Oracle WebLogic Exploit CVE-2020-14882
Detects exploitation attempts on WebLogic servers
Sigma rule
title: Oracle WebLogic Exploit CVE-2020-14882
id: 85d466b0-d74c-4514-84d3-2bdd3327588b
status: test
description: Detects exploitation attempts on WebLogic servers
references:
    - https://isc.sans.edu/diary/26734
    - https://twitter.com/jas502n/status/1321416053050667009?s=20
    - https://twitter.com/sudo_sudoka/status/1323951871078223874
author: Florian Roth (Nextron Systems)
date: 2020/11/02
modified: 2023/01/02
tags:
    - attack.t1190
    - attack.initial_access
    - cve.2020.14882
    - detection.emerging_threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '/console/images/%252E%252E%252Fconsole.portal'
            - '/console/css/%2e'
    condition: selection
fields:
    - c-ip
    - c-dns
falsepositives:
    - Unknown
level: high
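The selection above evaluated over W3C-style log lines, as an added Python example (not part of the rule or the Sigma project). The sample log is constructed, `parse_w3c`, `selection` and `detect` are hypothetical helper names, and the `field` parameter is an assumption added to show that the rule only sees what your pipeline maps into `cs-uri-query`.

```python
# Added example: applies the rule's selection to W3C extended log lines.
PATTERNS = (
    "/console/images/%252E%252E%252Fconsole.portal",
    "/console/css/%2e",
)

def parse_w3c(lines):
    """Yield one dict per record, named by the '#Fields:' directive."""
    names = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                names = line.split(":", 1)[1].split()
            continue
        values = line.split()
        # Skip malformed records instead of mis-assigning columns.
        if names and len(values) == len(names):
            yield dict(zip(names, values))

def selection(event, field="cs-uri-query"):
    """Sigma 'contains' with a value list: case-insensitive substring, OR-ed."""
    value = event.get(field, "").lower()
    return any(p.lower() in value for p in PATTERNS)

def detect(lines, field="cs-uri-query"):
    """Return the rule's output fields (c-ip, c-dns) for each matching event."""
    return [(e.get("c-ip", "-"), e.get("c-dns", "-"))
            for e in parse_w3c(lines) if selection(e, field)]

# Constructed sample log (documentation IP ranges, not real traffic).
# Records 2 and 3 carry the request URI in cs-uri-query; record 4 has the
# path only in cs-uri-stem, so the rule's field does not see it.
SAMPLE_LOG = """\
#Fields: date time c-ip c-dns cs-method cs-uri-stem cs-uri-query sc-status
2020-11-02 10:00:01 192.0.2.10 - GET /console/login/LoginForm.jsp - 200
2020-11-02 10:00:05 198.51.100.7 scanner.example GET /console/images/%252E%252E%252Fconsole.portal /console/images/%252E%252E%252Fconsole.portal 200
2020-11-02 10:00:09 203.0.113.5 - GET /console/css/%2E%2E%2Fconsole.portal /console/css/%2E%2E%2Fconsole.portal 404
2020-11-02 10:00:12 203.0.113.9 - GET /console/images/%252e%252e%252fconsole.portal - 302
""".splitlines()

if __name__ == "__main__":
    print("cs-uri-query:", detect(SAMPLE_LOG))
    print("cs-uri-stem: ", detect(SAMPLE_LOG, field="cs-uri-stem"))
```

If the second call returns hits the first one misses, the log source splits the path into `cs-uri-stem` and the field mapping needs adjusting before the rule is deployed.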
Related rules
- CVE-2010-5278 Exploitation Attempt
- CVE-2020-0688 Exchange Exploitation via Web Log
- CVE-2020-0688 Exploitation Attempt
- CVE-2020-10148 SolarWinds Orion API Auth Bypass
- CVE-2020-5902 F5 BIG-IP Exploitation Attempt