Try in Splunk Security Cloud

Description

The following analytic assists with identifying CVE-2022-26134 based exploitation utilizing the Web datamodel to cover network and CIM compliant web logs. The parameters were captured from live scanning and the POC provided by Rapid7. This analytic is written against multiple proof of concept codes released and seen in the wild (scanning). During triage, review any endpoint based logs for further activity including writing a jsp file to disk and commands/processes spawning running as root from the Confluence process.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2022-06-03
  • Author: Michael Haag, Splunk
  • ID: fcf4bd3f-a79f-4b7a-83bf-2692d60b859c

Annotations

ATT&CK
ID Technique Tactic
T1505 Server Software Component Persistence
T1190 Exploit Public-Facing Application Initial Access
Kill Chain Phase
  • Exploitation
NIST
  • DE.CM
CIS20
  • CIS 3
  • CIS 5
  • CIS 16
CVE
ID Summary CVSS
CVE-2022-26134 In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1. 7.5
1
2
3
4
5
6
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*${*", "*%2F%7B*") (Web.url="*org.apache.commons.io.IOUtils*" Web.url="*java.lang.Runtime@getRuntime().exec*") OR (Web.url="*java.lang.Runtime%40getRuntime%28%29.exec*") OR (Web.url="*getEngineByName*" AND Web.url="*nashorn*" AND Web.url="*ProcessBuilder*") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter`

Macros

The SPL above uses the following Macros:

:information_source: confluence_unauthenticated_remote_code_execution_cve-2022-26134_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required field

  • _time
  • Web.http_method
  • Web.url
  • Web.url_length
  • Web.src
  • Web.dest
  • Web.http_user_agent

How To Implement

This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache or Splunk for Nginx. In addition, network based logs or event data like PAN Threat.

Known False Positives

Tune based on assets if possible, or restrict to known Confluence servers. Remove the ${ for a more broad query. To identify more exec, remove everything up to the last parameter (Runtime().exec) for a broad query.

Associated Analytic story

RBA

Risk Score Impact Confidence Message
100.0 100 100 A URL was requested related to CVE-2022-26134, a unauthenticated remote code execution vulnerability, on $dest$ by $src$.

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1