MOV Eit Exploit Hunting
Query
DeviceProcessEvents
// Optionally, you can narrow down your hunt based on your MOVEit hosts
// | where DeviceName has "DeviceNameHere"
| where ActionType == "ProcessCreated"
| where InitiatingProcessParentFileName has "w3wp.exe"
| where InitiatingProcessFileName has "csc.exe"
| where InitiatingProcessCommandLine has "moveitdmz pool"About this query
MOVEit exploit hunting
Description
Based on the threat reports presented with regards to MOVEit vulnerability CVE-2023-34362 w3wp.exe spawns csc.exe in order to compile a malicious .dll file.
References
- https://github.com/curated-intel/MOVEit-Transfer
- https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/MOVEit_exploitation.yml
Microsoft 365 Defender & Microsoft Sentinel
MITRE ATT&CK Mapping
- Tactic: Execution
- Technique ID: T1623
- Command and Scripting Interpreter
Source
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 09/06/2023 | Initial publish |
Explanation
The query is designed to identify instances where the MOVEit vulnerability CVE-2023-34362 is being exploited. It looks for events where the process "w3wp.exe" spawns "csc.exe" to compile a malicious .dll file. The query can be used in Microsoft 365 Defender and Microsoft Sentinel to hunt for potential exploits. The MITRE ATT&CK mapping indicates that this query is related to the Execution tactic and Technique ID T1623.
Details

Michalis Michalos
Released: August 14, 2023
Tables
DeviceProcessEvents
Keywords
MOVEitCVE-2023-34362w3wp.execsc.exe.dllDeviceProcessEventsActionTypeProcessCreatedInitiatingProcessParentFileNameInitiatingProcessFileNameInitiatingProcessCommandLinemoveitdmz poolTacticExecutionTechnique IDT1623Command and Scripting Interpreter
Operators
DeviceProcessEventswhere|has"DeviceNameHere"=="ProcessCreated""w3wp.exe""csc.exe""moveitdmz pool"
MITRE Techniques