Linux.Detection.ConfluenceLogs :: Velociraptor

Linux.Detection.ConfluenceLogs

This artifact enables grep of Linux logs and targets strings observed in exploitation of CVE-2022-26134.

CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center.


name: Linux.Detection.ConfluenceLogs
author: "Matt Green - @mgreen27"
description: |
  This artifact enables grep of Linux logs and targets strings observed in 
  exploitation of CVE-2022-26134.
  
  CVE-2022-26134, a critical unauthenticated remote code execution vulnerability 
  in Confluence Server and Confluence Data Center. 
  
reference:
  - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/

parameters:
  - name: TargetFiles
    default: '/{/var/log/**,/opt/atlassian/confluence*/**/logs/*}'
  - name: SearchRegex
    description: "Regex of strings to search in log line."
    default: '%24%7B|(GET|POST).{0,20}\$\{|154\.146\.34\.145|154\.16\.105\.147|156\.146\.34\.46|156\.146\.34\.52|156\.146\.34\.9|156\.146\.56\.136|198\.147\.22\.148|221\.178\.126\.244|45\.43\.19\.91|59\.163\.248\.170|64\.64\.228\.239|66\.115\.182\.102|66\.115\.182\.111|67\.149\.61\.16|98\.32\.230\.38'
    type: regex
  - name: FilterRegex
    description: "Regex of strings to leave out of output."
    default:
    type: regex
  - name: ExcludeDirectoryRegex
    type: regex
    description: "Does not descend into directories that match this Regex."
    default: "^/(shared|proc|snap)"
  - name: ExcludePathRegex
    description: "Regex of paths to exclude from scanning."
    default: '\.journal$'
    type: regex
    
sources:
  - query: |
      LET RecursionCB <= if(condition= ExcludeDirectoryRegex,
         then="x => NOT x.OSPath =~ ExcludeDirectoryRegex",
         else="x => NOT x.OSPath =~ '^/proc' ")
      
      LET files = SELECT OSPath 
        FROM glob(globs=TargetFiles,
            nosymlink=TRUE,
            recursion_callback=RecursionCB)
        WHERE NOT IsDir AND NOT OSPath =~ ExcludePathRegex
          AND log(message="Scanning %v", args=OSPath)
      LET hits = SELECT * FROM foreach(row=files,
          query={
              SELECT OSPath, Line FROM parse_lines(filename=OSPath)
              WHERE Line =~ SearchRegex
          })
          
      SELECT * FROM if(condition=FilterRegex,
        then={ 
           SELECT * FROM hits
           WHERE NOT Line =~ FilterRegex
        },
        else={ 
           SELECT * FROM hits        
        })