.githubusercontent.com/huntresslabs/threat-intel/main/2023/2023-06/1-MOVEit/yara/human2_MOVEit.yar + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -120, + "y": 430 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "52": + id: "52" + taskid: 835f353f-d4cd-448f-83b3-e9b0dd975259 + type: regular + task: + id: 835f353f-d4cd-448f-83b3-e9b0dd975259 + version: -1 + name: MOVEit exploitation + description: |- + This file contains a Sigma rule provided by [Kostas](https://twitter.com/Kostastsale/status/1664410827804524544). 
+ + Reference: [MOVEit_exploitation.yml](https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/MOVEit_exploitation.yml) + tags: + - Sigma + scriptName: HttpV2 + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + filename: + simple: MOVEit_exploitation.yml + method: + simple: GET + save_as_file: + simple: "yes" + unsecure: + simple: "True" + url: + simple: https://raw.githubusercontent.com/tsale/Sigma_rules/main/Threat%20Hunting%20Queries/MOVEit_exploitation.yml + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -970, + "y": 430 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "54": + id: "54" + taskid: d4d907a8-97f2-42ad-8631-97e4d0dd9e0c + type: title + task: + id: d4d907a8-97f2-42ad-8631-97e4d0dd9e0c + version: -1 + name: Download Yara Rules + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "51" + - "78" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -330, + "y": 290 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "55": + id: "55" + taskid: 1fb4964e-edb8-4b52-8a0e-5e47e245f2dd + type: regular + task: + id: 1fb4964e-edb8-4b52-8a0e-5e47e245f2dd + version: -1 + name: Collect IoCs from Progress + description: commands.local.cmd.extract.indicators + script: Builtin|||extractIndicators + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "3" + scriptarguments: + text: + simple: |- + 5.252.23.116 IPv4 01-Jun-2023 + 5.252.25.88 IPv4 01-Jun-2023 + 84.234.96.104 IPv4 01-Jun-2023 + 89.39.105.108 IPv4 01-Jun-2023 + 138.197.152.201 IPv4 01-Jun-2023 + 148.113.152.144 IPv4 01-Jun-2023 + 198.12.76.214 IPv4 01-Jun-2023 + 
198.27.75.110 IPv4 03-Jun-2023 + 209.97.137.33 IPv4 01-Jun-2023 + 209.222.103.170 IPv4 01-Jun-2023 + Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.102+Safari/537.36 User Agent 02-Jun-2023 + dojustit[.]mooo[.]com Domain 02-Jun-2023 + 0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9 SHA256 Hash 01-Jun-2023 + 110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286 SHA256 Hash 01-Jun-2023 + 1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2 SHA256 Hash 01-Jun-2023 + 2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59 SHA256 Hash 01-Jun-2023 + 58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166 SHA256 Hash 01-Jun-2023 + 98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8 SHA256 Hash 01-Jun-2023 + a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986 SHA256 Hash 01-Jun-2023 + b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03 SHA256 Hash 01-Jun-2023 + cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621 SHA256 Hash 01-Jun-2023 + ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c SHA256 Hash 01-Jun-2023 + 0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9 SHA256 Hash 01-Jun-2023 + 110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286 SHA256 Hash 01-Jun-2023 + 1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2 SHA256 Hash 01-Jun-2023 + 2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59 SHA256 Hash 01-Jun-2023 + 58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166 SHA256 Hash 01-Jun-2023 + 98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8 SHA256 Hash 01-Jun-2023 + a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986 SHA256 Hash 01-Jun-2023 + b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03 SHA256 Hash 01-Jun-2023 + cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621 SHA256 
Hash 01-Jun-2023 + ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c SHA256 Hash 01-Jun-2023 + reputationcalc: 2 + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 750, + "y": 430 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "56": + id: "56" + taskid: 69893722-9e32-43fe-8aec-8c2fca977aff + type: regular + task: + id: 69893722-9e32-43fe-8aec-8c2fca977aff + version: -1 + name: Tag Domain Indicators + description: Create indicators to the Threat Intel database only if they are not registered. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue. + scriptName: CreateNewIndicatorsOnly + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "11" + scriptarguments: + indicator_values: + complex: + root: Domain + accessor: Name + tags: + simple: MOVEit, SQL injection, CVE-2023-34362 + type: + simple: Domain + reputationcalc: 2 + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -100, + "y": 750 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "57": + id: "57" + taskid: 23352a71-0c5d-4df1-8912-4bff93bd3a44 + type: regular + task: + id: 23352a71-0c5d-4df1-8912-4bff93bd3a44 + version: -1 + name: Tag File Indicators + description: Create indicators to the Threat Intel database only if they are not registered. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue. 
+ scriptName: CreateNewIndicatorsOnly + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "11" + scriptarguments: + indicator_values: + complex: + root: File + accessor: SHA256 + tags: + simple: MOVEit, SQL injection, CVE-2023-34362 + type: + simple: File + reputationcalc: 2 + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 330, + "y": 750 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "59": + id: "59" + taskid: 19d4e670-46a1-4906-8064-7b4a76286905 + type: title + task: + id: 19d4e670-46a1-4906-8064-7b4a76286905 + version: -1 + name: Cortex XDR XQL Hunting + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "60" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1040, + "y": 1350 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "60": + id: "60" + taskid: 03e43224-79a9-4112-8273-b1f6a580c0f9 + type: condition + task: + id: 03e43224-79a9-4112-8273-b1f6a580c0f9 + version: -1 + name: Is Cortex XDR - XQL Enabled? + description: Check whether the values provided in arguments are equal. If either of the arguments are missing, no is returned. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "40" + "Yes": + - "61" + separatecontext: false + conditions: + - label: "Yes" + condition: + - - operator: isExists + left: + value: + complex: + root: modules + filters: + - - operator: containsGeneral + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: Cortex XDR - XQL Query Engine + ignorecase: true + - - operator: isEqualString + left: + value: + simple: modules.state + iscontext: true + right: + value: + simple: active + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 1040, + "y": 1550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "61": + id: "61" + taskid: c20d408e-3d6e-47ba-898a-f64487e2d8bd + type: regular + task: + id: c20d408e-3d6e-47ba-898a-f64487e2d8bd + version: -1 + name: ASPX file creation by w3wp moveitdmz pool + description: |- + Execute an XQL query and retrieve results of an executed XQL query API. The command will be executed every 10 seconds until results are retrieved or until a timeout error is raised. + When more than 1000 results are retrieved, the command will return a compressed gzipped JSON format file, + unless the argument 'parse_result_file_to_context' is set to true and then the results will be extracted to the context. 
+ script: '|||xdr-xql-generic-query' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "74" + scriptarguments: + query: + simple: "dataset = xdr_data | filter event_type = 3 \nand event_sub_type in (1,3,6)\nand lowercase(action_file_extension) in (\"aspx\")\nand (causality_actor_process_image_name = \"w3wp.exe\" or actor_process_image_name =\"w3wp.exe\")\nand (lowercase(actor_process_command_line) contains \"%moveitdmz%\" OR lowercase(causality_actor_process_command_line) contains \"%moveitdmz%\")\nand lowercase(action_file_path) contains \"%.aspx%\"" + query_name: + simple: aspx file creation by w3wp moveitdmz + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1220, + "y": 1720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "62": + id: "62" + taskid: bfb17fd1-b1a7-4012-8078-548852e1540e + type: regular + task: + id: bfb17fd1-b1a7-4012-8078-548852e1540e + version: -1 + name: IIS compiling binaries via the csc.exe on behalf of the MOVEit + description: |- + Detects events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, based on the following Sigma rule: + + [MOVEit exploitation](https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/MOVEit_exploitation.yml) + tags: + - SIEMResults + script: '|||azure-log-analytics-execute-query' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "66" + scriptarguments: + query: + simple: SecurityEvent | where EventID == 1 | where (NewProcessName endswith @'\csc.exe' and ParentProcessName endswith @'\w3wp.exe' and ParentCommandLine contains @'moveitdmz pool') + timespan: + complex: + root: inputs.LogAnalyticsTimespan + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -990, + "y": 1900 + } + } + note: false + timertriggers: [] + 
ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "63": + id: "63" + taskid: 53d66f2e-ca70-4d02-8faa-b7cd7714a979 + type: regular + task: + id: 53d66f2e-ca70-4d02-8faa-b7cd7714a979 + version: -1 + name: IIS compiling binaries via the csc.exe on behalf of the MOVEit + description: |- + Detects events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, based on the following Sigma rule: + + [MOVEit exploitation](https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/MOVEit_exploitation.yml) + tags: + - SIEMResults + script: '|||splunk-search' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "67" + scriptarguments: + earliest_time: + complex: + root: inputs.SplunkEarliestTime + query: + simple: index=* source="WinEventLog:*" AND ((Image="*\\csc.exe") AND (ParentImage="*\\w3wp.exe") AND (ParentCommandLine="*moveitdmz pool*")) + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -110, + "y": 1900 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "64": + id: "64" + taskid: edb89eae-0866-4d22-85bd-6da433a7e76a + type: regular + task: + id: edb89eae-0866-4d22-85bd-6da433a7e76a + version: -1 + name: IIS compiling binaries via the csc.exe on behalf of the MOVEit + description: |- + Detects events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, based on the following Sigma rule: + + [MOVEit exploitation](https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/MOVEit_exploitation.yml) + tags: + - SIEMResults + script: '|||es-eql-search' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "68" + scriptarguments: + index: + complex: + root: inputs.ElasticIndex + query: + simple: 
(process.executable.text:"*\\csc.exe" AND process.parent.executable.text:"*\\w3wp.exe" AND process.parent.command_line.text:"*moveitdmz\ pool*") + timestamp_range_start: + complex: + root: inputs.ElasticEarliestTime + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 330, + "y": 1900 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "65": + id: "65" + taskid: 066878ba-eeb6-4c0a-8ada-8dde93b1447b + type: playbook + task: + id: 066878ba-eeb6-4c0a-8ada-8dde93b1447b + version: -1 + name: IIS compiling binaries via the csc.exe on behalf of the MOVEit + description: This playbook runs a QRadar query and return its results to the context. + playbookName: QRadarFullSearch + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "69" + scriptarguments: + interval: + simple: "1" + query_expression: + simple: SELECT UTF8(payload) FROM events WHERE LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' AND CATEGORYNAME(category)='Process Creation Success' AND "Image" ILIKE '%\csc.exe' AND "ParentImage" ILIKE '%\w3wp.exe' AND "ParentCommandLine" ILIKE '%moveitdmz pool%' + range: + complex: + root: inputs.QRadarTimeRange + timeout: + simple: "600" + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 0 + view: |- + { + "position": { + "x": -550, + "y": 1900 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "66": + id: "66" + taskid: 1f85bb36-2c8a-4abd-86ba-3c458d56b960 + type: regular + task: + id: 1f85bb36-2c8a-4abd-86ba-3c458d56b960 + version: -1 + name: 'Detects get requests to specific exploitation related files ' + description: |- + Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362, 
based on the following Sigma rule: + + [MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request](https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml) + tags: + - SIEMResults + script: '|||azure-log-analytics-execute-query' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "40" + scriptarguments: + query: + simple: ApacheHTTPServer | where (HttpRequestMethod =~ @'GET' and cs_uri_stem in~ (@'/human2.aspx', @'/_human2.aspx')) + timespan: + complex: + root: inputs.LogAnalyticsTimespan + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -990, + "y": 2070 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "67": + id: "67" + taskid: dc6a2a15-9776-4622-8099-a6fedf4f7dc5 + type: regular + task: + id: dc6a2a15-9776-4622-8099-a6fedf4f7dc5 + version: -1 + name: 'Detects get requests to specific exploitation related files ' + description: |- + Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362, based on the following Sigma rule: + + [MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request](https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml) + tags: + - SIEMResults + script: '|||splunk-search' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "40" + scriptarguments: + earliest_time: + complex: + root: inputs.SplunkEarliestTime + query: + simple: index=* (cs-method="GET" AND (cs-uri-stem="/human2.aspx" OR cs-uri-stem="/_human2.aspx")) + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -110, + "y": 2070 + } + } + note: false + timertriggers: [] 
+ ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "68": + id: "68" + taskid: 0a019e3b-4e00-4eea-85b2-7cc13ed7160a + type: regular + task: + id: 0a019e3b-4e00-4eea-85b2-7cc13ed7160a + version: -1 + name: 'Detects get requests to specific exploitation related files' + description: |- + Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362, based on the following Sigma rule: + + [MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request](https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml) + tags: + - SIEMResults + script: '|||es-eql-search' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "40" + scriptarguments: + index: + complex: + root: inputs.ElasticIndex + query: + simple: (http.request.method:"GET" AND cs-uri-stem:("/human2.aspx" OR "/_human2.aspx") + timestamp_range_start: + complex: + root: inputs.ElasticEarliestTime + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 330, + "y": 2070 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "69": + id: "69" + taskid: d12ea2bb-6755-40fb-8588-74cce0355749 + type: playbook + task: + id: d12ea2bb-6755-40fb-8588-74cce0355749 + version: -1 + name: 'Detects get requests to specific exploitation related files' + description: This playbook runs a QRadar query and return its results to the context. 
+ playbookName: QRadarFullSearch + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "40" + scriptarguments: + interval: + simple: "1" + query_expression: + simple: SELECT UTF8(payload) FROM events WHERE UTF8(payload) ILIKE '%GET%' AND (UTF8(payload) ILIKE '%/human2.aspx%' OR UTF8(payload) ILIKE '%/_human2.aspx%') + range: + complex: + root: inputs.QRadarTimeRange + timeout: + simple: "600" + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 0 + view: |- + { + "position": { + "x": -550, + "y": 2070 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "74": + id: "74" + taskid: ab5d1ee4-2b50-423a-8a50-4c671a296290 + type: regular + task: + id: ab5d1ee4-2b50-423a-8a50-4c671a296290 + version: -1 + name: IIS compiling binaries via the csc.exe on behalf of the MOVEit + description: |- + Execute an XQL query and retrieve results of an executed XQL query API. The command will be executed every 10 seconds until results are retrieved or until a timeout error is raised. + When more than 1000 results are retrieved, the command will return a compressed gzipped JSON format file, + unless the argument 'parse_result_file_to_context' is set to true and then the results will be extracted to the context. 
+ script: '|||xdr-xql-generic-query' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "75" + scriptarguments: + query: + simple: "dataset = xdr_data\n|filter (causality_actor_process_image_name = \"w3wp.exe\" AND causality_actor_process_command_line contains \"moveit\")\n|filter action_process_image_name = \"csc.exe\"\n|fields _time, agent_hostname, agent_version, actor_effective_username,actor_process_image_name , actor_process_image_sha256, actor_process_command_line,action_process_image_name, action_process_image_sha256 ,action_process_image_command_line, action_process_signature_product " + query_name: + simple: aspx file creation by w3wp moveitdmz + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1220, + "y": 1890 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "75": + id: "75" + taskid: 2636a31e-82e4-4138-8a53-e8e7356816b6 + type: regular + task: + id: 2636a31e-82e4-4138-8a53-e8e7356816b6 + version: -1 + name: 'Detects get requests to specific exploitation related files ' + description: |- + Execute an XQL query and retrieve results of an executed XQL query API. The command will be executed every 10 seconds until results are retrieved or until a timeout error is raised. + When more than 1000 results are retrieved, the command will return a compressed gzipped JSON format file, + unless the argument 'parse_result_file_to_context' is set to true and then the results will be extracted to the context. 
+ script: '|||xdr-xql-generic-query' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "40" + scriptarguments: + query: + simple: dataset in (*)|filter ((`http_method` = "GET") AND (((`uri` = "/human2.aspx") OR (`uri` contains "/_human2.aspx")))) + query_name: + simple: aspx file creation by w3wp moveitdmz + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1220, + "y": 2070 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "76": + id: "76" + taskid: 2dbced88-fb70-46c9-8e60-9c085d30804a + type: regular + task: + id: 2dbced88-fb70-46c9-8e60-9c085d30804a + version: -1 + name: Detects file indicators of potential exploitation + description: |- + This file contains a Sigma rule provided by Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems). + + Reference: [Potential MOVEit Transfer CVE-2023-34362 Exploitation](https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml) + tags: + - Sigma + scriptName: HttpV2 + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + filename: + simple: file_event_win_exploit_cve_2023_34362_moveit_transfer.yml + method: + simple: GET + save_as_file: + simple: "yes" + unsecure: + simple: "True" + url: + simple: https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -1390, + "y": 430 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "77": 
+ id: "77" + taskid: dd87be0f-b4b5-40d1-80ec-d3258ff3b3c4 + type: regular + task: + id: dd87be0f-b4b5-40d1-80ec-d3258ff3b3c4 + version: -1 + name: 'Detects get requests to specific exploitation related files ' + description: |- + This file contains a Sigma rule provided by Nasreddine Bencherchali (Nextron Systems) + + Reference: [MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request](https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml) + tags: + - Sigma + scriptName: HttpV2 + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + filename: + simple: web_cve_2023_34362_known_payload_request.yml.yml + method: + simple: GET + save_as_file: + simple: "yes" + unsecure: + simple: "True" + url: + simple: https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -1810, + "y": 430 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "78": + id: "78" + taskid: 5ecc8e8f-fc89-4af9-81a5-4d46514329c5 + type: regular + task: + id: 5ecc8e8f-fc89-4af9-81a5-4d46514329c5 + version: -1 + name: Download Folrian Roth Yara rules + description: |- + This file contains a Yara rule provided by Florian Roth. 
+ + Reference: [MOVEit 0day vulnerability](https://github.com/Neo23x0/signature-base/blob/master/yara/vuln_moveit_0day_jun23.yar) + tags: + - Yara + scriptName: HttpV2 + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + filename: + simple: vuln_moveit_0day_jun23.yar + method: + simple: GET + save_as_file: + simple: "yes" + unsecure: + simple: "True" + url: + simple: https://raw.githubusercontent.com/Neo23x0/signature-base/master/yara/vuln_moveit_0day_jun23.yar + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -540, + "y": 430 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "79": + id: "79" + taskid: 7e34eb12-a850-4307-809c-bf5449b6e656 + type: playbook + task: + id: 7e34eb12-a850-4307-809c-bf5449b6e656 + version: -1 + name: Threat Hunting - Generic + playbookName: Threat Hunting - Generic + type: playbook + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "40" + scriptarguments: + IPAddress: + complex: + root: IP + accessor: Address + transformers: + - operator: uniq + QRadarTimeFrame: + complex: + root: inputs.QRadarTimeRange + SHA256: + complex: + root: File + accessor: SHA256 + transformers: + - operator: uniq + SplunkEarliestTime: + complex: + root: inputs.SplunkEarliestTime + SplunkLatestTime: + simple: now + URLDomain: + complex: + root: Domain + accessor: Name + transformers: + - operator: uniq + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": -1710, + "y": 1550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": { + "13_19_Yes": 0.4, + "13_40_#default#": 0.24, + 
"14_15_yes": 0.4, + "14_40_#default#": 0.24, + "35_36_yes": 0.41, + "60_40_#default#": 0.13, + "60_61_Yes": 0.36, + "8_17_Yes": 0.42, + "8_40_#default#": 0.2, + "9_23_Yes": 0.4, + "9_40_#default#": 0.2 + }, + "paper": { + "dimensions": { + "height": 3465, + "width": 3410, + "x": -1810, + "y": 130 + } + } + } +inputs: +- key: PlaybookDescription + value: + simple: "### CVE-2023-34362 - Critical SQL Injection vulnerability in MOVEit Transfer.\n\n#### Summary \n\nA critical vulnerability has been identified in MOVEit Transfer, a managed file transfer solution. The vulnerability affects versions prior to the latest release and involves improper input validation. Exploiting this vulnerability can lead to remote execution of arbitrary code, potentially resulting in unauthorized access and compromise of sensitive data.\n\nTo mitigate the risk associated with this vulnerability, it is crucial for users to update to the latest version of MOVEit Transfer that includes necessary security patches.\n\n#### Affected Products \n\n\n| Affected Version | Fixed Version | Documentation |\n|-------------------------------|---------------------------|-------------------------------------|\n| MOVEit Transfer 2023.0.0 (15.0) | MOVEit Transfer 2023.0.1 | [MOVEit 2023 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2023/Upgrade/) |\n| MOVEit Transfer 2022.1.x (14.1) | MOVEit Transfer 2022.1.5 | [MOVEit 2022 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2022/Upgrade/) |\n| MOVEit Transfer 2022.0.x (14.0) | MOVEit Transfer 2022.0.4 | [MOVEit 2022 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2022/Upgrade/) |\n| MOVEit Transfer 2021.1.x (13.1) | MOVEit Transfer 2021.1.4 | [MOVEit 2021 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2021/Upgrade/) |\n| MOVEit Transfer 2021.0.x (13.0) | MOVEit Transfer 2021.0.6 | [MOVEit 2021 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2021/Upgrade/) |\n| MOVEit Transfer 2020.1.x (12.1) | Special Patch Available | 
See [KB 000234559](https://docs.ipswitch.com/MOVEit/2020/234559.htm) |\n| MOVEit Transfer 2020.0.x (12.0) or older | MUST upgrade to a supported version | See [MOVEit Transfer Upgrade and Migration Guide](https://docs.ipswitch.com/MOVEit/Transfer2021/UpgradeGuide/) |\n\n\n**This playbook should be triggered manually or can be configured as a job.** \n\nPlease create a new incident and choose the CVE-2023-34362 - MOVEit SQL Injection playbook and Rapid Breach Response incident type.\n\n**The playbook includes the following tasks:**\n\n**IoCs Collection**\n- Blog IoCs download\n- Yara Rules download\n- Sigma rules download\n\n**Hunting:**\n- Microsoft PowerShell hunting script\n- Advanced SIEM hunting queries\n- Indicators hunting\n\n**Mitigations:**\n- Progress official CVE-2023-34362 patch\n- Progress mitigation measures\n- Detection Rules\n - Yara\n - Sigma\n\n\n**References:**\n\n[MOVEit Transfer Critical Vulnerability (May 2023)](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023)\n[MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response](https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response)\n\nNote: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve." + required: false + description: The playbook description to be used in the Rapid Breach Response - Set Incident Info sub-playbook. + playbookInputQuery: +- key: autoBlockIndicators + value: + simple: "False" + required: false + description: Wether to block the indicators automatically. + playbookInputQuery: +- key: QRadarTimeRange + value: + simple: Last 10 Days + required: false + description: The time range for the QRadar queries. 
+ playbookInputQuery: +- key: SplunkEarliestTime + value: + simple: -10d@d + required: false + description: The time range for the Splunk queries. + playbookInputQuery: +- key: ElasticEarliestTime + value: + simple: now-7d/d + required: false + description: The time range for the Elastic queries. + playbookInputQuery: +- key: LogAnalyticsTimespan + value: + simple: 10d + required: false + description: The time range for the Azure Log Analytics queries. + playbookInputQuery: +- key: ElasticIndex + value: {} + required: false + description: The elastic index to search in. + playbookInputQuery: +outputs: [] +tests: +- No tests (auto formatted) +fromversion: 6.8.0 diff --git a/Packs/CVE_2023_34362_-_MOVEit_SQLI/Playbooks/playbook-CVE-2023-34362_-_MOVEit_Transfer_SQL_Injection_README.md b/Packs/CVE_2023_34362_-_MOVEit_SQLI/Playbooks/playbook-CVE-2023-34362_-_MOVEit_Transfer_SQL_Injection_README.md new file mode 100644 index 000000000000..17a360a46c29 --- /dev/null +++ b/Packs/CVE_2023_34362_-_MOVEit_SQLI/Playbooks/playbook-CVE-2023-34362_-_MOVEit_Transfer_SQL_Injection_README.md 
@@ -0,0 +1,108 @@
+### CVE-2023-34362 - Critical SQL Injection vulnerability in MOVEit Transfer.
+
+#### Summary
+
+A critical vulnerability has been identified in MOVEit Transfer, a managed file transfer solution. The vulnerability affects versions prior to the latest release and involves improper input validation. Exploiting this vulnerability can lead to remote execution of arbitrary code, potentially resulting in unauthorized access and compromise of sensitive data.
+
+To mitigate the risk associated with this vulnerability, it is crucial for users to update to the latest version of MOVEit Transfer that includes necessary security patches.
+
+#### Affected Products
+
+
+| Affected Version | Fixed Version | Documentation |
+|-------------------------------|---------------------------|-------------------------------------|
+| MOVEit Transfer 2023.0.0 (15.0) | MOVEit Transfer 2023.0.1 | [MOVEit 2023 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2023/Upgrade/) |
+| MOVEit Transfer 2022.1.x (14.1) | MOVEit Transfer 2022.1.5 | [MOVEit 2022 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2022/Upgrade/) |
+| MOVEit Transfer 2022.0.x (14.0) | MOVEit Transfer 2022.0.4 | [MOVEit 2022 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2022/Upgrade/) |
+| MOVEit Transfer 2021.1.x (13.1) | MOVEit Transfer 2021.1.4 | [MOVEit 2021 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2021/Upgrade/) |
+| MOVEit Transfer 2021.0.x (13.0) | MOVEit Transfer 2021.0.6 | [MOVEit 2021 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2021/Upgrade/) |
+| MOVEit Transfer 2020.1.x (12.1) | Special Patch Available | See [KB 000234559](https://docs.ipswitch.com/MOVEit/2020/234559.htm) |
+| MOVEit Transfer 2020.0.x (12.0) or older | MUST upgrade to a supported version | See [MOVEit Transfer Upgrade and Migration Guide](https://docs.ipswitch.com/MOVEit/Transfer2021/UpgradeGuide/) |
+
+
+**This playbook should be triggered manually or can be configured as a job.**
+
+Please create a new incident and choose the CVE-2023-34362 - MOVEit SQL Injection playbook and Rapid Breach Response incident type.
+
+**The playbook includes the following tasks:**
+
+**IoCs Collection**
+- Blog IoCs download
+- Yara Rules download
+- Sigma rules download
+
+**Hunting:**
+- Microsoft PowerShell hunting script
+- Advanced SIEM hunting queries
+- Indicators hunting
+
+**Mitigations:**
+- Progress official CVE-2023-34362 patch
+- Progress mitigation measures
+- Detection Rules
+ - Yara
+ - Sigma
+
+
+**References:**
+
+[MOVEit Transfer Critical Vulnerability (May 2023)](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023)
+
+[MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response](https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response)
+
+Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* Block Indicators - Generic v3
+* QRadarFullSearch
+* Threat Hunting - Generic
+* Rapid Breach Response - Set Incident Info
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+* HttpV2
+* CreateNewIndicatorsOnly
+* ParseHTMLIndicators
+
+### Commands
+
+* xdr-xql-generic-query
+* associateIndicatorsToIncident
+* extractIndicators
+* es-eql-search
+* azure-log-analytics-execute-query
+* splunk-search
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| PlaybookDescription | The playbook description to be used in the Rapid Breach Response - Set Incident Info sub-playbook. | ### CVE-2023-34362 - Critical SQL Injection vulnerability in MOVEit Transfer.

#### Summary

A critical vulnerability has been identified in MOVEit Transfer, a managed file transfer solution. The vulnerability affects versions prior to the latest release and involves improper input validation. Exploiting this vulnerability can lead to remote execution of arbitrary code, potentially resulting in unauthorized access and compromise of sensitive data.

To mitigate the risk associated with this vulnerability, it is crucial for users to update to the latest version of MOVEit Transfer that includes necessary security patches.

#### Affected Products


\| Affected Version \| Fixed Version \| Documentation \|
\|-------------------------------\|---------------------------\|-------------------------------------\|
\| MOVEit Transfer 2023.0.0 (15.0) \| MOVEit Transfer 2023.0.1 \| [MOVEit 2023 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2023/Upgrade/) \|
\| MOVEit Transfer 2022.1.x (14.1) \| MOVEit Transfer 2022.1.5 \| [MOVEit 2022 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2022/Upgrade/) \|
\| MOVEit Transfer 2022.0.x (14.0) \| MOVEit Transfer 2022.0.4 \| [MOVEit 2022 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2022/Upgrade/) \|
\| MOVEit Transfer 2021.1.x (13.1) \| MOVEit Transfer 2021.1.4 \| [MOVEit 2021 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2021/Upgrade/) \|
\| MOVEit Transfer 2021.0.x (13.0) \| MOVEit Transfer 2021.0.6 \| [MOVEit 2021 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2021/Upgrade/) \|
\| MOVEit Transfer 2020.1.x (12.1) \| Special Patch Available \| See [KB 000234559](https://docs.ipswitch.com/MOVEit/2020/234559.htm) \|
\| MOVEit Transfer 2020.0.x (12.0) or older \| MUST upgrade to a supported version \| See [MOVEit Transfer Upgrade and Migration Guide](https://docs.ipswitch.com/MOVEit/Transfer2021/UpgradeGuide/) \|


**This playbook should be triggered manually or can be configured as a job.**

Please create a new incident and choose the CVE-2023-34362 - MOVEit SQL Injection playbook and Rapid Breach Response incident type.

**The playbook includes the following tasks:**

**IoCs Collection**
- Blog IoCs download
- Yara Rules download
- Sigma rules download

**Hunting:**
- Microsoft PowerShell hunting script
- Advanced SIEM hunting queries
- Indicators hunting

**Mitigations:**
- Progress official CVE-2023-34362 patch
- Progress mitigation measures
- Detection Rules
- Yara
- Sigma


**References:**

[MOVEit Transfer Critical Vulnerability (May 2023)](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023)
[MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response](https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response)

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. | Optional |
+| autoBlockIndicators | Wether to block the indicators automatically. | False | Optional |
+| QRadarTimeRange | The time range for the QRadar queries. | Last 10 Days | Optional |
+| SplunkEarliestTime | The time range for the Splunk queries. | -10d@d | Optional |
+| ElasticEarliestTime | The time range for the Elastic queries. | now-7d/d | Optional |
+| LogAnalyticsTimespan | The time range for the Azure Log Analytics queries. | 10d | Optional |
+| ElasticIndex | The elastic index to search in. | | Optional |
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![CVE-2023-34362 - MOVEit Transfer SQL Injection](../doc_files/CVE-2023-34362_-_MOVEit_Transfer_SQL_Injection.png)
diff --git a/Packs/CVE_2023_34362_-_MOVEit_SQLI/README.md b/Packs/CVE_2023_34362_-_MOVEit_SQLI/README.md
new file mode 100644
index 000000000000..593e90adf6fb
--- /dev/null
+++ b/Packs/CVE_2023_34362_-_MOVEit_SQLI/README.md
@@ -0,0 +1,35 @@
+This pack is part of the [Rapid Breach Response](https://cortex.marketplace.pan.dev/marketplace/details/MajorBreachesInvestigationandResponse/) pack.
+
+### CVE-2023-34362 - Critical SQL Injection vulnerability in MOVEit Transfer.
+
+#### Summary
+
+A critical vulnerability has been identified in MOVEit Transfer, a managed file transfer solution. The vulnerability affects versions prior to the latest release and involves improper input validation. Exploiting this vulnerability can lead to remote execution of arbitrary code, potentially resulting in unauthorized access and compromise of sensitive data.
+
+To mitigate the risk associated with this vulnerability, it is crucial for users to update to the latest version of MOVEit Transfer that includes necessary security patches.
+
+**The playbook includes the following tasks:**
+
+**IoCs Collection**
+- Blog IoCs download
+- Yara Rules download
+- Sigma rules download
+
+**Hunting:**
+- Microsoft PowerShell hunting script
+- Advanced SIEM hunting queries
+- Indicators hunting
+
+**Mitigations:**
+- Progress official CVE-2023-34362 patch
+- Progress mitigation measures
+- Detection Rules
+ - Yara
+ - Sigma
+
+
+**References:**
+
+[MOVEit Transfer Critical Vulnerability (May 2023)](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023)
+
+[MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response](https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response)
\ No newline at end of file
diff --git a/Packs/CVE_2023_34362_-_MOVEit_SQLI/doc_files/CVE-2023-34362_-_MOVEit_Transfer_SQL_Injection.png b/Packs/CVE_2023_34362_-_MOVEit_SQLI/doc_files/CVE-2023-34362_-_MOVEit_Transfer_SQL_Injection.png
new file mode 100644
index 000000000000..cffe45097b81
Binary files /dev/null and b/Packs/CVE_2023_34362_-_MOVEit_SQLI/doc_files/CVE-2023-34362_-_MOVEit_Transfer_SQL_Injection.png differ
diff --git a/Packs/CVE_2023_34362_-_MOVEit_SQLI/pack_metadata.json b/Packs/CVE_2023_34362_-_MOVEit_SQLI/pack_metadata.json
new file mode 100644
index 000000000000..8e95c9bc1489
--- /dev/null
+++ b/Packs/CVE_2023_34362_-_MOVEit_SQLI/pack_metadata.json
@@ -0,0 +1,35 @@
+{
+ "name": "CVE-2023-34362 - MOVEit Transfer SQL Injection",
+ "description": "This pack handles MOVEit Transfer SQL Injection CVE-2023-34362 vulnerability",
+ "support": "xsoar",
+ "currentVersion": "1.0.0",
+ "author": "Cortex XSOAR",
+ "url": "https://www.paloaltonetworks.com/cortex",
+ "email": "",
+ "categories": [
+ "Case Management"
+ ],
+ "tags": [],
+ "useCases": [],
+ "keywords": [
+ "zero-day",
+ "0-day",
+ "MOVEit",
+ "SQLI",
+ "SQL Injection",
+ "CVE-2023-34362",
+ "34362",
+ "SQL",
+ "Injection"
+ ],
+ "dependencies": {
+ "MajorBreachesInvestigationandResponse": {
+ "mandatory": true,
+ "display_name": "Rapid Breach Response"
+ }
+ },
+ "marketplaces": [
+ "xsoar",
+ "marketplacev2"
+ ]
+}
\ No newline at end of file
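Review bot: The `keywords` array mixes specific terms with generic ones — the bare tokens `"SQL"`, `"Injection"` and `"34362"` will surface this pack for any marketplace search about SQL injection or for an unrelated CVE that happens to share those digits, while `"CVE-2023-34362"`, `"MOVEit"`, `"SQLI"` and `"SQL Injection"` already cover every meaningful query; drop the three generic entries. The `description` is also too terse for a listing: something like `"description": "Rapid Breach Response playbook for CVE-2023-34362, the critical SQL injection vulnerability in Progress MOVEit Transfer: IoC collection, SIEM hunting queries and mitigation guidance"` tells a reader what the pack does and mirrors the task list in the pack README added by this same commit. `useCases` is left empty while `categories` is set; if the catalogue has a use-case value that fits breach response, it is worth filling in so the pack is reachable from that filter as well.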