From 4e1fc568f1bc1396c5ff08c82a8c073a36ee49ee Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Fri, 28 Aug 2020 15:38:06 -0400 Subject: [PATCH 1/2] added confluence-weblogic-targeted --- Campaigns/confluence-weblogic-targeted.md | 97 +++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 Campaigns/confluence-weblogic-targeted.md diff --git a/Campaigns/confluence-weblogic-targeted.md b/Campaigns/confluence-weblogic-targeted.md new file mode 100644 index 00000000..368ab3fd --- /dev/null +++ b/Campaigns/confluence-weblogic-targeted.md @@ -0,0 +1,97 @@ +# Confluence and WebLogic servers targeted by campaign + +This query was originally published in the threat analytics report, *Confluence and WebLogic abuse*. + +2019 has seen several seemingly related campaigns targeting Atlassian Confluence Server and Oracle WebLogic Server. Although these campaigns use different implants and delivery methods, they consistently use the same infrastructure, and exploit the same vulnerabilities. + +The campaigns have specifically targeted: + +* [CVE-2019-3396](https://nvd.nist.gov/vuln/detail/CVE-2019-3396) - [Software update](https://jira.atlassian.com/browse/CONFSERVER-57974) +* [CVE-2019-2725](https://nvd.nist.gov/vuln/detail/CVE-2019-2725) - [Software update](https://www.oracle.com/security-alerts/alert-cve-2019-2725.html) + +The following query detects activity broadly associated with these campaigns. + +## Query + +```Kusto +DeviceProcessEvents +| where Timestamp >= ago(7d) +| where +// "Grandparent" process is Oracle WebLogic or some process loading Confluence +InitiatingProcessParentFileName == "beasvc.exe" or +InitiatingProcessFileName == "beasvc.exe" +or InitiatingProcessCommandLine contains "//confluence" +// Calculate for Base64 in Commandline +| extend Caps = countof(ProcessCommandLine, "[A-Z]", "regex"), +Total = countof(ProcessCommandLine, ".", "regex") +| extend Ratio = todouble(Caps) / todouble(Total) +| where +( + FileName in~ ("powershell.exe" , "powershell_ise.exe") // PowerShell is spawned + // Omit known clean processes + and ProcessCommandLine !startswith "POWERSHELL.EXE -C \"GET-WMIOBJECT -COMPUTERNAME" + and ProcessCommandLine !contains "ApplicationNo" + and ProcessCommandLine !contains "CustomerGroup" + and ProcessCommandLine !contains "Cosmos" + and ProcessCommandLine !contains "Unrestricted" + and + ( + ProcessCommandLine contains "$" // PowerShell variable declaration + or ProcessCommandLine contains "-e " // Alias for "-EncodedCommand" parameter + or ProcessCommandLine contains "encodedcommand" + or ProcessCommandLine contains "wget" + //or ( Ratio > 0.4 and Ratio < 1.0) // Presence of Base64 strings + ) +) +or +( + FileName =~ "cmd.exe" // cmd.exe is spawned + and ProcessCommandLine contains "@echo" and + ProcessCommandLine contains ">" // Echoing commands into a file +) +or +( + FileName =~ "certutil.exe" // CertUtil.exe abuse + and ProcessCommandLine contains "-split" + // the "-split" parameter is required to write files to the disk +) +| project + Timestamp, + InitiatingProcessCreationTime , + DeviceId , + Grandparent_PID = InitiatingProcessParentId, + Grandparent = InitiatingProcessParentFileName, + Parent_Account = InitiatingProcessAccountName, + Parent_PID = InitiatingProcessId, + Parent = InitiatingProcessFileName , + Parent_Commandline = InitiatingProcessCommandLine, + Child_PID = ProcessId, + Child = FileName , + Child_Commandline = ProcessCommandLine +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | v | | +| Persistence | v | | +| Privilege escalation | | | +| Defense evasion | v | | +| Credential Access | | | +| Discovery | v | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | v | | + +## Contributor info + +**Contributor:** Microsoft Threat Protection team From fe0982dd99535453f29413001d074079653e9386 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Fri, 28 Aug 2020 15:45:36 -0400 Subject: [PATCH 2/2] corrected chart --- Campaigns/confluence-weblogic-targeted.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Campaigns/confluence-weblogic-targeted.md b/Campaigns/confluence-weblogic-targeted.md index 368ab3fd..c9cf1d3f 100644 --- a/Campaigns/confluence-weblogic-targeted.md +++ b/Campaigns/confluence-weblogic-targeted.md @@ -77,20 +77,20 @@ This query can be used to detect the following attack techniques and tactics ([s | Technique, tactic, or state | Covered? (v=yes) | Notes | |-|-|-| | Initial access | | | -| Execution | v | | -| Persistence | v | | +| Execution | | | +| Persistence | | | | Privilege escalation | | | -| Defense evasion | v | | +| Defense evasion | | | | Credential Access | | | -| Discovery | v | | +| Discovery | | | | Lateral movement | | | | Collection | | | | Command and control | | | | Exfiltration | | | | Impact | | | -| Vulnerability | | | +| Vulnerability | v | | | Misconfiguration | | | -| Malware, component | v | | +| Malware, component | | | ## Contributor info