This Artifact enables scoping EventLogs from Progress Software's MoveIT File Transfer. It is designed to assist in identifying exfiltration resulting from the exploitation of CVE-2023-34362.
This artifact parses EvtxHunter output and returns a set of fields in results. An unparsed data field is available in the hidden _RawData field.
There are several parameters available for search leveraging regex.
NOTE: MoveIT event logging may not be turned on by default.
name: Windows.EventLogs.MoveIt
author: Rapid7 team - Ted Samuels, @mgreen27 & @scudette
description: |
  This Artifact enables scoping EventLogs from Progress Software's MoveIT File
  Transfer. It is designed to assist in identifying exfiltration resulting from
  the exploitation of CVE-2023-34362.

  This artifact parses EvtxHunter output and returns a set of fields in results.
  An unparsed data field is available in the hidden _RawData field.

  There are several parameters available for search leveraging regex.

  - EvtxGlob: glob of EventLogs to target. Defaults to MOVEit.evtx but can be targeted.
  - DateAfter enables search for events after this date.
  - DateBefore enables search for events before this date.
  - IocRegex enables regex search over the Message field.
  - IgnoreRegex enables a regex whitelist for the Message field.
  - IdRegex enables a regex query to select specific event IDs.
  - SearchVSS enables searching over VSS.

  NOTE: MoveIT event logging may not be turned on by default.

reference:
  - https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/
  - https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-respons
  - https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
  - https://nvd.nist.gov/vuln/detail/CVE-2023-34362

precondition: SELECT OS From info() where OS = 'windows'

parameters:
  - name: EvtxGlob
    default: '%SystemRoot%\System32\Winevt\Logs\MOVEit.evtx'
  - name: IocRegex
    type: regex
    description: "IOC Regex"
    default:
  - name: IgnoreRegex
    description: "Regex of string to whitelist"
    type: regex
  - name: IdRegex
    default: .
    type: regex
  - name: SearchVSS
    description: "Add VSS into query."
    type: bool
  - name: DateAfter
    type: timestamp
    description: "search for events after this date. YYYY-MM-DDThh:mm:ssZ"
  - name: DateBefore
    type: timestamp
    description: "search for events before this date. YYYY-MM-DDThh:mm:ssZ"

sources:
  - query: |
      -- Parse(X) turns the "Key: value" lines of a MOVEit event body into a dict
      -- and adds the User name extracted from the "User '...'" text.
      LET Parse(X) = to_dict(
          item={
            SELECT split(sep=":", string=Column0)[0] AS _key,
              regex_replace(re="^\\s+|\\s+$", replace="", source=split(sep=":", string=Column0)[1]) AS _value
            FROM split_records(accessor="data", filenames=X, regex="\r\n")
            WHERE Column0 =~ "^[a-zA-Z0-9]+:"
          }) + parse_string_with_regex(regex="User '(?P<User>[^']+)'", string=X)

      -- Message is the text before the first blank line; the fields follow it.
      SELECT EventTime, Computer, Channel, Provider, EventID, EventRecordID,
        Parse(X=split(string=EventData.Data[0], sep="\r\n\r\n")[1]) AS EventData,
        split(string=EventData.Data[0], sep="\r\n\r\n")[0] AS Message,
        FullPath,
        EventData.Data[0] AS _RawData
      FROM Artifact.Windows.EventLogs.EvtxHunter(
          EvtxGlob=EvtxGlob,
          IocRegex=IocRegex,
          IdRegex=IdRegex,
          WhitelistRegex=IgnoreRegex,
          DateAfter=DateAfter,
          DateBefore=DateBefore,
          SearchVSS=SearchVSS)
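The Message/EventData split and the Parse(X) logic of the query, re-implemented in Python as an added example (not part of the artifact, and run over a constructed MOVEit-style event string, not a real log); it reproduces the VQL behaviour exactly, including the colon-split quirk where a value that itself contains ':' (such as a timestamp) is cut at its first colon.

```python
import re
from typing import Dict, Tuple

# Constructed sample of EventData.Data[0] (not a real MOVEit record):
# free-text message, a blank line, then the detail lines.
SAMPLE_EVENT_DATA = (
    "File downloaded.\r\n"
    "\r\n"
    "User 'svc_transfer' downloaded a file\r\n"
    "Action: Download\r\n"
    "FileName: payroll_2023.zip\r\n"
    "IPAddress: 203.0.113.7\r\n"
    "Timestamp: 2023-06-01T10:15:00Z\r\n"
    "FolderPath: /Home/svc_transfer\r\n"
)

KV_LINE = re.compile(r"^[a-zA-Z0-9]+:")          # WHERE Column0 =~ "^[a-zA-Z0-9]+:"
USER_RE = re.compile(r"User '(?P<User>[^']+)'")  # parse_string_with_regex(...)


def parse_fields(block: str) -> Dict[str, str]:
    """Equivalent of Parse(X): 'Key: value' lines to a dict, plus the User name."""
    fields: Dict[str, str] = {}
    for line in block.split("\r\n"):               # split_records(regex="\r\n")
        if not KV_LINE.match(line):
            continue
        parts = line.split(":")
        # VQL keeps split(...)[1] only, so text after a second colon is dropped
        fields[parts[0]] = parts[1].strip()        # regex_replace trims whitespace
    match = USER_RE.search(block)
    if match:
        fields.update(match.groupdict())           # dict + parse_string_with_regex
    return fields


def split_event(raw: str) -> Tuple[str, Dict[str, str]]:
    """Equivalent of the SELECT: Message before the first blank line, fields after it."""
    sections = raw.split("\r\n\r\n")
    message = sections[0]
    details = sections[1] if len(sections) > 1 else ""
    return message, parse_fields(details)


if __name__ == "__main__":
    msg, data = split_event(SAMPLE_EVENT_DATA)
    print(msg)
    for key, value in data.items():
        print(f"{key} = {value}")
```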