LoFP: Some legitimate administrative or development activities may create executable files in the Confluence directory. Review and filter based on approved maintenance processes.

Sample rules

Windows Unusual File Creation in Confluence Directory

Description

Detects executable file formats being created within the Confluence main directory. This can be indicative of exploitation of the Confluence web services to stage malware. This won’t catch adversaries who modify the output location outside the Confluence directory when exploiting.

Detection logic


| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Filesystem where

Filesystem.file_path="*\\Atlassian\\Confluence\\*"
Filesystem.file_path IN (
    "*.bat",
    "*.cmd",
    "*.dat",
    "*.dll",
    "*.exe",
    "*.msc",
    "*.ps1",
    "*.vbe",
    "*.vbs"
)

by Filesystem.dest Filesystem.file_create_time Filesystem.process_path
   Filesystem.process_guid Filesystem.process_id Filesystem.file_path Filesystem.action
   Filesystem.file_name Filesystem.user Filesystem.vendor_product


| `drop_dm_object_name(Filesystem)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_unusual_file_creation_in_confluence_directory_filter`
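The same detection logic re-implemented in Python over constructed Endpoint.Filesystem-style events, as an added example that is not part of this rule or the Splunk content. The allowlist of approved maintenance processes is a hypothetical stand-in for the `windows_unusual_file_creation_in_confluence_directory_filter` macro, which this page does not define, and shows where the LoFP tuning above would be applied.

```python
import fnmatch
from collections import defaultdict
from datetime import datetime, timezone

# Patterns copied from the detection's file_path conditions; matched on the
# lower-cased path so the comparison is case-insensitive, as Splunk's is.
CONFLUENCE_PATH = "*\\atlassian\\confluence\\*"
EXEC_PATTERNS = ("*.bat", "*.cmd", "*.dat", "*.dll", "*.exe",
                 "*.msc", "*.ps1", "*.vbe", "*.vbs")

# Hypothetical allowlist of approved maintenance processes (constructed value).
APPROVED_PROCESSES = {"c:\\atlassian\\confluence\\bin\\confluence-installer.exe"}

# Constructed sample events; field names follow the Endpoint.Filesystem data model.
JAVA = "c:\\atlassian\\confluence\\jre\\bin\\java.exe"
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "conf01", "user": "NT AUTHORITY\\NETWORK SERVICE",
     "process_path": JAVA, "file_path": "c:\\atlassian\\confluence\\temp\\update.exe"},
    {"_time": 1700000060, "dest": "conf01", "user": "NT AUTHORITY\\NETWORK SERVICE",
     "process_path": JAVA, "file_path": "c:\\atlassian\\confluence\\temp\\update.exe"},
    {"_time": 1700000120, "dest": "conf01", "user": "CORP\\svc_patch",  # approved process
     "process_path": "c:\\atlassian\\confluence\\bin\\confluence-installer.exe",
     "file_path": "c:\\atlassian\\confluence\\lib\\patch.dll"},
    {"_time": 1700000180, "dest": "conf01", "user": "NT AUTHORITY\\NETWORK SERVICE",  # not executable
     "process_path": JAVA, "file_path": "c:\\atlassian\\confluence\\temp\\export.html"},
    {"_time": 1700000240, "dest": "ws07", "user": "CORP\\bob",  # outside the Confluence directory
     "process_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
     "file_path": "c:\\users\\bob\\tools\\run.ps1"},
]

def is_suspicious_write(event):
    """True when the path is under \\Atlassian\\Confluence\\ and has a listed extension."""
    path = event["file_path"].lower()
    return fnmatch.fnmatchcase(path, CONFLUENCE_PATH) and any(
        fnmatch.fnmatchcase(path, pat) for pat in EXEC_PATTERNS)

def ctime(epoch):
    """Stand-in for `security_content_ctime`: epoch seconds to an ISO-8601 UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")

def detect(events, approved=APPROVED_PROCESSES):
    """Equivalent of the tstats: count, min and max _time grouped by dest, process, path and user."""
    groups = defaultdict(list)
    for ev in events:
        if is_suspicious_write(ev) and ev["process_path"].lower() not in approved:
            groups[(ev["dest"], ev["process_path"], ev["file_path"], ev["user"])].append(ev["_time"])
    return [{"dest": d, "process_path": p, "file_path": f, "user": u, "count": len(ts),
             "firstTime": ctime(min(ts)), "lastTime": ctime(max(ts))}
            for (d, p, f, u), ts in groups.items()]
```

Running `detect(SAMPLE_EVENTS)` yields a single grouped result for the two `update.exe` writes; the installer's DLL write is suppressed by the allowlist rather than by the path or extension match, which is the distinction the LoFP note asks reviewers to make.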