Generic.Detection.Confluence_CVE_2023_22527 :: Velociraptor

Generic.Detection.Confluence_CVE_2023_22527

This artifact detects evidence of exploitation of Confluence RCE CVE-2023-22527.

The artifact checks conf_access logs for a malicious POST request and should return full line of any hit (IP address and http code).

Note: the underlying artifact uses Generic.Detection.Yara.Glob(). Please run he notbook suggestion view hit strings for further analysis.


name: Generic.Detection.Confluence_CVE_2023_22527
author: Matt Green - @mgreen27
description: |
  This artifact detects evidence of exploitation of Confluence RCE CVE-2023-22527.
  
  The artifact checks conf_access logs for a malicious POST request and should 
  return full line of any hit (IP address and http code).
  
  Note: the underlying artifact uses Generic.Detection.Yara.Glob(). 
  Please run he notbook suggestion view hit strings for further analysis.

reference:
    - https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/
    
type: CLIENT

parameters:
   - name: TargetGlob
     default: /**/atlassian/confluence/logs/conf_access*.log
   - name: YaraRule
     default: |
        rule LOG_CVE_2023_22527_Confluence_Jan23 {
            meta:
                description = "Detects exploitation attempts for Confluence RCE CVE-2023-22527"
                author = "Matt Green - @mgreen27"
                reference = "https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/"
                date = "2024-01-25"
            strings:
             $s1 = /\[.{,100} POST \/template\/aui\/text-inline\.vm [^\n]{10,500}/
            condition:
              any of them
        }
   - name: UploadHits
     type: bool
     description: upload any logs with hits.

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows' OR OS = 'linux'

    query: |
      SELECT * FROM Artifact.Generic.Detection.Yara.Glob(
                        PathGlob=TargetGlob,
                        YaraRule=YaraRule,
                        NumberOfHits=999999,
                        UploadHits=UploadHits )
    notebook:
      - type: vql_suggestion
        name: View hit strings
        template: |             
            /*
            ## Show all hit strings for post processing
            */
            LET m <= memoize(query={
                SELECT vfs_path.Base as Key, vfs_path
                FROM uploads()
            }, key='Key')
            
            
            SELECT Fqdn,OSPath,Mtime,Rule,HitOffset,
                read_file(accessor='fs',filename=get(item=m, field=str(str=HitContext.StoredName)).vfs_path) as HitContext
            FROM source()
                           
column_types:
  - name: HitContext
    type: preview_upload