-
Notifications
You must be signed in to change notification settings - Fork 344
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #2874 from splunk/conflu
- Loading branch information
Showing
2 changed files
with
88 additions
and
0 deletions.
There are no files selected for viewing
61 changes: 61 additions & 0 deletions
61
detections/web/confluence_data_center_and_server_privilege_escalation.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| name: Confluence Data Center and Server Privilege Escalation | ||
| id: 115bebac-0976-4f7d-a3ec-d1fb45a39a11 | ||
| version: 1 | ||
| date: '2023-10-04' | ||
| author: Michael Haag, Splunk | ||
| status: production | ||
| type: TTP | ||
| data_source: [] | ||
| description: The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, targeting the /setup/*.action* URL pattern. By analyzing web logs within the Splunk 'Web' Data Model, it filters for successful accesses (HTTP status 200) to these vulnerable endpoints. Such behavior is crucial for a SOC to monitor, as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. A true positive implies a possible unauthorized access or account creation with escalated privileges. Key details captured include user-agent, HTTP methods, URL length, and source and destination IPs. These insights aid SOCs in swiftly detecting and responding to threats, ensuring vulnerabilities are mitigated before substantial compromise. | ||
| search: '| tstats count min(_time) as firstTime max(_time) | ||
| as lastTime from datamodel=Web where Web.url IN ("/setup/*.action*") Web.status=200 | ||
| by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | ||
| | `drop_dm_object_name("Web")` | ||
| | `security_content_ctime(firstTime)` | ||
| | `security_content_ctime(lastTime)` | `confluence_data_center_and_server_privilege_escalation_filter`' | ||
| how_to_implement: To successfully implement this search you need to be ingesting information | ||
| on Web traffic that include fields relavent for traffic into the `Web` datamodel. | ||
| known_false_positives: False positives may be present with legitimate applications. | ||
| Attempt to filter by dest IP or use Asset groups to restrict to confluence servers. | ||
| references: | ||
| - https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html | ||
| - https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/ | ||
| tags: | ||
| analytic_story: | ||
| - CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server | ||
| asset_type: Web server | ||
| atomic_guid: [] | ||
| confidence: 80 | ||
| impact: 90 | ||
| message: Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$. | ||
| mitre_attack_id: | ||
| - T1190 | ||
| observable: | ||
| - name: dest | ||
| type: Hostname | ||
| role: | ||
| - Victim | ||
| - name: src | ||
| type: IP Address | ||
| role: | ||
| - Attacker | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| risk_score: 72 | ||
| required_fields: | ||
| - _time | ||
| - Web.http_method | ||
| - Web.url | ||
| - Web.url_length | ||
| - Web.src | ||
| - Web.dest | ||
| - Web.http_user_agent | ||
| security_domain: network | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/confluence_cve-2023-22515.log | ||
| source: suricata | ||
| sourcetype: suricata |
27 changes: 27 additions & 0 deletions
27
...s/cve_2023_22515_privilege_escalation_vulnerability_confluence_data_center_and_server.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| name: CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and | ||
| Server | ||
| id: ead8eb10-9e7c-4a07-a44c-c6e73997a1a3 | ||
| version: 1 | ||
| date: '2023-10-04' | ||
| author: Michael Haag, Splunk | ||
| description: On October 4, 2023, Atlassian disclosed a critical privilege escalation vulnerability, CVE-2023-22515, affecting on-premises instances of Confluence Server and Confluence Data Center. This flaw might allow external attackers to exploit accessible Confluence instances, creating unauthorized Confluence administrator accounts. Indicators suggest the vulnerability is remotely exploitable. The affected versions range from 8.0.0 to 8.5.1, but versions prior to 8.0.0 and Atlassian Cloud sites are unaffected. Atlassian advises customers to update to a fixed version or implement mitigation strategies. Indicators of compromise (IoCs) and mitigation steps, such as blocking access to /setup/* endpoints, are provided. | ||
| narrative: Upon Atlassian's disclosure of CVE-2023-22515, there's an immediate need to assess the threat landscape of on-premises Confluence installations. As the vulnerability affects privilege escalation and may be exploited remotely, SIEM solutions should be poised to detect potential threats. | ||
|
|
||
| By monitoring for specific indicators of compromise, security teams can get ahead of any potential breaches. Key indicators include unexpected members in the 'confluence-administrator' group, newly created user accounts, and specific HTTP requests to /setup/*.action endpoints. Any unusual spikes or patterns associated with these indicators might signify an ongoing or attempted exploitation. \ | ||
|
|
||
| Furthermore, an audit trail of past logs is essential. Analyzing older logs might uncover any unnoticed exploitation, allowing for a post-incident analysis and ensuring affected systems are patched or isolated. An alert mechanism should be established for any access or changes related to /setup/* endpoints. \ | ||
|
|
||
| In parallel, updating the affected Confluence Server and Data Center versions to the fixed releases is paramount. If immediate updates aren't feasible, interim mitigation measures, such as blocking external network access to /setup/*, should be implemented, and logs around this activity should be monitored. | ||
| references: | ||
| - https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html | ||
| - https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/ | ||
| tags: | ||
| analytic_story: CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data | ||
| Center and Server | ||
| category: | ||
| - Adversary Tactics | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| usecase: Advanced Threat Detection |