CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
Sigma rule

title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
related:
    - id: f8987c03-4290-4c96-870f-55e75ee377f4
      type: similar
status: experimental
description: |
    Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
references:
    - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
    - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
    - https://github.com/ForceFledgling/CVE-2023-22518
author: Andreas Braathen (mnemonic.io)
date: 2023-11-14
tags:
    - detection.emerging-threats
    - attack.execution
    - attack.t1059
    - attack.initial-access
    - attack.t1190
    - cve.2023-22518
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\tomcat8.exe'
            - '\tomcat9.exe'
            - '\tomcat10.exe'
        ParentCommandLine|contains: 'confluence'
    selection_child:
        # Note: Only children associated with known campaigns
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'PowerShell.EXE'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
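To show how the rule's logic evaluates (the two keys of `selection_parent` are ANDed, the two list entries of `selection_child` are ORed, and `all of selection_*` joins both), here is an added example that replays the rule over constructed Windows process-creation events. It is not part of the Sigma project or the rule author's code; field names follow the Sigma `process_creation` taxonomy and the sample events are invented.

```python
# Added example (not from the Sigma project): apply this rule's logic to
# constructed Windows process_creation events. Field names follow the Sigma
# process_creation taxonomy used in the rule above.

PARENT_IMAGES = ("\\tomcat8.exe", "\\tomcat9.exe", "\\tomcat10.exe")
CHILD_IMAGES = ("\\cmd.exe", "\\powershell.exe")
CHILD_ORIG_NAMES = {"cmd.exe", "powershell.exe"}

def _endswith_any(value, suffixes):
    # Sigma string matching is case-insensitive by default.
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def selection_parent(event):
    # Keys inside one selection map are ANDed.
    return (_endswith_any(event.get("ParentImage"), PARENT_IMAGES)
            and "confluence" in (event.get("ParentCommandLine") or "").lower())

def selection_child(event):
    # A list of maps is ORed: Image suffix OR OriginalFileName, so a renamed
    # cmd.exe / powershell.exe binary is still caught via its PE original name.
    return (_endswith_any(event.get("Image"), CHILD_IMAGES)
            or (event.get("OriginalFileName") or "").lower() in CHILD_ORIG_NAMES)

def rule_matches(event):
    # condition: all of selection_*
    return selection_parent(event) and selection_child(event)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: Confluence's Tomcat spawns cmd.exe -> match
    {"ParentImage": "C:\\Atlassian\\Confluence\\jre\\bin\\tomcat9.exe",
     "ParentCommandLine": "tomcat9.exe //RS//Confluence",
     "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    # 1: renamed PowerShell, Image misses but OriginalFileName hits -> match
    {"ParentImage": "C:\\Atlassian\\Confluence\\jre\\bin\\tomcat10.exe",
     "ParentCommandLine": "tomcat10.exe //RS//Confluence",
     "Image": "C:\\Temp\\svc.exe", "OriginalFileName": "PowerShell.EXE"},
    # 2: Confluence's Tomcat spawns its own JVM -> no match
    {"ParentImage": "C:\\Atlassian\\Confluence\\jre\\bin\\tomcat9.exe",
     "ParentCommandLine": "tomcat9.exe //RS//Confluence",
     "Image": "C:\\Atlassian\\Confluence\\jre\\bin\\java.exe", "OriginalFileName": "java.exe"},
    # 3: unrelated Tomcat service spawns cmd.exe -> no match (no 'confluence')
    {"ParentImage": "C:\\tomcat9\\bin\\tomcat9.exe",
     "ParentCommandLine": "tomcat9.exe //RS//OtherApp",
     "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe"},
]

def matching_indices(events=SAMPLE_EVENTS):
    return [i for i, e in enumerate(events) if rule_matches(e)]
```

Event 1 is the case the `OriginalFileName` branch exists for: the binary was renamed on disk, but Sysmon/EDR still reports the PE's original name. Event 3 shows why the `ParentCommandLine|contains: 'confluence'` key matters for keeping other Tomcat services out of the alert.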
Related rules
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
- Atlassian Confluence CVE-2022-26134
- CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
- CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)