Query Details

MOVEit Exploit Hunting

Query

# MOVEit exploit hunting

### Description

Based on the threat reports published about the MOVEit vulnerability CVE-2023-34362, the IIS worker process w3wp.exe spawns csc.exe in order to compile a malicious .dll file.

### References
- https://github.com/curated-intel/MOVEit-Transfer
- https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/MOVEit_exploitation.yml

### Microsoft 365 Defender & Microsoft Sentinel
```
DeviceProcessEvents
// Optionally, you can narrow down your hunt based on your MOVEit hosts
// | where DeviceName has "DeviceNameHere"
| where ActionType == "ProcessCreated"
// The InitiatingProcess* columns describe the parent process and FileName the process it created:
// the parent is the IIS worker process serving the MOVEit app pool ...
| where InitiatingProcessFileName has "w3wp.exe"
| where InitiatingProcessCommandLine has "moveitdmz pool"
// ... and the newly created process is the C# compiler
| where FileName has "csc.exe"
```
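The same parent/child test evaluated offline over constructed DeviceProcessEvents-style rows, as an added example that is not part of the original page. It uses the Microsoft 365 Defender column names (FileName is the created process, InitiatingProcess* columns describe its parent) and approximates the KQL `has` operator with a case-insensitive whole-term match; the sample rows and host names are made up.

```python
import re

def evt(device, file_name, parent, grandparent, parent_cmdline):
    """Build a DeviceProcessEvents-style row (Microsoft 365 Defender column names)."""
    return {"DeviceName": device, "ActionType": "ProcessCreated", "FileName": file_name,
            "InitiatingProcessFileName": parent, "InitiatingProcessParentFileName": grandparent,
            "InitiatingProcessCommandLine": parent_cmdline}

# Constructed sample rows, not real telemetry.
W3WP = r"c:\windows\system32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    # benign: an unrelated IIS app pool compiling an ASP.NET page
    evt("web01", "csc.exe", "w3wp.exe", "svchost.exe", W3WP + ' -ap "DefaultAppPool" -v "v4.0"'),
    # suspicious: the MOVEitDMZ Pool worker process spawning the C# compiler
    evt("moveit01", "csc.exe", "w3wp.exe", "svchost.exe", W3WP + ' -ap "MOVEitDMZ Pool" -v "v4.0"'),
    # grandchild of w3wp.exe: csc.exe spawning cvtres.exe; the parent here is csc.exe, not w3wp.exe
    evt("moveit01", "cvtres.exe", "csc.exe", "w3wp.exe", r"csc.exe /noconfig @c:\temp\moveitdmz\x.cmdline"),
]

def kql_has(value, term):
    """Approximate KQL `has`: case-insensitive match on whole terms (a term runs between
    non-alphanumeric characters), so "pool" matches "MOVEitDMZ Pool" but "dmz" does not
    match "moveitdmz"."""
    pattern = r"(?<![0-9A-Za-z])" + re.escape(term) + r"(?![0-9A-Za-z])"
    return re.search(pattern, value, re.IGNORECASE) is not None

def hunt_moveit_csc(events, device_name=None):
    """The page's hunt: a ProcessCreated row whose parent (InitiatingProcess*) is the
    w3wp.exe worker for the MOVEitDMZ Pool app pool and whose new process is csc.exe."""
    hits = []
    for ev in events:
        if device_name and not kql_has(ev["DeviceName"], device_name):
            continue  # optional narrowing to the MOVEit hosts
        if (ev["ActionType"] == "ProcessCreated"
                and kql_has(ev["InitiatingProcessFileName"], "w3wp.exe")
                and kql_has(ev["FileName"], "csc.exe")
                and kql_has(ev["InitiatingProcessCommandLine"], "moveitdmz pool")):
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for hit in hunt_moveit_csc(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["InitiatingProcessFileName"], "->", hit["FileName"])
```

Only the second row matches: the first is the wrong app pool, and the third is a grandchild of w3wp.exe, which the parent-column test deliberately excludes.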

### MITRE ATT&CK Mapping
- Tactic: Execution
- Technique ID: T1623
- [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1623/)

### Source

### Versioning
| Version       | Date          | Comments                          |
| ------------- |---------------| ----------------------------------|
| 1.0           | 09/06/2023    | Initial publish                   |

Explanation

The query is designed to identify instances where the MOVEit vulnerability CVE-2023-34362 is being exploited. It looks for events where the process "w3wp.exe" spawns "csc.exe" to compile a malicious .dll file. The query can be used in Microsoft 365 Defender and Microsoft Sentinel to hunt for potential exploits. The MITRE ATT&CK mapping indicates that this query is related to the Execution tactic and Technique ID T1623.

Details

Michalis Michalos

Released: August 14, 2023

Tables

DeviceProcessEvents

Keywords

MOVEit,CVE-2023-34362,w3wp.exe,csc.exe,.dll,DeviceProcessEvents,ActionType,ProcessCreated,InitiatingProcessParentFileName,InitiatingProcessFileName,InitiatingProcessCommandLine,moveitdmzpool,Tactic,Execution,TechniqueID,T1623,CommandandScriptingInterpreter
