Adding analytics for CVE-2023-22518

rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_java_child_proc.yml

@@ -0,0 +1,38 @@
+title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
+id: f8987c03-4290-4c96-870f-55e75ee377f4
+status: experimental
+description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
+references:
+    - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
+    - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
+    - https://github.com/ForceFledgling/CVE-2023-22518
+author: Andreas Braathen (mnemonic.io)
+date: 2023/11/14
+tags:
+    - detection.emerging_threats
+    - attack.execution
+    - attack.t1059
+    - attack.initial_access
+    - attack.t1190
+    - cve.2023.22518
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_parent:
+        ParentImage|endswith: '/java'
+        ParentCommandLine|contains: 'confluence'
+    selection_child:
+        # Only children associated with known campaigns
+        Image|endswith:
+            - '/bash'
+            - '/echo'
+            - '/curl'
+            - '/wget'
+    filter_ulimit:
+        CommandLine|contains:
+           - 'ulimit -u'
+    condition: all of selection_* and (not 1 of filter_*)
+falsepositives:
+    - Unlikely
+level: high

rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_tomcat_child_proc.yml

@@ -0,0 +1,39 @@
+title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
+id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
+status: experimental
+description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
+references:
+    - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
+    - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
+    - https://github.com/ForceFledgling/CVE-2023-22518
+author: Andreas Braathen (mnemonic.io)
+date: 2023/11/14
+tags:
+    - detection.emerging_threats
+    - attack.execution
+    - attack.t1059
+    - attack.initial_access
+    - attack.t1190
+    - cve.2023.22518
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent:
+        ParentImage|endswith: 
+          - '\tomcat8.exe'
+          - '\tomcat9.exe'
+          - '\tomcat10.exe'
+        ParentCommandLine|contains: 'confluence'
+    selection_child:
+        # Only children associated with known campaigns
+        - Image|endswith:
+              - '\cmd.exe'
+              - '\powershell.exe'
+        - OriginalFileName:
+              - 'Cmd.Exe'
+              - 'PowerShell.EXE'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high

rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml

@@ -0,0 +1,39 @@
+title: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection
+id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c 
+status: experimental
+description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
+references:
+    - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
+    - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
+    - https://github.com/ForceFledgling/CVE-2023-22518
+author: Andreas Braathen (mnemonic.io)
+date: 2023/11/14
+tags:
+    - detection.emerging_threats
+    - attack.initial_access
+    - attack.t1190
+    - cve.2023.22518
+logsource:
+    category: webserver # Can also be WAF/Proxy
+    definition: 'Requirements: In order for this detection to trigger, access logs must be collected.'
+detection:
+    selection_method:
+        cs-method: 'POST'
+    selection_uris:
+        c-uri|contains: 
+          # Exploitable endpoints
+          - '/json/setup-restore.action'
+          - '/json/setup-restore-local.action'
+          - '/json/setup-restore-progress.action'
+          - '/server-info.action'
+          - '/setup/setupadministrator.action'
+    selection_status:
+        # Response code may be indicative of exploitation success, but is not always the case
+        sc-status: 
+          - 200
+          - 302
+          - 405
+    condition: all of selection_*
+falsepositives:
+    - Vulnerability scanners
+level: medium