Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
Sigma rule
title: Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
id: 245f92e3-c4da-45f1-9070-bc552e06db11
status: test
description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-26084
    - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
    - https://github.com/h3v0x/CVE-2021-26084_Confluence
author: Bhabesh Raj
date: 2021-09-08
modified: 2023-02-13
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1190
    - attack.t1059
    - cve.2021-26084
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Monitor suspicious child processes spawned by Confluence
        ParentImage|endswith: '\Atlassian\Confluence\jre\bin\java.exe'
        CommandLine|contains:
            - 'certutil'
            - 'cmd /c'
            - 'cmd /k'
            - 'cscript'
            - 'curl'
            - 'ipconfig'
            - 'powershell'
            - 'pwsh'
            - 'regsvr32'
            - 'rundll32'
            - 'whoami'
            - 'wscript'
    condition: selection
falsepositives:
    - Unknown
level: high
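As an added example (not part of the rule or of the Sigma project), a small Python evaluator that applies this rule's selection logic to constructed process-creation events: `ParentImage|endswith` is a suffix match, a list under `CommandLine|contains` is an OR over substrings, and both are case-insensitive as in Sigma's default string matching. Event fields and sample values are assumptions for illustration.

```python
# Added example: minimal evaluator for this rule's `selection` block.
# Assumptions: each event is a dict with Sysmon/4688-style ParentImage and
# CommandLine fields; Sigma string modifiers match case-insensitively.

PARENT_SUFFIX = r"\Atlassian\Confluence\jre\bin\java.exe"
COMMANDLINE_TERMS = [
    "certutil", "cmd /c", "cmd /k", "cscript", "curl", "ipconfig",
    "powershell", "pwsh", "regsvr32", "rundll32", "whoami", "wscript",
]


def matches_rule(event: dict) -> bool:
    """True when the event satisfies `condition: selection`."""
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # ParentImage|endswith -> suffix match on the parent's image path
    if not parent.endswith(PARENT_SUFFIX.lower()):
        return False
    # CommandLine|contains with a list -> any listed term as a substring
    return any(term in cmdline for term in COMMANDLINE_TERMS)


# Constructed sample events (not real telemetry).
CONFLUENCE_JAVA = r"C:\Program Files\Atlassian\Confluence\jre\bin\java.exe"
SAMPLE_EVENTS = [
    # Confluence's JVM spawning a shell that runs whoami -> alert
    {"ParentImage": CONFLUENCE_JAVA, "CommandLine": "cmd /c whoami"},
    # Confluence's JVM starting another java process -> no listed term
    {"ParentImage": CONFLUENCE_JAVA, "CommandLine": f'"{CONFLUENCE_JAVA}" -version'},
    # Listed term, but the parent is not Confluence -> out of scope
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "powershell -Command Get-Date"},
    # Mixed case still matches because matching is case-insensitive
    {"ParentImage": CONFLUENCE_JAVA.upper(),
     "CommandLine": "PowerShell.exe -Command Get-Date"},
]


def alerts(events) -> list:
    """Indexes of events that would trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # [0, 3]
```

Real deployments translate the rule with sigma-cli/pySigma into the SIEM's query language rather than evaluating it in Python; the evaluator here only makes the match semantics explicit.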
Related rules
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- Atlassian Confluence CVE-2022-26134
- DNS RCE CVE-2020-1350
- Exploited CVE-2020-10189 Zoho ManageEngine