From 30bfdd1dc0b595581d9286ab546e386700a08dd7 Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Wed, 1 Sep 2021 14:55:55 +0700
Subject: [PATCH] Create CVE-2021-26084 detection
Detects CVE-2021-260841 Confluence Server Webwork OGNL injection
---
 ..._cve_2021_26084_confluence_rce_exploit.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
diff --git a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
new file mode 100644
index 000000000..a82d39496
--- /dev/null
+++ b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
@@ -0,0 +1,30 @@
+title: Atlassian Confluence RCE Exploit CVE-2021-26084
+id: 38825179-3c78-4fed-b222-2e2166b926b1
+description: Detects CVE-2021-260841 Confluence Server Webwork OGNL injection
+status: experimental
+reference:
+ - https://twitter.com/wvuuuuuuuuuuuuu/status/1432918959389614083
+ - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
+ - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
+author: Sittikorn S
+date: 2021/09/01
+tags:
+- attack.initial_access
+- attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection_exploit:
+ cs-method: 'POST'
+ sc-status: '200'
+ c-uri|contains|all:
+ - '/doenterpagevariables.action'
+ - 'queryString='
+ - 'u0027'
+ condition: selection_exploit and keywords
+fields:
+ - c-ip
+ - c-uri
+falsepositives:
+ - Unknown
+level: critical
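Review bot: The condition `selection_exploit and keywords` references a `keywords` search identifier that the detection block never defines, so the rule will be rejected by the Sigma compiler or can never match; since only one selection exists, the line should read `condition: selection_exploit`. The top-level key should be `references:` (plural) to match the Sigma schema, and the `description:` field repeats the commit message's typo `CVE-2021-260841` where the title correctly has `CVE-2021-26084`. Requiring `sc-status: '200'` also drops failed or blocked exploitation attempts, which are still worth alerting on for a critical-level rule; consider removing that field or documenting in a comment why successful responses alone are in scope. The sequence indentation is mixed (`tags:` entries flush, `reference:` entries indented), which yamllint will flag; pick one style file-wide.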