This artifact detects Effluence Webshell observed deployed during exploitation of Atlassian Confluence CVE-2023-22515.
name: Generic.Detection.EffluenceWebshell
author: Matt Green - @mgreen27
description: |
This artifact detects Effluence Webshell observed deployed during exploitation
of Atlassian Confluence CVE-2023-22515.
reference:
- https://www.aon.com/cyber-solutions/aon_cyber_labs/detecting-effluence-an-unauthenticated-confluence-web-shell/
type: CLIENT
parameters:
- name: ProcessRegex
default: java
type: regex
- name: PidRegex
default: .
type: regex
- name: YaraRule
type: yara
default: |
rule ConfluencePageIndicator {
meta:
description = "Detects strings indicative of a web shell in Confluence page"
author = "Stroz Friedberg"
date = "2023-11-06"
strings:
$confluence_title = "<title> - Confluence</title>" ascii wide
$hide_plugin_function = "hidePlugin(" ascii wide
$system_plugin_key = "ALWAYS_SYSTEM_PLUGIN_KEYS" ascii wide
$dashes = " ----- " ascii wide
condition:
$confluence_title and $hide_plugin_function and $dashes and $system_plugin_key
}
- name: NumberOfHits
description: THis artifact will stop by default at one hit. This setting allows additional hits
default: 1
type: int
- name: ContextBytes
description: Include this amount of bytes around hit as context.
default: 0
type: int64
sources:
- query: |
LET linux = SELECT * FROM Artifact.Linux.Detection.Yara.Process(
ProcessRegex=ProcessRegex,
PidRegex=PidRegex,
YaraRule=YaraRule,
NumberOfHits=NumberOfHits,
ContextBytes=ContextBytes )
LET windows = SELECT * FROM Artifact.Windows.Detection.Yara.Process(
ProcessRegex=ProcessRegex,
PidRegex=PidRegex,
YaraRule=YaraRule,
NumberOfHits=NumberOfHits,
ContextBytes=ContextBytes )
LET system = SELECT OS From info() where OS
SELECT * FROM if(condition= system[0].OS=windows,
then= windows,
else= linux )
column_types:
- name: HitContext
type: preview_upload