Confluence Exploit Activity on Webserver Logs

calendar Jul 13, 2022 · attack.t1190  ·
Share on: linkedin copy

Detection for Confluence server activity found on webserver logs

Sigma rule (View on GitHub)

 1title: Confluence Exploit Activity on Webserver Logs
 2id: 646df676-e77e-4021-9127-2156137919ef
 3description: Detection for Confluence server activity found on webserver logs
 4date: 16/06/2022
 5status: experimental
 6references:
 7  - 'https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/'
 8  - 'https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/'
 9tags:
10     - attack.t1190
11author: System-41
12logsource:
13  category: webserver
14detection: 
15    mal_request:
16       cs-method: 'GET'
17       c-uri|contains: 
18           - '/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'
19           - '${@java.lang.Runtime().exec('
20           - '${@java'
21           - '${'
22    condition : mal_request
23falsepositives: unknown
24level: high

References

  • Zero-Day Exploitation of Atlassian Confluence

    UPDATE: On June 3, 2022, Atlassian updated its security advisory with new information regarding a fix for Confluence Server and Data Center to address CVE-2022-26134. Users are encouraged to update immediately to mitigate their risk. Additional observations after publication of this blog post have been shared here, with guidance on how to verify if you have been impacted by unauthorized access.  Over the Memorial Day weekend in the United States, Volexity conducted an incident response investigation involving two Internet-facing web servers belonging to one of its customers that were running Atlassian Confluence Server software. The investigation began after suspicious activity was detected on the hosts, which included JSP webshells being written to disk. Volexity immediately used Volexity Surge Collect Pro to collect system memory and key files from the Confluence Server systems for analysis. After a thorough review of the collected data, Volexity was able to determine the server compromise stemmed from […]


    Read More

  • Active Exploitation of Confluence CVE-2022-26134 | Rapid7 Blog

    On June 2, 2022, Atlassian published an advisory for CVE-2022-26134, a critical unauthenticated RCE vulnerability in Confluence Serve and Data Center.


    Read More
to-top