Velociraptor - Hunting for MOVEit IOCs

In late May / early June 2023 the cyber security community was made aware of active exploitation of MOVEit Transfer, a managed file transfer application marketed to enterprise organisations. The vulnerability has been assigned CVE-2023-34362.

Shodan analysis revealed a large number of internet-exposed servers running this software that could be vulnerable if unmitigated.

Although MOVEit Transfer typically has a small deployment footprint, where manual assessment would be possible, I thought this was also a good opportunity to showcase Velociraptor's capabilities, even when limited to a small number of hosts.

If you’re new to Velociraptor check out this post for how to get started https://www.bizarrebinaries.com/blog/velociraptor-setup

TL;DR - Stop reading this and go patch. If you can't patch immediately, at least block HTTP(S) access to your MOVEit servers.


Hunting for MOVEit IOCs

There are a number of IOCs released by the community that we can use for hunting; the list available at the time of writing can be found in the Indicators of Compromise section. Follow the references for up-to-date posts from vendors and community members to get the latest IOCs and related information.

We will use Velociraptor to quickly search our MOVEit server for .aspx, .lnk and .dll files with specific names. We will also look for the App_Web_*.dll that ASP.NET produces when it compiles human2.aspx on first request: its presence indicates the webshell was not merely dropped but requested and compiled, i.e. the attack chain completed.

The threat actors embed a randomly generated password in each webshell, so hunting on file hashes may prove challenging.

Hunting with Velociraptor

Folders and Files

A quick hunt for on-disk evidence that a MOVEit server has been compromised is to look for the .aspx and .dll files created during exploitation.

To do this we will use the Windows.Search.FileFinder artifact within Velociraptor. Using publicly available IOCs, we set up our parameters to search for multiple files with the following glob syntax.

C:\Windows\Microsoft.NET\Framework64\*\Temporary ASP.NET Files\root\*\*\*.dll
C:\Windows\Microsoft.NET\Framework64\*\Temporary ASP.NET Files\root\*\*\App_Web_*.dll
C:\MOVEitTransfer\wwwroot\human2.aspx.lnk
C:\MOVEitTransfer\wwwroot\human2.aspx
C:\Windows\TEMP\*\*.cmdline

Below is a view of our configured parameters, keep in mind that the glob syntax used assumes default install directories. If your MOVEit Transfer deployment exists in a different location glob syntax will need to be updated accordingly.

Figure 1: FileFinder Parameters

Take particular note of the timestamps of any returned files. The broad *.dll glob under Temporary ASP.NET Files may also return legitimately compiled pages, so cluster results by creation time and look for files created together around the suspected exploitation window. If human2.aspx, its .lnk, or a .cmdline file is returned, investigate further.
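The following Python is an added example, not code from this post or from Velociraptor. It does what the FileFinder hunt above does with the same five globs, but takes the drive root and install folder as parameters (for non-default installs) and applies a timestamp window to separate pre-existing compiled pages from files created during the attack. The directory tree it builds is a constructed fixture; nothing here reads a real MOVEit install, and the random-looking folder and file names are made up.

```python
"""Disk hunt for the file IOCs listed in this post, with the drive root, the
MOVEit install folder and a time window as parameters.

Added example (not from the original post or from Velociraptor). It mirrors
what Windows.Search.FileFinder does with the post's globs and adds the
timestamp pivot: the broad *.dll glob under "Temporary ASP.NET Files" may
also match legitimately compiled pages, so results can be limited to a window
around the suspected exploitation time. The tree built below is a constructed
fixture, not a real MOVEit install.
"""
import os
import tempfile
import time
from pathlib import Path


def ioc_globs(moveit_dir="MOVEitTransfer"):
    """The post's globs relative to the drive root. The install folder is a
    parameter because the post's globs assume the default location."""
    asp = "Windows/Microsoft.NET/Framework64/*/Temporary ASP.NET Files/root/*/*"
    return [
        f"{asp}/*.dll",
        f"{asp}/App_Web_*.dll",
        f"{moveit_dir}/wwwroot/human2.aspx.lnk",
        f"{moveit_dir}/wwwroot/human2.aspx",
        "Windows/TEMP/*/*.cmdline",
    ]


def hunt_files(drive_root, moveit_dir="MOVEitTransfer", not_before=None):
    """Return [(path, mtime)] for files matching any IOC glob, deduplicated
    (the two .dll globs overlap) and sorted oldest first. With not_before
    (epoch seconds) set, older files are dropped, which separates
    pre-existing compiled pages from ones created during the attack."""
    root = Path(drive_root)
    found = {}
    for pattern in ioc_globs(moveit_dir):
        for path in root.glob(pattern):
            if not path.is_file():
                continue
            mtime = path.stat().st_mtime
            if not_before is not None and mtime < not_before:
                continue
            # Present results Windows-style regardless of the host running the demo.
            found[str(path.relative_to(root)).replace(os.sep, "\\")] = mtime
    return sorted(found.items(), key=lambda item: item[1])


def build_demo_tree(drive_root, now):
    """Constructed fixture: one compiled page from a month ago, the attack
    artefacts from the last hour, and a page that is not an IOC."""
    def touch(rel, mtime):
        p = Path(drive_root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x")
        os.utime(p, (mtime, mtime))

    asp = "Windows/Microsoft.NET/Framework64/v4.0.30319/Temporary ASP.NET Files/root"
    touch(f"{asp}/1a2b3c4d/5e6f7a8b/App_Web_5k1xq2bn.dll", now - 30 * 86400)  # old, legitimate
    touch(f"{asp}/1a2b3c4d/9c0d1e2f/App_Web_x7k2p9qz.dll", now - 1800)        # compiled webshell
    touch("MOVEitTransfer/wwwroot/human2.aspx.lnk", now - 1900)
    touch("MOVEitTransfer/wwwroot/human2.aspx", now - 1890)
    touch("Windows/TEMP/abcd1234/efgh5678.cmdline", now - 1850)
    touch("MOVEitTransfer/wwwroot/index.aspx", now - 60 * 86400)              # not an IOC


def demo():
    """Build the fixture and run the hunt twice: unfiltered, then limited to
    the last hour. Returns both result lists."""
    now = time.time()
    with tempfile.TemporaryDirectory() as drive:
        build_demo_tree(drive, now)
        everything = hunt_files(drive)
        recent = hunt_files(drive, not_before=now - 3600)
    return everything, recent


if __name__ == "__main__":
    everything, recent = demo()
    print(f"{len(everything)} IOC matches in total, {len(recent)} in the last hour:")
    for path, mtime in recent:
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(mtime)), path)
```

On a real host you would point hunt_files() at the system drive and set not_before to the earliest suspicious request time taken from the IIS logs; the old compiled page then drops out and the remaining hits line up in the order the attack created them.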

IIS Logs

Another IOC we can hunt for is the presence of specific GET and POST requests in the IIS access logs on the MOVEit server. Requests for the .aspx and .dll files seen previously could indicate an attack and warrant further investigation.

One way of doing this is simply to collect the relevant log files from the IIS logs directory and parse them manually; however, we are in Velociraptor and have a better way of doing this using YARA.

Figure 2: Log File Retrieval

There is a fantastic artifact in Velociraptor called Windows.Detection.Yara.NTFS, written by Matt Green (@mgreen27). It allows us to locate files via regex and scan them with YARA to detect, in this case, GET and POST requests containing specific file names (human2.aspx, moveitisapi.dll and guestaccess.aspx).

To get started we will need to create a new collection.

Figure 3: New Collection


From here we select the Windows.Detection.Yara.NTFS artifact.

Figure 4: Windows.Detection.Yara.NTFS artifact

We will need to modify our parameters to search for what we are after. At a high level we need to look at all IIS logs, typically found in C:\inetpub\logs\LogFiles\<subfolder>\*.log (by default the subfolder is W3SVC<site id> and the files are named u_ex<yymmdd>.log; if the site's logging directory has been changed in IIS, adjust the path accordingly). We will need a regex pattern to match the folder structure and the log name structure.

We will also need a simple YARA rule to look for the strings (human2.aspx, moveitisapi.dll and guestaccess.aspx) within the log files. I'll keep the regex and the rule fairly loose; if false positives occur they can be tuned to match the exact GET and POST requests.

Regex for our log files

The following regex can be used within the artifact parameters to find the IIS log files we are interested in (or rather, all the log files in the IIS logs folder). Again, this regex is quick and dirty; you could tune it and get more specific here.

FileNameRegex: ^.*\.log$
PathRegex: inetpub\\logs\\LogFiles\\.*\\

Within the artifact parameters in Velociraptor it will look like this.

Figure 5: Log File Regex

The YARA rule below can be used to find ASCII text within the log files selected by our regex. It is a simple rule based on one created by Florian Roth (@cyb3rops); I made mine a little more generic and added an additional .aspx file based on the post released by Progress containing additional IOCs.

rule MoveitMoveit : FileFind {
    meta:
        description = "MOVEit MOVEit File Hunting in IIS Logs"
        author = "BB"
        reference = "https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response and https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023"
    strings:
        // The leading space anchors each string to the start of the cs-uri-stem field,
        // which follows the method (GET/POST) in the IIS W3C log line.
        $x1 = " /human2.aspx" ascii
        // moveitisapi.dll is requested as /moveitisapi/moveitisapi.dll (see the IOC list),
        // so the string must include the directory to match the logged path.
        $x2 = " /moveitisapi/moveitisapi.dll" ascii
        $x3 = " /guestaccess.aspx" ascii
    condition:
        1 of them
}

Within the artifact parameters in Velociraptor it will look like this.

Figure 6: Yara Rule

This should yield results if matching GET or POST requests appear in any of the parsed log files. If results are seen, further investigation is warranted.
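As an added example (not part of the original post, and not Velociraptor's own code), here is the same detection expressed in Python over parsed IIS W3C fields rather than raw substrings. This is the tuning step referred to above: matching the method and cs-uri-stem together means a benign GET /guestaccess.aspx no longer fires, while the User-Agent and upload-route IOCs from the Indicators of Compromise section are checked as well, and hits are pivoted by client IP. The log excerpt, the IP addresses and the field list are constructed for the demo; the IOC values are the ones listed on this page.

```python
"""Field-aware hunt for the MOVEit request IOCs in IIS W3C logs.

Added example (not from the original post or from Velociraptor): the same
detection the YARA rule does, but on the parsed cs-method, cs-uri-stem and
cs(User-Agent) fields rather than raw substrings, which is the tuning step
to take when the substring rule produces false positives. IOC values are
taken from this post's Indicators of Compromise list; the log is constructed.
"""
import re
from collections import Counter, namedtuple

# Request IOCs as (method, uri-stem); stems are compared case-insensitively.
IOC_REQUESTS = {
    ("GET", "/human2.aspx"),
    ("POST", "/moveitisapi/moveitisapi.dll"),
    ("POST", "/guestaccess.aspx"),
}
# POST /api/v1/folders/[random]/files is the upload route used through the
# webshell, but also MOVEit's normal REST upload route, so it is a weak signal.
IOC_UPLOAD_RE = re.compile(r"^/api/v1/folders/[^/]+/files$", re.IGNORECASE)
# IIS replaces spaces in the logged User-Agent with '+', so keep the IOC as logged.
IOC_USER_AGENT = ("Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36"
                  "+(KHTML,+like+Gecko)+Chrome/105.0.5195.102+Safari/537.36")

Hit = namedtuple("Hit", "line_no timestamp client_ip method uri_stem reasons")


def parse_iis_log(text):
    """Yield (line_no, record) per data line, naming columns from the #Fields
    directive. IIS can emit a fresh #Fields line mid-file (after a restart or a
    logging change), so the column list is refreshed whenever one appears."""
    fields = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or corrupt line: skip rather than misalign columns
        yield line_no, dict(zip(fields, values))


def classify(record):
    """Return the IOC reasons a parsed request matches (empty list if none)."""
    method = record.get("cs-method", "").upper()
    stem = record.get("cs-uri-stem", "").lower()
    reasons = []
    if (method, stem) in IOC_REQUESTS:
        reasons.append(f"{method} {stem} is a known MOVEit exploitation request")
    if method == "POST" and IOC_UPLOAD_RE.match(stem):
        reasons.append("POST to /api/v1/folders/<id>/files (weak: also legitimate API use)")
    if record.get("cs(User-Agent)", "") == IOC_USER_AGENT:
        reasons.append("User-Agent matches the published IOC")
    return reasons


def hunt(text):
    """Run classify() over every parsed request; return hits in log order."""
    hits = []
    for line_no, rec in parse_iis_log(text):
        reasons = classify(rec)
        if reasons:
            hits.append(Hit(line_no, f"{rec.get('date')} {rec.get('time')}",
                            rec.get("c-ip", "-"), rec["cs-method"],
                            rec["cs-uri-stem"], tuple(reasons)))
    return hits


def hits_by_client(hits):
    """Pivot on client IP: the attacker usually stands out even when one
    indicator on its own is noisy."""
    return dict(Counter(h.client_ip for h in hits))


UA_BENIGN = ("Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36"
             "+(KHTML,+like+Gecko)+Chrome/113.0.0.0+Safari/537.36")
FIELDS = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
          "sc-win32-status time-taken")
# Constructed excerpt: two ordinary requests, the attack sequence from one
# client, then a truncated line the parser must skip.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    FIELDS,
    f"2023-06-01 10:00:01 10.0.0.5 GET /human.aspx - 443 - 198.51.100.7 {UA_BENIGN} - 200 0 0 120",
    f"2023-06-01 10:00:02 10.0.0.5 GET /guestaccess.aspx - 443 - 198.51.100.7 {UA_BENIGN} - 200 0 0 95",
    f"2023-06-01 10:03:10 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 - 203.0.113.10 {IOC_USER_AGENT} - 200 0 0 15",
    f"2023-06-01 10:03:11 10.0.0.5 POST /guestaccess.aspx - 443 - 203.0.113.10 {IOC_USER_AGENT} - 200 0 0 31",
    f"2023-06-01 10:03:12 10.0.0.5 POST /api/v1/folders/123456/files - 443 - 203.0.113.10 {IOC_USER_AGENT} - 200 0 0 44",
    f"2023-06-01 10:03:20 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.10 {IOC_USER_AGENT} - 200 0 0 9",
    "2023-06-01 10:03:21 10.0.0.5 GET /human2.aspx 443 - 203.0.113.10 truncated",
])
```

Point hunt() at the contents of the u_ex*.log files Velociraptor collected and the four attack requests from 203.0.113.10 come back with two reasons each, while the benign GET /guestaccess.aspx and the truncated line are ignored. The same field-level conditions can be carried back into the YARA rule as tighter strings once you know which requests are producing noise.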

Conclusion

In this post we have seen how to hunt for files on disk and for ASCII text within files using YARA rules. Despite being a simple hunt, potentially limited to a single server, it showcases Velociraptor's flexibility and ease of use. We have been able to quickly turn IOCs published by the community into threat hunts across our environment.

A few things to note with the above approach:

  • Using file hashes to hunt in this case may not be effective because each .aspx webshell contains a unique password.

  • Ideally the stand-alone searches above, for files on disk and for strings within IIS log files, are rolled up into one artifact. The Velociraptor team is pretty quick with this, so it's worth keeping an eye on the Artifact Exchange (https://docs.velociraptor.app/exchange/).

  • This is just one way of hunting for IOCs; the regex can be tuned and the YARA rules modified.

The approach doesn't have to be limited to MOVEit hunting; these techniques can be used for other hunts across environments with minor adaptation.

Happy hunting.


Indicators of Compromise

Folder path
  C:\Windows\TEMP\[random]\[random].cmdline

User account
  Health Check Service

Filenames
  human2.aspx
  human2.aspx.lnk
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\[random]\[random]\App_Web_[random].dll

HTTP requests
  GET /human2.aspx
  POST /moveitisapi/moveitisapi.dll
  POST /guestaccess.aspx
  POST /api/v1/folders/[random]/files

User agent
  Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.102+Safari/537.36

Domain
  dojustit[.]mooo[.]com