id: moveit-sftp-detect

info:
  name: MOVEit Transfer SFTP - Detect
  author: johnk3r
  severity: info
  description: |
    MOVEit Transfer SFTP was detected.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cwe-id: CWE-200
  metadata:
    max-request: 1
    shodan-query: "SSH-2.0-MOVEit"
  tags: network,ssh,detect,moveit,sftp

tcp:
  - host:
      - "{{Hostname}}"
    port: 22

    matchers:
      - type: regex
        regex:
          - '(?i)MOVEit'

    extractors:
      - type: regex
        regex:
          - '(?i)SSH-(.*)-MOVEit[^\r]+'
# digest: 4b0a004830460221008633954c1fc1b554d3d4b2e0c8565146625570f2a602b8d2947c41e04a173a25022100b0d5813e784f44252bf3353a87f8be7184fb7f4b83536b4d02d17427359e7ef1:922c64590222798bb761d5b6d8e72950