Create CVE-2021-26084 detection

Detects CVE-2021-260841 Confluence Server Webwork OGNL injection
2021-09-01 14:55:55 +07:00
parent 3ed7d6e330
commit 30bfdd1dc0
1 changed files with 30 additions and 0 deletions
@@ -0,0 +1,30 @@
+title: Atlassian Confluence RCE Exploit CVE-2021-26084
+id: 38825179-3c78-4fed-b222-2e2166b926b1
+description: Detects CVE-2021-260841 Confluence Server Webwork OGNL injection
+status: experimental
+reference:
+    - https://twitter.com/wvuuuuuuuuuuuuu/status/1432918959389614083
+    - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
+    - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
+author: Sittikorn S
+date: 2021/09/01
+tags:
+- attack.initial_access
+- attack.t1190
+logsource:
+    category: webserver
+detection:
+    selection_exploit:
+        cs-method: 'POST'
+        sc-status: '200'
+        c-uri|contains|all:
+            - '/doenterpagevariables.action'
+	          - 'queryString='
+	          - 'u0027'
+    condition: selection_exploit and keywords
+fields:
+    - c-ip
+    - c-uri
+falsepositives:
+    - Unknown
+level: critical