Date: 10/22/2024
Severity: Medium
Summary
CVE-2023-22518 is a vulnerability in Atlassian Confluence. Attackers may leverage it to execute arbitrary code or escalate privileges within the application. On Windows hosts, exploitation attempts are marked by the Confluence Tomcat service spawning unusual child processes such as cmd.exe or powershell.exe, which is the behavior the detection logic below looks for. Organizations running Confluence should prioritize patching and monitor for these child processes to mitigate the risk.
Indicators of Compromise (IOC) List

| Field | Values |
| --- | --- |
| Image | '\cmd.exe', '\powershell.exe' |
| ParentImage | '\tomcat8.exe', '\tomcat9.exe', '\tomcat10.exe' |
| ParentCommandLine | 'confluence' |
| OriginalFileName | 'Cmd.Exe', 'PowerShell.EXE' |

The Image and ParentImage values are path suffixes, and 'confluence' is a substring of the parent command line (the referenced Sigma rule applies them with endswith and contains modifiers); an exact-equality match on these fields would not fire on real process-creation telemetry.
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

| Query | Expression |
| --- | --- |
| Detection Query 1 | ((((resourcename in ("Sysmon") AND eventtype = "1") AND image IN ("\cmd.exe","\powershell.exe")) AND parentimage IN ("\tomcat8.exe","\tomcat9.exe","\tomcat10.exe")) AND parentcommandline = "confluence") AND originalfilename IN ("Cmd.Exe","PowerShell.EXE") |
| Detection Query 2 | ((((Technologygroup = "EDR") AND image IN ("\cmd.exe","\powershell.exe")) AND parentimage IN ("\tomcat8.exe","\tomcat9.exe","\tomcat10.exe")) AND parentcommandline = "confluence") AND originalfilename IN ("Cmd.Exe","PowerShell.EXE") |
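The following is an added example, not Gurucul's or SigmaHQ's code, showing the same detection logic as Query 1 evaluated in Python against Sysmon Event ID 1 (process creation) records. It uses the Sysmon field names from the IOC table, applies path-suffix matching to Image and ParentImage and substring matching to ParentCommandLine, compares everything case-insensitively (Windows paths and the PE OriginalFileName field are not case-normalised in telemetry), and runs over a handful of constructed sample events that include one benign cmd.exe launch and a Tomcat instance that is not Confluence.

```python
"""Evaluate the CVE-2023-22518 suspicious-child-process detection against
Sysmon Event ID 1 records. Added example; the events at the bottom are
constructed samples, not real telemetry."""

# Leading backslash means "match the end of the full image path".
CHILD_IMAGE_SUFFIXES = ("\\cmd.exe", "\\powershell.exe")
PARENT_IMAGE_SUFFIXES = ("\\tomcat8.exe", "\\tomcat9.exe", "\\tomcat10.exe")
PARENT_CMDLINE_SUBSTRING = "confluence"          # substring of the service command line
CHILD_ORIGINAL_FILENAMES = {"cmd.exe", "powershell.exe"}  # 'Cmd.Exe' / 'PowerShell.EXE', lower-cased


def _ends_with_any(value: str, suffixes) -> bool:
    """Case-insensitive path-suffix match (Sigma 'endswith' semantics)."""
    value = value.lower()
    return any(value.endswith(s.lower()) for s in suffixes)


def is_confluence_suspicious_child(event: dict) -> bool:
    """Return True when a Sysmon process-creation record matches the detection.

    All four conditions from the IOC table must hold, mirroring the AND chain
    in Detection Query 1; only Event ID 1 (process creation) is considered.
    """
    if str(event.get("EventID", "")) != "1":
        return False
    return (
        _ends_with_any(event.get("Image", ""), CHILD_IMAGE_SUFFIXES)
        and _ends_with_any(event.get("ParentImage", ""), PARENT_IMAGE_SUFFIXES)
        and PARENT_CMDLINE_SUBSTRING in event.get("ParentCommandLine", "").lower()
        and event.get("OriginalFileName", "").lower() in CHILD_ORIGINAL_FILENAMES
    )


def find_suspicious_children(events) -> list:
    """Return the matching records in their original order."""
    return [e for e in events if is_confluence_suspicious_child(e)]


# Constructed sample telemetry. Paths and the service name are assumptions.
SAMPLE_EVENTS = [
    {   # Expected match: Confluence's Tomcat service spawns cmd.exe
        "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Program Files\Atlassian\Confluence\bin\tomcat9.exe",
        "ParentCommandLine": r'"C:\Program Files\Atlassian\Confluence\bin\tomcat9.exe" //RS//Confluence',
    },
    {   # Benign: a user opens a command prompt from Explorer
        "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
    },
    {   # Not Confluence: a different Tomcat-hosted application spawns PowerShell
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Apps\Tomcat\bin\tomcat9.exe",
        "ParentCommandLine": r'"C:\Apps\Tomcat\bin\tomcat9.exe" //RS//OtherApp',
    },
    {   # Confluence Tomcat spawning a non-shell child: not covered by this logic
        "EventID": 1,
        "Image": r"C:\Program Files\Atlassian\Confluence\jre\bin\java.exe",
        "OriginalFileName": "java.exe",
        "ParentImage": r"C:\Program Files\Atlassian\Confluence\bin\tomcat9.exe",
        "ParentCommandLine": r'"C:\Program Files\Atlassian\Confluence\bin\tomcat9.exe" //RS//Confluence',
    },
    {   # Expected match: tomcat10.exe with mixed-case command line spawns PowerShell
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Program Files\Atlassian\Confluence\bin\tomcat10.exe",
        "ParentCommandLine": r'"C:\Program Files\Atlassian\Confluence\bin\tomcat10.exe" //RS//CONFLUENCE',
    },
    {   # Same fields but a network-connection event (EID 3): ignored
        "EventID": 3,
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Program Files\Atlassian\Confluence\bin\tomcat9.exe",
        "ParentCommandLine": r'"C:\Program Files\Atlassian\Confluence\bin\tomcat9.exe" //RS//Confluence',
    },
]

if __name__ == "__main__":
    for hit in find_suspicious_children(SAMPLE_EVENTS):
        print("ALERT CVE-2023-22518 child process:", hit["ParentImage"], "->", hit["Image"])
```

Running the script flags only the two Confluence Tomcat events that launch cmd.exe or powershell.exe; the Explorer launch, the non-Confluence Tomcat instance, the java.exe child and the non-process-creation event are all left alone, which is the behaviour a SIEM translation of the rule should reproduce.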
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml