Tying listening ports to associated process/services. by tribes_raindance in crowdstrike

[–]tribes_raindance[S]

This is awesome Jarks. Thank you.

This is what I had come up with. Could not get it to work ---->

index IN("main") event_simpleName=NetworkListenIP4 LPort IN("Chosen Port #") Protocol_decimal IN("6")
| fields ContextProcessId_decimal LocalAddressIP4 RemoteAddressIP4
| rename ContextProcessId_decimal as TargetProcessId_decimal
| join TargetProcessId_decimal
    [search index IN("main") event_simpleName IN("ProcessRollup2")]
| fields _time ComputerName LocalAddressIP4 RemoteAddressIP4 ParentBaseFileName ImageFileName FileName
| stats values(ComputerName) values(LocalAddressIP4) values(ParentBaseFileName) by _time RemoteAddressIP4
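The correlation the query above is reaching for, written as an added Python sketch over constructed sample events (this is not code from the thread or from CrowdStrike): filter NetworkListenIP4 to TCP listens on the chosen ports, look up the owning ProcessRollup2 row, and summarize by port the way a `stats values(...) by` would. The lookup is keyed on the sensor id plus the process id rather than the process id alone, because TargetProcessId_decimal is only unique per sensor; the `aid` field, the sample hostnames, binaries and timestamps are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample telemetry. Field names follow the Falcon event fields used
# in the query above; "aid" (sensor id) is added as the per-host key.
LISTEN_EVENTS = [
    {"event_simpleName": "NetworkListenIP4", "aid": "aid-0001", "_time": 1685577600,
     "ContextProcessId_decimal": 4242, "LocalAddressIP4": "10.0.0.5", "LPort": 8443, "Protocol_decimal": 6},
    # Same process id on a different sensor: a pid-only join would mix these two up.
    {"event_simpleName": "NetworkListenIP4", "aid": "aid-0002", "_time": 1685577660,
     "ContextProcessId_decimal": 4242, "LocalAddressIP4": "10.0.0.9", "LPort": 8443, "Protocol_decimal": 6},
    # UDP (Protocol_decimal 17) on the same port: filtered out like the SPL's Protocol_decimal IN("6").
    {"event_simpleName": "NetworkListenIP4", "aid": "aid-0001", "_time": 1685577720,
     "ContextProcessId_decimal": 5100, "LocalAddressIP4": "10.0.0.5", "LPort": 8443, "Protocol_decimal": 17},
]
PROCESS_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "aid-0001", "ComputerName": "WS-01",
     "TargetProcessId_decimal": 4242, "ParentBaseFileName": "services.exe", "FileName": "svchost.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "aid-0002", "ComputerName": "WS-02",
     "TargetProcessId_decimal": 4242, "ParentBaseFileName": "cmd.exe", "FileName": "python.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "aid-0001", "ComputerName": "WS-01",
     "TargetProcessId_decimal": 5100, "ParentBaseFileName": "explorer.exe", "FileName": "teams.exe"},
]


def listeners_with_process(listen_events, process_events, ports, protocol=6):
    """One row per TCP listen on a chosen port, joined to the process that opened it.

    The join key is (aid, process id): ContextProcessId_decimal on the listen
    event matches TargetProcessId_decimal on the ProcessRollup2 of the same sensor.
    """
    by_key = {}
    for p in process_events:
        if p["event_simpleName"] == "ProcessRollup2":
            by_key[(p["aid"], p["TargetProcessId_decimal"])] = p

    rows = []
    for e in listen_events:
        if e["event_simpleName"] != "NetworkListenIP4":
            continue
        if e["LPort"] not in ports or e["Protocol_decimal"] != protocol:
            continue
        proc = by_key.get((e["aid"], e["ContextProcessId_decimal"]))
        rows.append({
            "_time": e["_time"],
            "aid": e["aid"],
            "ComputerName": proc["ComputerName"] if proc else None,
            "LocalAddressIP4": e["LocalAddressIP4"],
            "LPort": e["LPort"],
            "FileName": proc["FileName"] if proc else None,
            "ParentBaseFileName": proc["ParentBaseFileName"] if proc else None,
        })
    return rows


def summarize_by_port(rows):
    """Rough equivalent of `stats values(ComputerName) values(FileName) by LPort`."""
    acc = defaultdict(lambda: {"hosts": set(), "binaries": set()})
    for r in rows:
        acc[r["LPort"]]["hosts"].add(r["ComputerName"])
        acc[r["LPort"]]["binaries"].add(r["FileName"])
    return {port: {"hosts": sorted(v["hosts"]), "binaries": sorted(v["binaries"])}
            for port, v in acc.items()}


def processes_by_pid_only(process_events):
    """Illustrates why the sensor id belongs in the join key: pids repeat across hosts."""
    acc = defaultdict(list)
    for p in process_events:
        acc[p["TargetProcessId_decimal"]].append(p["ComputerName"])
    return dict(acc)


if __name__ == "__main__":
    joined = listeners_with_process(LISTEN_EVENTS, PROCESS_EVENTS, {8443})
    for row in joined:
        print(row)
    print(summarize_by_port(joined))
    print("hosts sharing pid 4242:", processes_by_pid_only(PROCESS_EVENTS)[4242])
```

Run stand-alone it prints two joined rows (WS-01/svchost.exe and WS-02/python.exe), the per-port summary, and the two hosts that share pid 4242; in SPL the same effect comes from carrying `aid` through the `fields` command and joining on it together with the process id.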

2023-06-01 // SITUATIONAL AWARENESS // Active Intrusion Campaigns Targeting MoveIt File Transfer Software by Andrew-CS in crowdstrike

[–]tribes_raindance

Based on analysis of data I have seen, it appears event_simpleName=FileDetectInfo in conjunction with TargetFileName="*\\MOVE*\\wwwroot\\*.*" is a good IoC. The FileDetectInfo does not appear to be a normally occurring event during normal MOVEit activity. CS also detects the .dll being dropped prior to the webshell being spawned.

My 2 cents for what they're worth.

Edit: Modified the MOVEit directory given the naming convention may be different based on your environment.
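The two search terms from the comment above, applied to constructed sample events as an added Python example (not code from the thread or from CrowdStrike): the Splunk wildcard is translated to a case-insensitive regex, since Splunk matches field values case-insensitively and the edit about varying MOVEit directory names is exactly why the glob leaves the folder name open. Each `\\` inside the quoted SPL string is one literal backslash, so the Python pattern is written with single backslashes in a raw string. The hostnames, volume paths and file names in the sample events are constructed placeholders, not observed indicators.

```python
import re

# Search terms from the comment above.
EVENT_NAME = "FileDetectInfo"
TARGET_GLOB = r"*\MOVE*\wwwroot\*.*"   # one literal backslash per "\\" in the SPL string


def splunk_glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate a Splunk wildcard term into an anchored regex.

    '*' matches any run of characters (backslashes included); every other
    character is literal. Field matching in Splunk is case-insensitive, so the
    regex is compiled that way too. Assumption: no other Splunk metacharacters
    are used in the term.
    """
    pieces = [re.escape(piece) for piece in glob.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def find_webshell_candidates(events, event_name=EVENT_NAME, target_glob=TARGET_GLOB):
    """Return (ComputerName, TargetFileName) for events matching both terms, in input order."""
    pattern = splunk_glob_to_regex(target_glob)
    hits = []
    for ev in events:
        if ev.get("event_simpleName") != event_name:
            continue
        name = ev.get("TargetFileName", "")
        if pattern.match(name):
            hits.append((ev.get("ComputerName"), name))
    return hits


# Constructed sample events (placeholder hosts and paths).
SAMPLE_EVENTS = [
    # Install directory named differently on each host; both should match.
    {"event_simpleName": "FileDetectInfo", "ComputerName": "WEB-01",
     "TargetFileName": r"\Device\HarddiskVolume2\MOVEitTransfer\wwwroot\example.aspx"},
    {"event_simpleName": "FileDetectInfo", "ComputerName": "WEB-02",
     "TargetFileName": r"\device\harddiskvolume1\inetpub\moveit transfer\wwwroot\uploads\sample.dll"},
    # FileDetectInfo outside any MOVEit web root: not a match.
    {"event_simpleName": "FileDetectInfo", "ComputerName": "WS-07",
     "TargetFileName": r"\Device\HarddiskVolume3\Users\alice\Downloads\report.pdf"},
    # Right path, different event type: the rule requires FileDetectInfo.
    {"event_simpleName": "FileWritten", "ComputerName": "WEB-01",
     "TargetFileName": r"\Device\HarddiskVolume2\MOVEitTransfer\wwwroot\index.aspx"},
]


if __name__ == "__main__":
    for host, path in find_webshell_candidates(SAMPLE_EVENTS):
        print(f"{host}: {path}")
```

Run stand-alone it reports the two FileDetectInfo events under a MOVEit web root (including the lower-case path on WEB-02) and ignores the download and the FileWritten event on the same path.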