Rapid7 incident response consultants have identified a method to determine what was exfiltrated from compromised MOVEit customer environments. MOVEit writes its own Windows EVTX file, which is located at C:\Windows\System32\winevt\Logs\MOVEit.evtx. The MOVEit event logs contain a single event ID (Event ID 0) that provides a plethora of information, including the following:
- File name
- File path
- File size
- IP address
- Username that performed download
Progress Software's engineering team told Rapid7 that while event logging is NOT enabled by default in MOVEit Transfer, it's common for their customers to enable it post-installation. Therefore, many instances of the MOVEit application may have these records available on the host.
```ini
[WinEventLog://MoveIT]
disabled = 0
index = win
```
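Triaging the MOVEit.evtx Event ID 0 records described above on a host, as an added example that is not part of the Rapid7 post: the script filters the log to Event ID 0, pulls the file name, path, size, IP address and username out of each message, exports the records to CSV and summarises downloads per source IP and user. The "Name: value" message layout and the field labels used in the regexes are assumptions; adjust them to the message text you actually see.

```powershell
# Added example (not from the Rapid7 post). Assumes Event ID 0 messages carry
# fields as "Label: value" lines; the labels below are assumptions to adjust.
param(
    [string]$EvtxPath = 'C:\Windows\System32\winevt\Logs\MOVEit.evtx',
    [string]$OutCsv   = '.\moveit_downloads.csv'
)

# Read the exported/live log and keep only the MOVEit audit records (Event ID 0)
$events = Get-WinEvent -Path $EvtxPath -ErrorAction Stop | Where-Object { $_.Id -eq 0 }

# Extract one labelled field from the message text; $null when the label is absent
function Get-MsgField {
    param([string]$Message, [string]$Name)
    $pattern = "(?im)^\s*$([regex]::Escape($Name))\s*[:=]\s*(.+?)\s*$"
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

$records = foreach ($e in $events) {
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        FileName    = Get-MsgField $e.Message 'File name'   # label is an assumption
        FilePath    = Get-MsgField $e.Message 'File path'   # label is an assumption
        FileSize    = Get-MsgField $e.Message 'File size'   # label is an assumption
        IPAddress   = Get-MsgField $e.Message 'IP address'  # label is an assumption
        Username    = Get-MsgField $e.Message 'Username'    # label is an assumption
        RawMessage  = $e.Message                            # kept for manual review
    }
}

# Records with both a file name and a source IP are the download candidates
$downloads = $records | Where-Object { $_.FileName -and $_.IPAddress }
$downloads | Export-Csv -Path $OutCsv -NoTypeInformation

# Per IP/user summary: unexpected addresses with many distinct files stand out
$downloads |
    Group-Object IPAddress, Username |
    Select-Object @{ n = 'IP/User'; e = { $_.Name } }, Count,
                  @{ n = 'Files';   e = { ($_.Group.FileName | Sort-Object -Unique) -join ', ' } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it against a copy of the EVTX taken from the compromised host rather than the live file, and compare the resulting IP/user list with the MOVEit server's expected customer and internal addresses.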