From e886b087556b9587c2f0c004638bff8af69aa351 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 4 Jun 2022 08:46:14 +0200
Subject: [PATCH 1/5] add web_java_in_access_log
---
 rules/web/web_java_in_access_log.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/web/web_java_in_access_log.yml
diff --git a/rules/web/web_java_in_access_log.yml b/rules/web/web_java_in_access_log.yml
new file mode 100644
index 000000000..e906757fc
--- /dev/null
+++ b/rules/web/web_java_in_access_log.yml
@@ -0,0 +1,27 @@
+title: Java Payload String
+id: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
+status: experimental
+description: Detects possible Java payload in web access logs
+author: frack113
+date: 2022/06/04
+references:
+ - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
+ - https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
+ - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
+logsource:
+ category: webserver
+detection:
+ keywords:
+ - '%24%7B%28%23a%3D%40'
+ - '${(#a=@'
+ - '%24%7B%40java'
+ - '${@java'
+ - '\u0022java'
+ - '"java'
+ condition: keywords
+falsepositives:
+ - Legitimate apps
+level: medium
+tags:
+ - cve.2022.26134
+ - cve.2021.26084
\ No newline at end of file
From 6af060a91f1198e27ff58a60fb2d953460fea5a0 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 4 Jun 2022 10:08:49 +0200
Subject: [PATCH 2/5] Add new string
---
 rules/web/web_java_in_access_log.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/web/web_java_in_access_log.yml b/rules/web/web_java_in_access_log.yml
index e906757fc..660fcc656 100644
--- a/rules/web/web_java_in_access_log.yml
+++ b/rules/web/web_java_in_access_log.yml
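Review bot: The keyword `'"java'` will fire on any request whose User-Agent starts with `Java/`, because the common combined access-log format writes the User-Agent field in double quotes and Sigma keyword matching is case-insensitive on most backends, so every stock Java HTTP client request matches regardless of the path. Later patches in this series drop that entry, but neither a commit message nor the rule records why; stating it under `falsepositives` (e.g. `- Java-based HTTP clients seen in the User-Agent field`) would stop someone from re-adding it. The existing entry `- Legitimate apps` is too vague for an analyst to triage against. The rule also carries only CVE tags; a rule for exploitation of a public-facing web application would normally add `- attack.initial_access` and `- attack.t1190` as well.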
@@ -8,6 +8,7 @@ references:
 - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
 - https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
 - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
+ - https://twitter.com/httpvoid0x2f/status/1532924261035384832
 logsource:
 category: webserver
 detection:
@@ -18,10 +19,12 @@ detection:
 - '${@java'
 - '\u0022java'
 - '"java'
+ - '%2F%24%7B%23'
+ - '/${#'
 condition: keywords
 falsepositives:
 - Legitimate apps
 level: medium
 tags:
 - cve.2022.26134
- - cve.2021.26084
\ No newline at end of file
+ - cve.2021.26084
From f4c61c58f69d5027903063f126fa343381a4e24e Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 4 Jun 2022 13:39:36 +0200
Subject: [PATCH 3/5] Update web_java_in_access_log.yml
---
 rules/web/web_java_in_access_log.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/web/web_java_in_access_log.yml b/rules/web/web_java_in_access_log.yml
index 660fcc656..4af899273 100644
--- a/rules/web/web_java_in_access_log.yml
+++ b/rules/web/web_java_in_access_log.yml
@@ -17,8 +17,7 @@ detection:
 - '${(#a=@'
 - '%24%7B%40java'
 - '${@java'
- - '\u0022java'
- - '"java'
+ - 'java.lang.'
 - '%2F%24%7B%23'
 - '/${#'
 condition: keywords
From b3d97060146a08dae0293c27b4ad8b8accb940c3 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 4 Jun 2022 15:21:04 +0200
Subject: [PATCH 4/5] Update web_java_in_access_log.yml
---
 rules/web/web_java_in_access_log.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/web/web_java_in_access_log.yml b/rules/web/web_java_in_access_log.yml
index 4af899273..25f763f72 100644
--- a/rules/web/web_java_in_access_log.yml
+++ b/rules/web/web_java_in_access_log.yml
@@ -17,7 +17,7 @@ detection:
 - '${(#a=@'
 - '%24%7B%40java'
 - '${@java'
- - 'java.lang.'
+ - 'u0022java'
 - '%2F%24%7B%23'
 - '/${#'
 condition: keywords
From 3b4ad16c5f968c2a83ab0f5a568af28b93deb09a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 6 Jun 2022 17:32:08 +0200
Subject: [PATCH 5/5] refactor: new expr from honeypot, increased level
---
 rules/web/web_java_in_access_log.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/web/web_java_in_access_log.yml b/rules/web/web_java_in_access_log.yml
index 25f763f72..f9f6ec45b 100644
--- a/rules/web/web_java_in_access_log.yml
+++ b/rules/web/web_java_in_access_log.yml
@@ -20,10 +20,11 @@ detection:
 - 'u0022java'
 - '%2F%24%7B%23'
 - '/${#'
+ - 'new+java.'
 condition: keywords
 falsepositives:
 - Legitimate apps
-level: medium
+level: high
 tags:
 - cve.2022.26134
 - cve.2021.26084
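Review bot: The new keyword `'u0022java'` deliberately lacks the leading backslash that patch 1's `'\u0022java'` carried, but nothing in the rule or the commit message says so, and the next reader will take it for a truncation and put the backslash back. A one-line comment above the entry settles it, e.g. `# leading backslash dropped on purpose: as a substring this also matches the percent-encoded form %5Cu0022java`. Whether avoiding backend-specific backslash escaping was a further motive is a guess from here, not visible in the series.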
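Review bot: `'new+java.'` is the only keyword in the list present in a single encoding; every other pattern appears both raw and percent-encoded (`/${#` beside `%2F%24%7B%23`, `${@java` beside `%24%7B%40java`), and `+` only stands for a form-encoded space, so a request line that encodes the space as `%20` is not covered. Adding `- 'new%20java.'` next to it keeps the list's convention and closes that gap. The same hunk raises `level` to `high` while `falsepositives` still reads `- Legitimate apps`; with a keyword as short as `/${#` in the list, that entry should name what is expected to trip the rule, or state that no benign source is known.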