CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)

 1title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
 2id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
 3related:
 4    - id: f8987c03-4290-4c96-870f-55e75ee377f4
 5      type: similar
 6status: experimental
 7description: |
 8        Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
 9references:
10    - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
11    - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
12    - https://github.com/ForceFledgling/CVE-2023-22518
13author: Andreas Braathen (mnemonic.io)
14date: 2023/11/14
15tags:
16    - detection.emerging_threats
17    - attack.execution
18    - attack.t1059
19    - attack.initial_access
20    - attack.t1190
21    - cve.2023.22518
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection_parent:
27        ParentImage|endswith:
28            - '\tomcat8.exe'
29            - '\tomcat9.exe'
30            - '\tomcat10.exe'
31        ParentCommandLine|contains: 'confluence'
32    selection_child:
33        # Note: Only children associated with known campaigns
34        - Image|endswith:
35              - '\cmd.exe'
36              - '\powershell.exe'
37        - OriginalFileName:
38              - 'Cmd.Exe'
39              - 'PowerShell.EXE'
40    condition: all of selection_*
41falsepositives:
42    - Unknown
43level: medium

References

• CVE-2023-22518 - Improper Authorization Vulnerability In Confluence Data Center and Server | Atlassian Support | Atlassian Documentation

  Summary of Vulnerability 06 Nov 2023  As part of Atlassian's ongoing monitoring and investigation of this CVE, we observed several active exploits and reports of threat actors using ransomware. We ...

  
  Read More

• Confluence to Cerber: Exploitation of ​​CVE-2023-22518 for Ransomware Deployment

  

  CVE-2023-22518 is being exploited in Confluence for Cerber ransomware deployment. Read up on Huntress’ observations and mitigation guidance.

  
  Read More

• GitHub - ForceFledgling/CVE-2023-22518: Improper Authorization Vulnerability in Confluence Data Center and Server + bonus 🔥

  

  Improper Authorization Vulnerability in Confluence Data Center and Server + bonus 🔥 - ForceFledgling/CVE-2023-22518

  
  Read More

Related rules

• CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
• Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
• CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
• CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
• Atlassian Confluence CVE-2022-26134