Oracle WebLogic Exploit CVE-2020-14882
Detects exploitation attempts on WebLogic servers
Sigma rule
```yaml
title: Oracle WebLogic Exploit CVE-2020-14882
id: 85d466b0-d74c-4514-84d3-2bdd3327588b
status: test
description: Detects exploitation attempts on WebLogic servers
references:
    - https://isc.sans.edu/diary/26734
    - https://twitter.com/jas502n/status/1321416053050667009?s=20
    - https://twitter.com/sudo_sudoka/status/1323951871078223874
author: Florian Roth (Nextron Systems)
date: 2020-11-02
modified: 2023-01-02
tags:
    - attack.t1190
    - attack.initial-access
    - cve.2020-14882
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '/console/images/%252E%252E%252Fconsole.portal'
            - '/console/css/%2e'
    condition: selection
fields:
    - c-ip
    - c-dns
falsepositives:
    - Unknown
level: high
```
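The rule's selection applied to sample events, as an added example that is not part of the original rule or the Sigma project's code. It shows that `contains` matches case-insensitively on the value as logged, and that a pipeline which URL-decodes the field before matching no longer hits either string. The event layout, the `decoded_once` step and all sample values are assumptions constructed for illustration.

```python
from urllib.parse import unquote

# Strings copied from the rule's detection.selection block.
PATTERNS = [
    "/console/images/%252E%252E%252Fconsole.portal",
    "/console/css/%2e",
]
FIELDS = ["c-ip", "c-dns"]  # the rule's `fields` list


def matches_rule(event):
    """Sigma `contains`: case-insensitive substring test on the field value as logged."""
    value = event.get("cs-uri-query", "").lower()
    return any(p.lower() in value for p in PATTERNS)


def triage(events):
    """Return the rule's output fields for each matching event."""
    return [{f: e.get(f, "-") for f in FIELDS} for e in events if matches_rule(e)]


def decoded_once(event):
    """Copy of the event with cs-uri-query URL-decoded once (a hypothetical pipeline step)."""
    return {**event, "cs-uri-query": unquote(event.get("cs-uri-query", ""))}


# Constructed events: documentation IPs, made-up hostnames, URIs built from the rule's strings.
SAMPLE_EVENTS = [
    {"c-ip": "192.0.2.10", "c-dns": "host-a.example",
     "cs-uri-query": "/console/images/%252E%252E%252Fconsole.portal"},
    {"c-ip": "192.0.2.11", "c-dns": "-",
     "cs-uri-query": "/console/images/%252e%252e%252fconsole.portal"},  # lower-case hex
    {"c-ip": "192.0.2.12", "c-dns": "host-c.example",
     "cs-uri-query": "/console/css/%2E"},                               # upper-case hex
    {"c-ip": "198.51.100.7", "c-dns": "admin.example",
     "cs-uri-query": "/console/css/login.css"},                         # ordinary asset
    {"c-ip": "198.51.100.8", "c-dns": "-"},                             # field missing
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
    # Matching after decoding misses the double-encoded string.
    print(matches_rule(decoded_once(SAMPLE_EVENTS[0])))
```

When deploying the rule, confirm that the backend maps the requested URI into `cs-uri-query` without decoding it first.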
Related rules
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - Weblogs
- Arcadyan Router Exploitations
- Atlassian Bitbucket Command Injection Via Archive API
- CVE-2010-5278 Exploitation Attempt