Oracle WebLogic Exploit

 1title: Oracle WebLogic Exploit
 2id: 37e8369b-43bb-4bf8-83b6-6dd43bda2000
 3status: test
 4description: Detects access to a webshell dropped into a keystore folder on the WebLogic server
 5references:
 6    - https://twitter.com/pyn3rd/status/1020620932967223296
 7    - https://github.com/LandGrey/CVE-2018-2894
 8author: Florian Roth (Nextron Systems)
 9date: 2018/07/22
10modified: 2023/01/02
11tags:
12    - attack.t1190
13    - attack.initial_access
14    - attack.persistence
15    - attack.t1505.003
16    - cve.2018.2894
17    - detection.emerging_threats
18logsource:
19    category: webserver
20detection:
21    selection:
22        cs-uri-query: '*/config/keystore/*.js*'
23    condition: selection
24fields:
25    - c-ip
26    - c-dns
27falsepositives:
28    - Unknown
29level: critical

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• GitHub - LandGrey/CVE-2018-2894: CVE-2018-2894 WebLogic Unrestricted File Upload Lead To RCE Check Script

  

  CVE-2018-2894 WebLogic Unrestricted File Upload Lead To RCE Check Script - LandGrey/CVE-2018-2894

  
  Read More

Related rules

• CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
• Suspicious MSExchangeMailboxReplication ASPX Write
• CVE-2010-5278 Exploitation Attempt
• CVE-2020-0688 Exchange Exploitation via Web Log
• CVE-2020-0688 Exploitation Attempt