vpatch-CVE-2023-34362 AppSec Rule

« vpatch-CVE-2023-34362 »
v0.6 by crowdsecurity
AppSec rule

MOVEit Transfer RCE (CVE-2023-34362)

Installation

cscli appsec-rules install crowdsecurity/vpatch-CVE-2023-34362

YAML Configuration

1
2name: crowdsecurity/vpatch-CVE-2023-34362
3description: "MOVEit Transfer RCE (CVE-2023-34362)"
4rules:
5  - and:
6    - zones:
7      - URI
8      transform:
9      - lowercase
10      match:
11        type: equals
12        value: /moveitisapi/moveitisapi.dll
13    - zones:
14      - ARGS
15      variables:
16      - action
17      match:
18        type: equals
19        value: m2
20      transform:
21      - lowercase
22    - zones:
23      - METHOD
24      match:
25        type: equals
26        value: POST
27    - zones:
28      - HEADERS_NAMES
29      transform:
30        - lowercase
31      match:
32        type: equals
33        value: 'x-silock-transaction'
34    - zones:
35      - HEADERS_NAMES
36      transform:
37       - lowercase
38      match:
39        type: regex
40        value: '.+x-silock-transaction'
41labels:
42  type: exploit
43  service: http
44  confidence: 3
45  spoofable: 0
46  behavior: "http:exploit"
47  label: "MOVEit Transfer RCE"
48  classification:
49   - cve.CVE-2023-34362
50   - attack.T1595
51   - attack.T1190
52   - cwe.CWE-89

Hub Appsec rule

« vpatch-CVE-2023-34362 »v0.6 by crowdsecurityAppSec rule

« vpatch-CVE-2023-34362 »
v0.6 by crowdsecurity
AppSec rule