
Adding analytics for CVE-2023-22518 #4567

Merged: 5 commits, Nov 15, 2023

Conversation

@netgrain (Contributor) commented Nov 13, 2023

Summary of the Pull Request

Adds analytics to detect suspicious activity related to the exploitation of CVE-2023-22518, including known vulnerable endpoints.

Observations based on non-public incidents and tested in a real-world environment.

https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html

Changelog

new: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
new: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
new: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
new: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)

Example Log Event

https://www.rapid7.com/blog/post/2023/11/06/etr-rapid7-observed-exploitation-of-atlassian-confluence-cve-2023-22518/

Network

[05/Nov/2023:11:54:54 +0000] - SYSTEMNAME 193.176.179[.]41 POST /json/setup-restore.action?synchronous=true HTTP/1.1 302 44913ms - - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
[05/Nov/2023:11:56:09 +0000] admin SYSTEMNAME 193.176.179[.]41 GET /rest/plugins/1.0/?os_authType=basic HTTP/1.1 200 153ms 388712 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36

Endpoint (Windows)

"DRIVE:\Confluence\Confluence\bin\tomcat9.exe" "//RS//Confluence"
cmd /c whoami

Endpoint (Linux)

/opt/atlassian/confluence/jre//bin/java
/usr/bin/bash -c whoami
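The two rule families in the changelog above correspond to two checks: a webserver/proxy match on requests to the vulnerable setup-restore endpoint, and a process-creation match on a Confluence server process (tomcat9.exe on Windows, the bundled java on Linux) spawning a shell. The following is an added illustration of both checks, not code from the PR or from the SigmaHQ rules. The access-log parser, the field names of the process events, the sample lines and the benign events are all constructed here; only `/json/setup-restore.action` is taken from the page, and the endpoint set is assumed to match any HTTP method (the PR does not say whether its proxy rule does).

```python
"""Added example: the two detection ideas behind the PR's rules, run over
constructed sample events (not the project's own rule logic)."""
import re

# Constructed access-log lines in the layout quoted in the PR:
# [timestamp] user host client-ip METHOD uri protocol status duration size referer user-agent
SAMPLE_ACCESS_LOG = """\
[05/Nov/2023:11:54:54 +0000] - SYSTEMNAME 193.176.179.41 POST /json/setup-restore.action?synchronous=true HTTP/1.1 302 44913ms - - Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/74.0
[05/Nov/2023:11:56:09 +0000] admin SYSTEMNAME 193.176.179.41 GET /rest/plugins/1.0/?os_authType=basic HTTP/1.1 200 153ms 388712 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/117.0
[05/Nov/2023:12:03:11 +0000] alice SYSTEMNAME 10.20.30.40 GET /display/ENG/Home HTTP/1.1 200 12ms 4096 - Mozilla/5.0 (X11; Linux x86_64) Firefox/119.0
[05/Nov/2023:12:04:02 +0000] alice SYSTEMNAME 10.20.30.40 GET /json/setup-restore.action HTTP/1.1 403 3ms 512 - Mozilla/5.0 (X11; Linux x86_64) Firefox/119.0
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/\S+\s+(?P<status>\d{3})"
)

# Endpoint quoted in the PR. A production rule would extend this set with the
# other setup-restore endpoints named in the Atlassian advisory.
RESTORE_ENDPOINTS = {"/json/setup-restore.action"}


def parse_access_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_restore_endpoint_request(event):
    """Vulnerable-endpoint check: path (query string stripped) is a restore endpoint."""
    path = event["uri"].split("?", 1)[0].lower()
    return path in RESTORE_ENDPOINTS


def scan_access_log(text):
    """Return every parsed event that touches a restore endpoint, in log order."""
    findings = []
    for line in text.splitlines():
        ev = parse_access_line(line)
        if ev and is_restore_endpoint_request(ev):
            findings.append(ev)
    return findings


# Constructed process-creation events (Sysmon-style field names are an assumption).
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r'"DRIVE:\Confluence\Confluence\bin\tomcat9.exe"',
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
    {"ParentImage": "/opt/atlassian/confluence/jre//bin/java",
     "Image": "/usr/bin/bash", "CommandLine": "/usr/bin/bash -c whoami"},
    # Benign: a java process that is not Confluence spawning a shell.
    {"ParentImage": "/usr/lib/jvm/java-17/bin/java",
     "Image": "/usr/bin/bash", "CommandLine": "/usr/bin/bash -c ./build.sh"},
    # Benign: Confluence spawning a non-shell helper.
    {"ParentImage": "/opt/atlassian/confluence/jre//bin/java",
     "Image": "/usr/bin/ps", "CommandLine": "ps -o pid,cmd"},
]

CONFLUENCE_SERVER_BINARIES = {"tomcat9.exe", "java"}
SHELLS = {"cmd.exe", "bash", "sh"}


def _basename(path):
    """Last path component, lowercased, tolerating quotes and mixed separators."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def is_suspicious_confluence_child(event):
    """Child-process check: Confluence's tomcat9.exe/java parent launching a shell."""
    parent = event["ParentImage"].lower()
    parent_is_confluence = ("confluence" in parent
                            and _basename(event["ParentImage"]) in CONFLUENCE_SERVER_BINARIES)
    return parent_is_confluence and _basename(event["Image"]) in SHELLS


def scan_process_events(events):
    """Return the events that match the child-process check, in input order."""
    return [ev for ev in events if is_suspicious_confluence_child(ev)]


if __name__ == "__main__":
    for ev in scan_access_log(SAMPLE_ACCESS_LOG):
        print("endpoint:", ev["ts"], ev["ip"], ev["method"], ev["uri"], ev["status"])
    for ev in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print("child process:", ev["ParentImage"], "->", ev["CommandLine"])
```

Matching the endpoint regardless of method and status surfaces both the 302 POST from the quoted incident and a later 403 probe; the process check keys on the parent being a Confluence server binary rather than any java, which is the distinction nasbench's comment about legitimate Java-spawned cmd makes relevant for tuning severity.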

@nasbench self-requested a review November 14, 2023 00:06
@nasbench self-assigned this Nov 14, 2023
@nasbench added the "Work In Progress" (some changes are needed) label Nov 14, 2023
@nasbench removed the "Work In Progress" (some changes are needed) label Nov 14, 2023
@nasbench requested a review from phantinuss November 14, 2023 10:02
@nasbench added the "2nd Review Needed" (PR needs a second approval) label Nov 14, 2023
@nasbench (Member) commented
Thanks for this PR @netgrain

I added another variant using the proxy logsource to cover proxies or WAFs. I also reduced the Windows version of the child process rule to medium, as in my experience I've seen Java spawn cmd quite often in some cases.

Cheers.

@netgrain (Contributor, Author) commented
Excellent @nasbench!

Seems like a good solution. And yeah, quite a few odd cases with legitimate process spawning via Java (and even Tomcat).

@phantinuss phantinuss merged commit c789211 into SigmaHQ:master Nov 15, 2023
11 checks passed