-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
/
proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml
43 lines (43 loc) · 1.55 KB
/
proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
related:
- id: f8987c03-4290-4c96-870f-55e75ee377f4
type: similar
status: experimental
description: |
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
references:
- https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
- https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
- https://github.com/ForceFledgling/CVE-2023-22518
author: Andreas Braathen (mnemonic.io)
date: 2023/11/14
tags:
- detection.emerging_threats
- attack.execution
- attack.t1059
- attack.initial_access
- attack.t1190
- cve.2023.22518
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\tomcat8.exe'
- '\tomcat9.exe'
- '\tomcat10.exe'
ParentCommandLine|contains: 'confluence'
selection_child:
# Note: Only children associated with known campaigns
- Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- OriginalFileName:
- 'Cmd.Exe'
- 'PowerShell.EXE'
condition: all of selection_*
falsepositives:
- Unknown
level: medium