detection.wiki

Detection rules › Splunk

Windows MOVEit Transfer Writing ASPX

Status
production
Severity
medium
Group by
CreationUtcTime, computer_name, event_action, file_access_time, file_acl, file_hash, file_modify_time, file_name, file_size, process_guid, process_id, target_filename, user, vendor_product
Author
Michael Haag, Splunk
Source
github.com/splunk/security_content

The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. It leverages endpoint data on process and filesystem activity to identify processes responsible for creating these files. This activity is significant as it may indicate exploitation of a critical zero-day vulnerability in MOVEit Transfer, used by threat actors to install malicious ASPX files. If confirmed malicious, this could lead to exfiltration of sensitive data, including user credentials and file metadata, posing a severe risk to the organization's security.

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1133 External Remote Services, T1190 Exploit Public-Facing Application
PersistenceT1133 External Remote Services

Event coverage

ProviderEventTitle
SysmonEvent ID 11FileCreate

Rule body splunk

name: Windows MOVEit Transfer Writing ASPX
id: c0ed2aca-5666-45b3-813f-ddfac3f3eda0
version: 12
creation_date: '2023-06-01'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects the creation of new ASPX files in the MOVEit Transfer application's "wwwroot" directory. It leverages endpoint data on process and filesystem activity to identify processes responsible for creating these files. This activity is significant as it may indicate exploitation of a critical zero-day vulnerability in MOVEit Transfer, used by threat actors to install malicious ASPX files. If confirmed malicious, this could lead to exfiltration of sensitive data, including user credentials and file metadata, posing a severe risk to the organization's security.
data_source:
    - Sysmon EventID 11
search: |
    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
    as lastTime FROM datamodel=Endpoint.Filesystem where
      Filesystem.file_path IN ("*\\MOVEitTransfer\\wwwroot\\*") AND
      Filesystem.file_name IN("*.ashx", "*.asp*")
    by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
    Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path
    Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id
    Filesystem.user Filesystem.vendor_product
    | `drop_dm_object_name(Filesystem)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `windows_moveit_transfer_writing_aspx_filter`
how_to_implement: |
    To successfully implement this search you need to be ingesting information
    on process that include the name of the process responsible for the changes from
    your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem`
    node.
known_false_positives: |
    The query is structured in a way that `action` (read, create)
    is not defined. Review the results of this query, filter, and tune as necessary.
    It may be necessary to generate this query specific to your endpoint product.
references:
    - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
    - https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/
    - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
    - https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/
    - https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: The MOVEit application on $dest$ has written a new ASPX file $file_name$ to disk.
    entity:
        field: dest
        type: system
        score: 50
threat_objects:
    - field: file_name
      type: file_name
analytic_story:
    - MOVEit Transfer Critical Vulnerability
    - Hellcat Ransomware
asset_type: Endpoint
mitre_attack_id:
    - T1190
    - T1133
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/moveit_windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog
      test_type: unit

Stages and Predicates

Stage 1: tstats

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Filesystem where
  Filesystem.file_path IN ("*\\MOVEitTransfer\\wwwroot\\*") AND
  Filesystem.file_name IN("*.ashx", "*.asp*")
by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path
Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product

Stage 2: search

| `drop_dm_object_name(Filesystem)`

Stage 3: search

| `security_content_ctime(firstTime)`

Stage 4: search

| `security_content_ctime(lastTime)`

Stage 5: search

| `windows_moveit_transfer_writing_aspx_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Filesystem.file_namein
  • "*.ashx"
  • "*.asp*"
Filesystem.file_pathin
  • "*\\MOVEitTransfer\\wwwroot\\*"