LoFP / tune based on assets if possible, or restrict to known confluence servers. remove the ${ for a more broad query. to identify more exec, remove everything up to the last parameter (runtime().exec) for a broad query.

Techniques

• T1133
• T1190
• T1505

Sample rules

Confluence Unauthenticated Remote Code Execution CVE-2022-26134

• source: splunk
• technicques:
  • T1505
  • T1190
  • T1133

Description

The following analytic assists with identifying CVE-2022-26134 based exploitation utilizing the Web datamodel to cover network and CIM compliant web logs. The parameters were captured from live scanning and the POC provided by Rapid7. This analytic is written against multiple proof of concept codes released and seen in the wild (scanning). During triage, review any endpoint based logs for further activity including writing a jsp file to disk and commands/processes spawning running as root from the Confluence process.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*${*", "*%2F%7B*") (Web.url="*org.apache.commons.io.IOUtils*" Web.url="*java.lang.Runtime@getRuntime().exec*") OR (Web.url="*java.lang.Runtime%40getRuntime%28%29.exec*") OR (Web.url="*getEngineByName*" AND Web.url="*nashorn*" AND Web.url="*ProcessBuilder*") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter`