Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
Sigma rule (View on GitHub)
1title: Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
2id: 245f92e3-c4da-45f1-9070-bc552e06db11
3status: test
4description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
5references:
6 - https://nvd.nist.gov/vuln/detail/CVE-2021-26084
7 - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
8 - https://github.com/h3v0x/CVE-2021-26084_Confluence
9author: Bhabesh Raj
10date: 2021/09/08
11modified: 2023/02/13
12tags:
13 - attack.initial_access
14 - attack.execution
15 - attack.t1190
16 - attack.t1059
17 - cve.2021.26084
18 - detection.emerging_threats
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection:
24 # Monitor suspicious child processes spawned by Confluence
25 ParentImage|endswith: '\Atlassian\Confluence\jre\bin\java.exe'
26 CommandLine|contains:
27 - 'certutil'
28 - 'cmd /c'
29 - 'cmd /k'
30 - 'cscript'
31 - 'curl'
32 - 'ipconfig'
33 - 'powershell'
34 - 'pwsh'
35 - 'regsvr32'
36 - 'rundll32'
37 - 'whoami'
38 - 'wscript'
39 condition: selection
40falsepositives:
41 - Unknown
42level: high
References
-
CVE-2021-26084 Detail Description In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary...
Read More -
-
Confluence Server Webwork OGNL injection. Contribute to hev0x/CVE-2021-26084_Confluence development by creating an account on GitHub.
Read More
Related rules
- DNS RCE CVE-2020-1350
- Exploited CVE-2020-10189 Zoho ManageEngine
- CVE-2010-5278 Exploitation Attempt
- CVE-2020-0688 Exchange Exploitation via Web Log
- CVE-2020-0688 Exploitation Attempt