Last active
June 15, 2023 09:49
-
-
Save msuiche/9ee0c53f29b39132c21d6bfef731395b to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule MOVEit_Transfer_exploit_webshell_memory { | |
| meta: | |
| date = "2023-06-15" | |
| description = "Hunts for memory IOCs MOVEit Transfer exploitation." | |
| author = "Matt Suiche - Magnet Forensics" | |
| reference1 = "https://www.reddit.com/r/msp/comments/13xjs1y/tracking_emerging_moveit_transfer_critical/" | |
| reference2 = "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/" | |
| reference3 = "https://gist.github.com/JohnHammond/44ce8556f798b7f6a7574148b679c643" | |
| reference4 = "https://github.com/AhmetPayaslioglu/YaraRules/blob/main/MOVEit_Transfer_Critical_Vulnerability.yara" | |
| verdict = "dangerous" | |
| mitre = "T1505.003" | |
| platform = "windows" | |
| strings: | |
| $a1 = "SELECT Username FROM users WHERE InstID={0} AND Permission=30 AND Status='active' and Deleted=0" wide | |
| $a2 = "insert into activesessions (SessionID, Username, LastTouch, Timeout, IPAddress) VALUES ('{0}','{1}',CURRENT_TIMESTAMP, 9999, '127.0.0.1')" wide | |
| $a3 = "INSERT INTO users (Username, LoginName, InstID, Permission, RealName, CreateStamp, CreateUsername, HomeFolder, LastLoginStamp, PasswordChangeStamp)" wide | |
| $a4 = "Delete FROM users WHERE RealName='Health Check Service'" wide | |
| condition: | |
| all of them | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment