-
Notifications
You must be signed in to change notification settings - Fork 3
/
moveit-playbook.yml
60 lines (52 loc) · 3.12 KB
/
moveit-playbook.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
---
- name: MoveIT Response
hosts: '{{moveit_servers|default("all")}}' # The group of hosts you want to remediate
# vars:
# - ansible_connection: winrm
# - ansible_winrm_transport: ntlm
# - ansible_become_method: runas # Since Ansible 2.3, privilege elevation can be used on Windows hosts through the runas method:
# # - https://docs.ansible.com/ansible/2.7/user_guide/become.html#become-and-windows
# # - ansible_become_user: '{{ ansible_user }}'
# - firewall_state: present
# - new: '30w'
tasks:
- name: Identify a Windows and MOVEit host
ansible.builtin.import_role:
name: kushguptarh.moveit_response.moveit_server_check
- name: Disable all inbound and outbound HTTP and HTTPS traffic to your MOVEit Transfer environment
ansible.builtin.import_role:
name: kushguptarh.moveit_response.moveit_firewall_rules
vars:
moveit_firewall_rules_state: '{{ firewall_state }}'
- name: Scan MOVEit server for known vulnerable files across the filesystem
ansible.builtin.import_role:
name: kushguptarh.moveit_response.moveit_server_scan_legacy
- name: Remove any unauthorized user accounts on MOVEit.
ansible.builtin.debug:
msg: 'See Progress MOVEit Users Documentation article - https://docs.progress.com/bundle/moveit-transfer-web-admin-help-2022/page/Users.html'
- name: Remove all active sessions on MOVEit.
ansible.builtin.debug:
msg: |
The steps to remove all active sessions can be found in the Admin Features on the Home Page guide:
https://docs.progress.com/bundle/moveit-transfer-web-admin-help-2022/page/Admin-Features-on-the-Home-Page.html
- name: Review MOVEit logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded.
ansible.builtin.debug:
msg: |
For more information on reviewing logs, please refer to MOVEit Transfer Logs guide:
https://docs.progress.com/bundle/moveit-transfer-web-admin-help-2022/page/Logs.html
- name: Reset service account credentials for affected systems and MOVEit Service Account.
ansible.builtin.debug:
msg: 'See KB 000115941: https://community.progress.com/s/article/Transfer-Automation-Change-Windows-Service-Account-Password'
- name: Patch your system
ansible.builtin.debug:
msg: |
For patching the May 31 and June 9 vulnerabilities, use the installers listed here:
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-CVE-2023-35036-June-9-2023
To fix the June 15 CVE after applying the previous patch, use this link:
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023
- name: Verification
ansible.builtin.debug:
msg: |
To confirm the files have been successfully deleted and no unauthorized accounts remain, follow steps 2A again
(can be accomplished by running this playbook again after patching).
If you do find indicators of compromise, you should reset the service account credentials again.