Query Details

MOV Eit Exploit Hunting

Query

DeviceProcessEvents
// Optionally, you can narrow down your hunt based on your MOVEit hosts
// | where DeviceName has "DeviceNameHere"
| where ActionType == "ProcessCreated"
| where InitiatingProcessParentFileName has "w3wp.exe"
| where InitiatingProcessFileName has "csc.exe"
| where InitiatingProcessCommandLine has "moveitdmz pool"

About this query

MOVEit exploit hunting

Description

Based on the threat reports presented with regards to MOVEit vulnerability CVE-2023-34362 w3wp.exe spawns csc.exe in order to compile a malicious .dll file.

References

Microsoft 365 Defender & Microsoft Sentinel

MITRE ATT&CK Mapping

Source

Versioning

VersionDateComments
1.009/06/2023Initial publish

Explanation

The query is designed to identify instances where the MOVEit vulnerability CVE-2023-34362 is being exploited. It looks for events where the process "w3wp.exe" spawns "csc.exe" to compile a malicious .dll file. The query can be used in Microsoft 365 Defender and Microsoft Sentinel to hunt for potential exploits. The MITRE ATT&CK mapping indicates that this query is related to the Execution tactic and Technique ID T1623.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: August 14, 2023

Tables

DeviceProcessEvents

Keywords

MOVEitCVE-2023-34362w3wp.execsc.exe.dllDeviceProcessEventsActionTypeProcessCreatedInitiatingProcessParentFileNameInitiatingProcessFileNameInitiatingProcessCommandLinemoveitdmz poolTacticExecutionTechnique IDT1623Command and Scripting Interpreter

Operators

DeviceProcessEventswhere|has"DeviceNameHere"=="ProcessCreated""w3wp.exe""csc.exe""moveitdmz pool"

MITRE Techniques

Actions

GitHub