alert tcp $EXTERNAL_NET any → $HOME_NET $HTTP_PORTS (msg:“MoveIt File Transfer WebShell Interaction X-siLock-Comment Header”; flow:established,to_server; content:“X-siLock-Comment|3A|”; http_header; fast_pattern:only; classtype:trojan-activity; reference:url,MOVEit Transfer Critical Vulnerability Rapid Response; sid:155111; rev:1;)
Thanks Kevin!
We’ll get this out today. Hopefully as more details on the vuln itself come out we’ll get coverage for that too!
1 Like
Hey Kevin!
Got a revision of your rule (2046047) and a handful of others published in todays release!
I continue to monitor for more information around the exploit itself and will adjust/create rules as needed.
2046047 - ET WEB_SERVER LEMURLOOT WebShell Interaction Header (X-siLock-Comment) - Observed in MOVEit File Transfer - INBOUND (web_server.rules)
2046048 - ET WEB_SERVER LEMURLOOT WebShell Interaction Header (X-siLock-Comment) - Observed in MOVEit File Transfer - OUTBOUND (Active Compromise) (web_server.rules)
2046049 - ET WEB_SERVER LEMURLOOT WebShell Interaction Header - X-siLock-Step1 -1 Data Exfil Request - Observed in MOVEit File Transfer - INBOUND (web_server.rules)
2046050 - ET WEB_SERVER LEMURLOOT WebShell Interaction Header - X-siLock-Step1 -1 Data Exfil Response - Observed in MOVEit File Transfer - OUTBOUND (Active Compromise) (web_server.rules)
2046051 - ET WEB_SERVER LEMURLOOT WebShell Interaction Header - X-siLock-Step1 -2 Health Check User Delete Request - Observed in MOVEit File Transfer - INBOUND (web_server.rules)
2046052 - ET WEB_SERVER LEMURLOOT WebShell Interaction Header - X-siLock-Step2/3 File Retrieval Request- Observed in MOVEit File Transfer - INBOUND (web_server.rules)
2046053 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - HTTP POST to /moveitaspi.dll (CVE-2023-34362) (web_specific_apps.rules)
2046054 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - HTTP POST to /guestaccess.aspx (CVE-2023-34362) (web_specific_apps.rules)
2046055 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - HTTP POST to /api/v1/folders (CVE-2023-34362) (web_specific_apps.rules)
Just an FYI - The following signatures were created based on the writeups and proof of concept code
Some of them, such as API Token Request, Folder Request and Payload Trigger Request are set to informational under the assumption they can be observed in benign traffic not associated with the exploitation. “Clusters” of alerts would be indicative of exploitation.
2046188 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - Set Session Variables - Guest Account Creation - CVE-2023-34362 Stage 1a (web_specific_apps.rules)
2046189 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - Set Session Variables - SQLi Payload Creation - CVE-2023-34362 Stage 1b (web_specific_apps.rules)
2046190 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - CSRF Token Request on guestaccess.aspx - CVE-2023-34362 Stage 1b (web_specific_apps.rules)
2046191 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - Successful CSRF Token Request on guestaccess.aspx - CVE-2023-34362 Stage 1b (web_specific_apps.rules)
2046192 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - Trigger SQL Injection via guestaccess.aspx - CVE-2023-34362 Stage 2 (web_specific_apps.rules)
2046193 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - API Token Request - CVE-2023-34362 Stage 3 (web_specific_apps.rules)
2046194 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - Successful API Token Request - CVE-2023-34362 Stage 3 (web_specific_apps.rules)
2046195 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - Folder Request - CVE-2023-34362 Stage 4 (web_specific_apps.rules)
2046196 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - Successful Folder Request - CVE-2023-34362 Stage 4 (web_specific_apps.rules)
2046197 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - Set Session Variables - SQLi Payload Creation - CVE-2023-34362 Stage 5a (web_specific_apps.rules)
2046198 - ET WEB_SPECIFIC_APPS MOVEit File Transfer - Payload Trigger Request - CVE-2023-34362 Stage 5b (web_specific_apps.rules)
1 Like