Source | Description | URL |
---|---|---|
Huntress Labs | Rule to identify a specific malicious webshell (human2.aspx) associated with exploitation of the MOVEit vulnerability | https://github.com/huntresslabs/threat-intel/blob/main/2023/2023-06/1-MOVEit/yara/human2_MOVEit.yar |
Florian Roth Neo23x0 | Detects compiled ASPX web shells found being used in MOVEit Transfer exploitation | https://github.com/Neo23x0/signature-base/blob/master/yara/vuln_moveit_0day_jun23.yar#L2 |
Florian Roth Neo23x0 | Detects ASPX web shells used in MOVEit Transfer exploitation | https://github.com/Neo23x0/signature-base/blob/master/yara/vuln_moveit_0day_jun23.yar#L2 |
Florian Roth Neo23x0 | Detects a possible compromise indicator found in MOVEit Transfer logs | https://github.com/Neo23x0/signature-base/blob/master/yara/vuln_moveit_0day_jun23.yar#L2 |
Mandiant | Detects the compiled DLLs generated from human2.aspx LEMURLOOT payloads | https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft |
Mandiant | Detects the LEMURLOOT ASP.NET scripts | https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft |