Emerging Threathightest
Potential CVE-2021-26084 Exploitation Attempt
Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Sittikorn S, Nuttakorn TCreated Tue Dec 13Updated Fri Mar 2438825179-3c78-4fed-b222-2e2166b926b12021
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
Web Server Log
CategoryWeb Server Log← raw: webserver
HTTP access logs from web servers capturing request paths, methods, and status codes.
Definition
Requirements: The POST request body data must be collected in order to make use of certain parts of this detection
Detection Logic
Detection Logic4 selectors
detection:
selection_main:
cs-method: 'POST'
sc-status: 200
cs-username: 'anonymous' # This string is used to reduce possible FP you could remove it to get authenticated attempts
selection_exploit_1:
cs-uri-query|contains|all:
- '/pages/createpage-entervariables.action'
- 'SpaceKey=x' # This URI assume that you can't have a space ID of "X"
selection_exploit_2_uri:
cs-uri-query|contains: '/doenterpagevariables.action'
selection_exploit_2_keyword:
- 'u0027' # This string should appear in the post body as a value of the parameter "queryString"
condition: selection_main and (selection_exploit_1 or all of selection_exploit_2_*)False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Other
cve.2021-26084detection.emerging-threats
Rule Metadata
Rule ID
38825179-3c78-4fed-b222-2e2166b926b1
Status
test
Level
high
Type
Emerging Threat
Created
Tue Dec 13
Modified
Fri Mar 24
Author
Path
rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml
Raw Tags
attack.initial-accessattack.t1190cve.2021-26084detection.emerging-threats