SigmaHQ/rules/web/web_cve_2018_2894_weblogic_exploit.yml

title: Oracle WebLogic Exploit
description: Detects access to a webshell droped into a keytore folder on the WebLogic server
author: Florian Roth
date: 2018/07/22
status: experimental
references: 
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
    - https://twitter.com/pyn3rd/status/1020620932967223296
    - https://github.com/LandGrey/CVE-2018-2894
logsource:
    category: webserver
detection:
    selection:
        c-uri-path: 
            - '*/config/keystore/*.js*'
    condition: selection
fields:
    - c-ip
    - c-dns
falsepositives:
    - Unknown
tags:
    - attack.t1100
    - attack.web_shell
    - attack.t1190
    - attack.initial_access
    - attack.persistence
    - attack.privilege_escalation
    - cve.2018-2894
level: critical
Rule: CVE-2018-2894 Oracle WebLogic exploit and webshell drop 2018-07-22 21:09:19 +00:00			`title: Oracle WebLogic Exploit`
			`description: Detects access to a webshell droped into a keytore folder on the WebLogic server`
			`author: Florian Roth`
			`date: 2018/07/22`
			`status: experimental`
			`references:`
			`- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894`
			`- https://twitter.com/pyn3rd/status/1020620932967223296`
			`- https://github.com/LandGrey/CVE-2018-2894`
			`logsource:`
			`category: webserver`
			`detection:`
			`selection:`
Update web_cve_2018_2894_weblogic_exploit.yml We try to avoid false positives 2018-07-23 12:18:38 +00:00			`c-uri-path:`
Update web_cve_2018_2894_weblogic_exploit.yml Ah, we could do it this way .js 2018-07-23 12:19:25 +00:00			`- '/config/keystore/.js*'`
Rule: CVE-2018-2894 Oracle WebLogic exploit and webshell drop 2018-07-22 21:09:19 +00:00			`condition: selection`
			`fields:`
			`- c-ip`
			`- c-dns`
			`falsepositives:`
			`- Unknown`
			`tags:`
			`- attack.t1100`
			`- attack.web_shell`
			`- attack.t1190`
			`- attack.initial_access`
			`- attack.persistence`
			`- attack.privilege_escalation`
			`- cve.2018-2894`
			`level: critical`