MOVEit_exploitation.yml
title: MOVEit exploitation
hypothesis: Hosts running an affected MOVEit version execute csc.exe via the w3wp.exe process to dynamically compile a malicious DLL file.
description: >
  MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under
  C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll.

  Hunting Opportunity
  ---
  Events from IIS dynamically compiling binaries via csc.exe on behalf of the MOVEit application, especially since May 27th, should be investigated.
status: experimental
date: 2023/06/01
author: '@kostastsale'
references:
  - https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
  - https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/
logsource:
  category: process_creation
  product: windows
detection:
  Selection1:
    Image|endswith:
      - '\csc.exe'
    ParentImage|endswith:
      - '\w3wp.exe'
  Selection2:
    ParentCommandLine|contains:
      - 'moveitdmz pool'
  condition: Selection1 and Selection2
falsepositives:
  - "Initial software installation and software updates"
level: medium
tags:
  - attack.execution
  - attack.T1623
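As an added example that is not part of the rule file or the author's tooling, the Python below evaluates the two selections and the `condition` above against three constructed process_creation events (field names come from the rule; the command lines, image paths and pool names are constructed), and also compiles the App_Web_*.dll path pattern from the description so the file-write side of the same activity can be checked. The `CSC`, `W3WP` and `EVENTS` values and the matching helpers are assumptions of this example, not part of the rule.

```python
import re
# Selections transcribed from the rule above. Sigma string matching is
# case-insensitive, so both sides are lower-cased before comparison.
SELECTION1 = {"Image|endswith": ["\\csc.exe"], "ParentImage|endswith": ["\\w3wp.exe"]}
SELECTION2 = {"ParentCommandLine|contains": ["moveitdmz pool"]}
MODIFIERS = {"endswith": str.endswith, "contains": lambda actual, value: value in actual}

# File-path pattern quoted in the rule description, for the file-write side of the activity.
APP_WEB_DLL = re.compile(
    r"C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files"
    r"\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll",
    re.IGNORECASE,
)

# Constructed process_creation events (not real telemetry), keyed by the rule's field names.
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
EVENTS = [
    # csc.exe spawned by the MOVEit application pool: both selections match
    {"Image": CSC, "ParentImage": W3WP,
     "ParentCommandLine": W3WP + ' -ap "MOVEitDMZ Pool" -v "v4.0" -l "webengine4.dll"'},
    # csc.exe spawned by w3wp.exe for an unrelated pool: Selection2 fails
    {"Image": CSC, "ParentImage": W3WP,
     "ParentCommandLine": W3WP + ' -ap "DefaultAppPool" -v "v4.0" -l "webengine4.dll"'},
    # csc.exe launched by a developer build tool: Selection1 fails on ParentImage
    {"Image": CSC, "ParentImage": r"C:\Program Files\dotnet\dotnet.exe",
     "ParentCommandLine": "dotnet build"},
]

def _field_matches(event, spec, values):
    """One 'Field|modifier' entry; the listed values are ORed."""
    field, modifier = spec.split("|")
    actual = str(event.get(field, "")).lower()
    return any(MODIFIERS[modifier](actual, value.lower()) for value in values)

def selection_matches(event, selection):
    """Every entry in a selection map must match (AND)."""
    return all(_field_matches(event, spec, values) for spec, values in selection.items())

def rule_matches(event):
    """condition: Selection1 and Selection2"""
    return selection_matches(event, SELECTION1) and selection_matches(event, SELECTION2)

def alerting_events(events=EVENTS):
    """Indices of the events the rule would fire on."""
    return [i for i, event in enumerate(events) if rule_matches(event)]

def is_app_web_dll(path):
    """True when a written file path matches the description's App_Web_*.dll pattern."""
    return APP_WEB_DLL.fullmatch(path) is not None
```

Only the first event fires; the second shows why Selection2 (the app-pool name) is what separates MOVEit from any other IIS site that legitimately compiles ASP.NET pages on first request.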