Oracle WebLogic Exploit
Detects access to a webshell dropped into a keystore folder on the WebLogic server
Sigma rule

```yaml
title: Oracle WebLogic Exploit
id: 37e8369b-43bb-4bf8-83b6-6dd43bda2000
status: test
description: Detects access to a webshell dropped into a keystore folder on the WebLogic server
references:
    - https://twitter.com/pyn3rd/status/1020620932967223296
    - https://github.com/LandGrey/CVE-2018-2894
author: Florian Roth (Nextron Systems)
date: 2018-07-22
modified: 2023-01-02
tags:
    - attack.t1190
    - attack.initial-access
    - attack.persistence
    - attack.t1505.003
    - cve.2018-2894
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query: '*/config/keystore/*.js*'
    condition: selection
fields:
    - c-ip
    - c-dns
falsepositives:
    - Unknown
level: critical
```
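The rule above is a single wildcard selection on the `cs-uri-query` field. The following Python is an added example, not part of the Sigma rule or the SigmaHQ project, showing how that selection behaves when applied to web server access logs. It translates the Sigma wildcard value into a regex with Sigma's own semantics (`*` spans any characters including `/`, `?` is one character, matching is case-insensitive, and brackets are literal, so `fnmatch` would be the wrong tool), parses Common Log Format lines, and reports the hits. The log lines are constructed, the rule id, title and pattern are copied from the rule, and the field mapping (request target onto `cs-uri-query`, client address onto `c-ip`) is this example's assumption about the log pipeline.

```python
import re
from typing import Dict, List, Optional

# Values copied from the Sigma rule on this page.
RULE_ID = "37e8369b-43bb-4bf8-83b6-6dd43bda2000"
RULE_TITLE = "Oracle WebLogic Exploit"
RULE_PATTERN = "*/config/keystore/*.js*"   # detection.selection.cs-uri-query


def sigma_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a plain (modifier-free) Sigma string value into a regex.

    Sigma string semantics: '*' matches any run of characters (including '/'),
    '?' matches exactly one character, every other character is literal, and
    matching is case-insensitive. Bracket expressions are NOT special in Sigma,
    so fnmatch (which treats '[...]' as a class) must not be used here.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


RULE_REGEX = sigma_wildcard_to_regex(RULE_PATTERN)


def matches_rule(cs_uri_query: str) -> bool:
    """True when the field value satisfies the rule's single selection."""
    return RULE_REGEX.fullmatch(cs_uri_query) is not None


# Apache/nginx Common Log Format. Example assumption: the log pipeline maps the
# request target (path plus query string) onto the Sigma field cs-uri-query and
# the client address onto c-ip, the first of the rule's 'fields' entries.
CLF_RE = re.compile(
    r'^(?P<c_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_clf(line: str) -> Optional[Dict[str, object]]:
    """Parse one CLF line into Sigma-style field names; None if malformed."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return {
        "timestamp": m.group("ts"),
        "c-ip": m.group("c_ip"),
        "cs-method": m.group("method"),
        "cs-uri-query": m.group("target"),
        "sc-status": int(m.group("status")),
    }


def run_rule(log_text: str) -> List[Dict[str, object]]:
    """Apply the rule to every line of an access log and return the hits."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and matches_rule(str(rec["cs-uri-query"])):
            rec["rule"] = RULE_TITLE
            rec["rule_id"] = RULE_ID
            hits.append(rec)
    return hits


# Constructed sample log (not a real capture); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jul/2018:10:14:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4521
203.0.113.5 - - [22/Jul/2018:10:16:07 +0000] "GET /app/config/keystore/1532254540000_shell.jsp?x=1 HTTP/1.1" 200 88
198.51.100.7 - - [22/Jul/2018:10:16:30 +0000] "GET /static/keystore.js HTTP/1.1" 200 1024
198.51.100.7 - - [22/Jul/2018:10:17:01 +0000] "GET /config/keystore/app.json HTTP/1.1" 404 0
garbage line that is not CLF
"""


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_LOG):
        print(f"[{hit['rule']}] {hit['c-ip']} {hit['cs-method']} "
              f"{hit['cs-uri-query']} -> {hit['sc-status']}")
```

Two of the four well-formed lines fire. The second hit, `/config/keystore/app.json`, is worth noticing when tuning: the `.js*` suffix matches `.jsp` and `.jsp?...`, but equally `.js` and `.json`, so legitimate JavaScript or JSON assets served from a `config/keystore` path will also trigger the rule, which is consistent with its `falsepositives: Unknown`. The field mapping also matters: in IIS W3C extended logs `cs-uri-query` holds only the query string and the path sits in `cs-uri-stem`, so a pipeline that feeds raw IIS fields to this rule will never match the path and the rule silently does nothing; the example assumes the full request target is mapped onto `cs-uri-query`.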
Related rules
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- Rejetto HTTP File Server RCE
- Suspicious Child Process Of SQL Server
- Suspicious File Drop by Exchange
- Suspicious MSExchangeMailboxReplication ASPX Write