id: moveit-sftp-detect

info:
  name: MOVEit Transfer SFTP - Detect
  author: johnk3r
  severity: info
  description: |
    MOVEit Transfer SFTP was detected.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cwe-id: CWE-200
  metadata:
    max-request: 1
    shodan-query: "SSH-2.0-MOVEit"
  tags: network,ssh,detect,moveit,sftp,detection,tcp

tcp:
  - host:
      - "{{Hostname}}"
    port: 22

    matchers:
      - type: regex
        regex:
          - '(?i)MOVEit'

    extractors:
      - type: regex
        regex:
          - '(?i)SSH-(.*)-MOVEit[^\r]+'
# digest: 4a0a00473045022100956c55e3f7c116adea37026c65372ea27c2018bd6590689e36cf9ea2ae53256d02205862d14af97dcfac8fe51543b746b799544df13e2188db5ef32914387781d436:922c64590222798bb761d5b6d8e72950