Emerging Threathightest

Atlassian Bitbucket Command Injection Via Archive API

Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Thu Sep 29Updated Mon Jan 0265c0a0ab-d675-4441-bd6b-d3db226a26852022

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Web Server Log

CategoryWeb Server Log← raw: webserver

HTTP access logs from web servers capturing request paths, methods, and status codes.

Detection Logic

detection:
    selection:
        cs-uri-query|contains|all:
            - '/rest/api/latest/projects/'
            - 'prefix='
            - '%00--exec'
    condition: selection

False Positives

Web vulnerability scanners

References

confluence.atlassian.com

Resolving title…

blog.assetnote.io

MITRE ATT&CK

Tactics

TA0001 · Initial Access

Techniques

T1190 · Exploit Public-Facing Application

Other

cve.2022-36804detection.emerging-threats

Rule Metadata

Rule ID

65c0a0ab-d675-4441-bd6b-d3db226a2685

Status

test

Level

high

Type

Emerging Threat

Created

Thu Sep 29

Modified

Mon Jan 02

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml

Raw Tags

attack.initial-accessattack.t1190cve.2022-36804detection.emerging-threats

View on GitHub