Atlassian Confluence CVE-2022-26134

calendar Oct 17, 2023 · attack.initial_access attack.execution attack.t1190 attack.t1059 cve.2022.26134  ·
Share on: linkedin copy

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134

Sigma rule (View on GitHub)

 1title: Atlassian Confluence CVE-2022-26134
 2id: 7fb14105-530e-4e2e-8cfb-99f7d8700b66
 3related:
 4    - id: 245f92e3-c4da-45f1-9070-bc552e06db11
 5      type: derived
 6status: test
 7description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
 8references:
 9    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/06/03
12tags:
13    - attack.initial_access
14    - attack.execution
15    - attack.t1190
16    - attack.t1059
17    - cve.2022.26134
18logsource:
19    category: process_creation
20    product: linux
21detection:
22    selection:
23        # Monitor suspicious child processes spawned by Confluence
24        ParentImage|startswith: '/opt/atlassian/confluence/'
25        ParentImage|endswith: '/java'
26        CommandLine|contains:
27            - '/bin/sh'
28            - 'bash'
29            - 'dash'
30            - 'ksh'
31            - 'zsh'
32            - 'csh'
33            - 'fish'
34            - 'curl'
35            - 'wget'
36            - 'python'
37    condition: selection
38falsepositives:
39    - Unknown
40level: high

References

  • Zero-Day Exploitation of Atlassian Confluence

    UPDATE: On June 3, 2022, Atlassian updated its security advisory with new information regarding a fix for Confluence Server and Data Center to address CVE-2022-26134. Users are encouraged to update immediately to mitigate their risk. Additional observations after publication of this blog post have been shared here, with guidance on how to verify if you have been impacted by unauthorized access.  Over the Memorial Day weekend in the United States, Volexity conducted an incident response investigation involving two Internet-facing web servers belonging to one of its customers that were running Atlassian Confluence Server software. The investigation began after suspicious activity was detected on the hosts, which included JSP webshells being written to disk. Volexity immediately used Volexity Surge Collect Pro to collect system memory and key files from the Confluence Server systems for analysis. After a thorough review of the collected data, Volexity was able to determine the server compromise stemmed from […]


    Read More

Related rules

to-top