This pack is part of the Rapid Breach Response pack.
CVE-2023-34362 - Critical SQL Injection vulnerability in MOVEit Transfer.
A critical vulnerability has been identified in MOVEit Transfer, a managed file transfer solution. The vulnerability affects versions prior to the latest release and involves improper input validation. Exploiting this vulnerability can lead to remote execution of arbitrary code, potentially resulting in unauthorized access and compromise of sensitive data.
To mitigate the risk associated with this vulnerability, it is crucial for users to update to the latest version of MOVEit Transfer that includes necessary security patches.
The playbook includes the following tasks:
- Blog IoCs download
- Yara Rules download
- Sigma rules download
- Cortex XDR XQL exploitation patterns hunting
- Cortex Xpanse external facing instances hunting
- Advanced SIEM exploitation patterns hunting
- Indicators hunting
The hunting queries are searching for the following activities:
- ASPX file creation by w3wp.exe
- IIS compiling binaries via the csc.exe on behalf of the MOVEit
- Detects get requests to specific exploitation related files
- Progress official CVE-2023-34362 patch
- Progress mitigation measures
- Detection Rules