@MHaggis
Created June 5, 2023 15:42
Ref: https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/

Rapid7 incident response consultants have identified a method to determine what was exfiltrated from compromised MOVEit customer environments. MOVEit writes its own Windows EVTX file, which is located at C:\Windows\System32\winevt\Logs\MOVEit.evtx. The MOVEit event logs contain a single event ID (Event ID 0) that provides a plethora of information, including the following:

  • File name
  • File path
  • File size
  • IP address
  • Username that performed download

Progress Software's engineering team told Rapid7 that while event logging is NOT enabled by default in MOVEit Transfer, it's common for their customers to enable it post-installation. Therefore, many instances of the MOVEit application may have these records available on the host.
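As an added example (not part of this gist or of Rapid7's post), the following PowerShell pulls the Event ID 0 records described above out of an acquired MOVEit.evtx (or, with one change, the live channel) and writes them to CSV for exfiltration scoping. It assumes the channel behind C:\Windows\System32\winevt\Logs\MOVEit.evtx is named MOVEit; the date window and output path are placeholders. Because the exact message layout is not published in the post, the script keeps the raw message text and only extracts IPv4 addresses generically rather than assuming field labels.

```powershell
# Added triage example: collect MOVEit Event ID 0 records from an acquired EVTX.
# Assumptions (not from the gist): log channel 'MOVEit', a 30-day window, output to CSV.
param(
    [string]$EvtxPath = 'C:\Windows\System32\winevt\Logs\MOVEit.evtx',
    [datetime]$Start = (Get-Date).AddDays(-30),
    [string]$OutCsv = '.\moveit_event0.csv'
)

# Query the forensic copy so the triage is repeatable against evidence;
# replace Path with LogName = 'MOVEit' to read the live channel on the host.
$filter = @{ Path = $EvtxPath; Id = 0; StartTime = $Start }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop

$rows = foreach ($e in $events) {
    # The message body carries file name, path, size, client IP and user.
    # Pull IPv4 addresses generically; keep the full message for manual review.
    $ips = [regex]::Matches($e.Message, '\b(?:\d{1,3}\.){3}\d{1,3}\b') |
        ForEach-Object { $_.Value } | Select-Object -Unique
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        RecordId    = $e.RecordId
        ClientIPs   = ($ips -join ';')
        Message     = ($e.Message -replace '\r?\n', ' ')
    }
}

$rows | Sort-Object TimeCreated | Export-Csv -NoTypeInformation -Path $OutCsv
"$($rows.Count) Event ID 0 records written to $OutCsv"
```

Narrow the window to the suspected compromise period and sort by ClientIPs to group downloads per source address; the resulting CSV is what you reconcile against file shares to determine what left the environment.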

Splunk inputs.conf stanza to collect the MOVEit event log channel into the win index:

[WinEventLog://MoveIT]
disabled = 0
index = win