Merge pull request #2949 from splunk/gitlab_release_v4.22.0

Gitlab release v4.22.0

contentctl.yml

@@ -6,7 +6,7 @@ build:
   path_root: dist
   prefix: ESCU
   build: 004210
-  version: 4.21.0
+  version: 4.22.0
   label: ES Content Updates
   author_name: Splunk Threat Research Team
   author_email: research@splunk.com

detections/web/confluence_data_center_and_server_privilege_escalation.yml

@@ -23,6 +23,7 @@ references:
 tags:
   analytic_story:
   - CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
+  - Confluence Data Center and Confluence Server Vulnerabilities
   cve:
   - CVE-2023-22518
   asset_type: Web server

detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml

@@ -0,0 +1,59 @@
+name: Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
+id: f56936c0-ae6f-4eeb-91ff-ecc1448c6105
+version: 1
+date: '2024-01-22'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+data_source: []
+description: This analytic identifies a critical template injection vulnerability (CVE-2023-22527) in outdated versions of Confluence Data Center and Server, which allows an unauthenticated attacker to execute arbitrary code remotely. The vulnerability is exploited by injecting OGNL (Object-Graph Navigation Language) expressions into the application, as evidenced by POST requests to the "/template/aui/text-inline.vm" endpoint with specific content types and payloads. The search looks for POST requests with HTTP status codes 200 or 202, which may indicate successful exploitation attempts. Immediate patching to the latest version of Confluence is strongly recommended, as there are no known workarounds. This detection is crucial for identifying and responding to potential RCE attacks, ensuring that affected Confluence instances are secured against this critical threat.
+search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/template/aui/text-inline.vm*" Web.http_method=POST Web.status IN (200, 202) by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status
+  | `drop_dm_object_name("Web")`
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` | `confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information
+  on Web traffic that include fields relavent for traffic into the `Web` datamodel.
+known_false_positives: False positives may be present with legitimate applications.
+  Attempt to filter by dest IP or use Asset groups to restrict to confluence servers.
+references:
+- https://github.com/cleverg0d/CVE-2023-22527
+- https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html
+tags:
+  cve:
+  - CVE-2023-22527
+  analytic_story:
+  - Confluence Data Center and Confluence Server Vulnerabilities
+  asset_type: Web Application
+  atomic_guid: []
+  confidence: 90
+  impact: 90
+  message: Exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$.
+  mitre_attack_id:
+  - T1190
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  - name: src
+    type: IP Address
+    role:
+    - Attacker
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 81
+  required_fields:
+  - Web.src
+  - Web.dest
+  - Web.http_user_agent
+  - Web.url
+  - Web.status
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/suricata_confluence_cve-2023-22527.log
+    source: suricata
+    sourcetype: suricata

detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml

@@ -34,6 +34,7 @@ references:
 tags:
   analytic_story:
   - Atlassian Confluence Server and Data Center CVE-2022-26134
+  - Confluence Data Center and Confluence Server Vulnerabilities
   asset_type: Web Server
   confidence: 100
   cve:

detections/web/ivanti_connect_secure_command_injection_attempts.yml

@@ -1,13 +1,13 @@
 name: Ivanti Connect Secure Command Injection Attempts
 id: 1f32a7e0-a060-4545-b7de-73fcf9ad536e
-version: 1
-date: '2024-01-16'
+version: 2
+date: '2024-01-17'
 author: Michael Haag, Splunk
 status: production
 type: TTP
 data_source: []
 description: This analytic is designed to identify the exploit phase of the CVE-2023-46805 and CVE-2024-21887 vulnerabilities. During this phase, a POST request is made to the /api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection URI. This request exploits the command injection vulnerability to execute arbitrary commands. A successful request, indicated by a 200 OK response, suggests that the system is vulnerable.
-search: '| tstats count min(_time) as firstTime max(__time) as lastTime from datamodel=Web where Web.url="*/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection*" Web.http_method=POST Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url
+search: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN("*/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection*","*/api/v1/totp/user-backup-code/../../license/keys-status/*") Web.http_method IN ("POST", "GET") Web.status=200 by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.http_method, Web.status
   | `drop_dm_object_name("Web")`
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)`
@@ -20,6 +20,7 @@ references:
 - https://github.com/rapid7/metasploit-framework/pull/18708/files
 - https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis
 - https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/
+- https://twitter.com/GreyNoiseIO/status/1747711939466453301
 tags:
   cve:
   - CVE-2023-46805

dist/DA-ESS-ContentUpdate/app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null, 
       "name": "DA-ESS-ContentUpdate", 
-      "version": "4.21.0"
+      "version": "4.22.0"
     }, 
     "author": [
       {

dist/DA-ESS-ContentUpdate/default/analyticstories.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-22T23:37:39 UTC
+# On Date: 2024-01-24T22:03:46 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
@@ -14923,6 +14923,16 @@ annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_at
 known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers.
 providing_technologies = null
 
+[savedsearch://ESCU - Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 - Rule]
+type = detection
+asset_type = Web Application
+confidence = medium
+explanation = This analytic identifies a critical template injection vulnerability (CVE-2023-22527) in outdated versions of Confluence Data Center and Server, which allows an unauthenticated attacker to execute arbitrary code remotely. The vulnerability is exploited by injecting OGNL (Object-Graph Navigation Language) expressions into the application, as evidenced by POST requests to the "/template/aui/text-inline.vm" endpoint with specific content types and payloads. The search looks for POST requests with HTTP status codes 200 or 202, which may indicate successful exploitation attempts. Immediate patching to the latest version of Confluence is strongly recommended, as there are no known workarounds. This detection is crucial for identifying and responding to potential RCE attacks, ensuring that affected Confluence instances are secured against this critical threat.
+how_to_implement = To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the `Web` datamodel.
+annotations = {"cis20": ["CIS 13"], "kill_chain_phases": ["Delivery"], "mitre_attack": ["T1190"], "nist": ["DE.CM"]}
+known_false_positives = False positives may be present with legitimate applications. Attempt to filter by dest IP or use Asset groups to restrict to confluence servers.
+providing_technologies = null
+
 [savedsearch://ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule]
 type = detection
 asset_type = Web Server
@@ -15913,6 +15923,17 @@ searches = ["ESCU - PingID Mismatch Auth Source and Verification Response - Rule
 description = Monitor for activities and techniques associated with Compromised User Account attacks.
 narrative = Compromised User Account occurs when cybercriminals gain unauthorized access to accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential signs of Compromised User Accounts.
 
+[analytic_story://Confluence Data Center and Confluence Server Vulnerabilities]
+category = Adversary Tactics
+last_updated = 2024-01-22
+version = 1
+references = ["https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html"]
+maintainers = [{"company": "Splunk", "email": "-", "name": "Michael Haag"}]
+spec_version = 3
+searches = ["ESCU - Confluence Data Center and Server Privilege Escalation - Rule", "ESCU - Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 - Rule", "ESCU - Confluence Unauthenticated Remote Code Execution CVE-2022-26134 - Rule"]
+description = The following analytic story covers use cases for detecting and investigating potential attacks against Confluence Data Center and Confluence Server.
+narrative = The analytic story of Confluence Data Center and Confluence Server encompasses a comprehensive approach to safeguarding these platforms from a variety of threats. By leveraging the analytics created in the project, security teams are equipped to detect, investigate, and respond to potential attacks that target Confluence environments.
+
 [analytic_story://Credential Dumping]
 category = Adversary Tactics
 last_updated = 2020-02-04

dist/DA-ESS-ContentUpdate/default/app.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-22T23:37:39 UTC
+# On Date: 2024-01-24T22:03:46 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
@@ -10,7 +10,7 @@
 is_configured = false
 state = enabled
 state_change_requires_restart = false
-build = 20240122233501
+build = 20240124220001
 
 [triggers]
 reload.analytic_stories = simple
@@ -26,7 +26,7 @@ reload.es_investigations = simple
 
 [launcher]
 author = Splunk
-version = 4.21.0 
+version = 4.22.0 
 description = Explore the Analytic Stories included with ES Content Updates.
 
 [ui]

dist/DA-ESS-ContentUpdate/default/collections.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-22T23:37:39 UTC
+# On Date: 2024-01-24T22:03:46 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/content-version.conf

@@ -1,8 +1,8 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-22T23:37:39 UTC
+# On Date: 2024-01-24T22:03:46 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
 [content-version]
-version = 4.21.0 
+version = 4.22.0 

dist/DA-ESS-ContentUpdate/default/es_investigations.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-22T23:37:39 UTC
+# On Date: 2024-01-24T22:03:46 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/macros.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2024-01-22T23:37:39 UTC
+# On Date: 2024-01-24T22:03:46 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
@@ -5837,6 +5837,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.