rule WEBSHELL_ASPX_DLL_MOVEit_Jun23_1 {
    // Compiled (.NET assembly) form of the human2.aspx web shell dropped during
    // MOVEit Transfer exploitation. Header names are matched `wide` because .NET
    // string literals are stored as UTF-16; type/namespace names in assembly
    // metadata are plain ASCII, hence `ascii` on $x1 and $a1.
    meta:
        description = "Detects compiled ASPX web shells found being used in MOVEit Transfer exploitation"
        author = "Florian Roth"
        reference = "https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/?utm_content=251159938&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306"
        date = "2023-06-01"
        score = 85
        hash1 = "6cbf38f5f27e6a3eaf32e2ac73ed02898cbb5961566bb445e3c511906e2da1fa"
        id = "47db8602-9a9e-5efc-b8b9-fbc4f3c8d4e9"
    strings:
        // class name ASP.NET derives from the page file name human2.aspx
        $x1 = "human2_aspx" ascii fullword
        // custom HTTP headers the shell reads from the request
        $x2 = "X-siLock-Comment" wide
        $x3 = "x-siLock-Step1" wide
        // product namespace the shell links against; anchors the match to MOVEit
        $a1 = "MOVEit.DMZ.Core.Data" ascii fullword
    condition:
        // Primary path: small PE (MZ magic) referencing MOVEit plus at least one
        // shell-specific marker.
        (
            uint16(0) == 0x5a4d
            and filesize < 40KB
            and $a1
            and any of ($x*)
        )
        // Fallback path: all four strings present fires regardless of header or
        // size, so renamed/padded or non-PE carriers are still caught. Note this
        // branch sits OUTSIDE the size/magic gate on purpose.
        or all of them
}
rule WEBSHELL_ASPX_MOVEit_Jun23_1 {
    // Source form (.aspx with inline C#) of the web shell seen in MOVEit Transfer
    // exploitation; complements the compiled-DLL rule above. No file-header check
    // is possible here because the carrier is a text file.
    meta:
        description = "Detects ASPX web shells as being used in MOVEit Transfer exploitation"
        author = "Florian Roth"
        reference = "https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/"
        date = "2023-06-01"
        score = 85
        hash1 = "2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5"
        hash2 = "48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a"
        hash3 = "e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e"
        id = "2c789b9c-5ec5-5fd1-84e3-6bf7735a9488"
    strings:
        // custom request header the shell keys on (most specific marker)
        $s1 = "X-siLock-Comment" ascii fullword
        // C# source fragments from the shell body; $s3 is the operator password
        // check. Both are fairly generic C#, which is why two hits are required.
        $s2 = "]; string x = null;" ascii
        $s3 = "; if (!String.Equals(pass, " ascii
    condition:
        // Any two of the three fragments within a page-sized file. Be aware that
        // $s2 + $s3 alone can co-occur in unrelated C# code; triage hits that
        // lack $s1 with the hashes above or the referenced analysis.
        filesize < 150KB
        and 2 of ($s*)
}
rule LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_1 {
    // Request-line indicators from IIS (W3C) logs of a MOVEit Transfer host.
    // Scan the IIS log directory for the MOVEit site, not the application itself.
    meta:
        description = "Detects a potential compromise indicator found in MOVEit Transfer logs"
        author = "Florian Roth"
        reference = "https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response"
        date = "2023-06-01"
        score = 70
        id = "a7c521b8-c654-51dd-9d5b-4ba883feffe3"
    strings:
        // POST to the ISAPI endpoint with the action=m2 query used in the attack chain
        $x1 = "POST /moveitisapi/moveitisapi.dll action=m2 " ascii
        // Request for the dropped web shell. The pattern encodes the W3C field
        // order "method uri-stem uri-query port": an empty query ("-") on port 443.
        // A shell requested with a query string or on a non-default port will not
        // match this string; widen or add a variant if your deployment differs.
        $x2 = " GET /human2.aspx - 443 " ascii
    condition:
        // Either indicator on its own is worth an alert (no size bound: logs are large).
        any of them
}
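rule LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_2 {
    // Exploit-chain request sequence from IIS (W3C) logs of a MOVEit Transfer
    // host. All strings are matched anywhere in the log file: YARA does not
    // correlate them to one client, session or time window, so on a busy server
    // the $s* set (which are ordinary MOVEit endpoints) can co-occur legitimately.
    // Treat a hit as a lead to pivot on (same c-ip / short time span), not as proof.
    meta:
        description = "Detects a potential compromise indicator found in MOVEit Transfer logs"
        author = "Florian Roth"
        reference = "https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response"
        date = "2023-06-03"
        score = 70
        id = "1527f5e3-071d-5152-9452-9c4472d258f2"
    strings:
        // User-Agent values observed in the campaign. IIS replaces spaces with '+'
        // in the cs(User-Agent) field, hence the '+'. These pin specific Chrome 105
        // builds and are brittle: tooling updates will stop matching $a*.
        $a1 = "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.102+Safari/537.36" ascii
        $a2 = "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.54+Safari/537.36" ascii
        // Endpoints touched by the attack chain (ISAPI call, guest access, folder
        // API, resumable upload) plus the action=m2 query. `ascii` is the YARA
        // default; it is stated explicitly so every string carries the same modifier.
        $s1 = " POST /moveitisapi/moveitisapi.dll" ascii
        $s2 = " POST /guestaccess.aspx" ascii
        $s3 = " POST /api/v1/folders/" ascii
        $s4 = "/files uploadType=resumable&" ascii
        $s5 = " action=m2 " ascii
    condition:
        // Parenthesised to make the precedence explicit: a known UA plus most of
        // the chain, OR the complete chain without any UA match.
        (
            any of ($a*)
            and 3 of ($s*)
        )
        or all of ($s*)
}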
rule LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_3 {
    // Application-side indicator (MOVEit DMZ Web API logs, not IIS logs) for
    // CVE-2023-34362 exploitation per the referenced Rapid7 analysis: the
    // exploit's crafted resumable upload makes the server's deserialisation of
    // the upload stream throw.
    meta:
        description = "Detects a potential compromise indicator found in MOVEit DMZ Web API logs"
        author = "Nasreddine Bencherchali"
        reference = "https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis"
        date = "2023-06-13"
        score = 70
        id = "113a501f-d9ed-51fd-82cd-ccb6f02833bd"
    strings:
        // generic .NET reflection wrapper exception; meaningless on its own
        $s1 = "TargetInvocationException" ascii
        // the specific handler frame the exploit path goes through
        $s2 = "MOVEit.DMZ.Application.Folders.ResumableUploadFilePartHandler.DeserializeFileUploadStream" ascii
    condition:
        // Both are required. They only need to appear somewhere in the same file,
        // not in the same stack trace; confirm by checking they share one trace.
        $s1 and $s2
}