SigmaHQ/rules/web/web_cve_2020_14882_weblogic_exploit.yml

title: Oracle WebLogic Exploit CVE-2020-14882
id: 85d466b0-d74c-4514-84d3-2bdd3327588b
status: experimental
description: Detects exploitation attempts on WebLogic servers
author: Florian Roth
date: 2020/11/02
modified: 2020/11/04
references:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14882
    - https://isc.sans.edu/diary/26734
    - https://twitter.com/jas502n/status/1321416053050667009?s=20
    - https://twitter.com/sudo_sudoka/status/1323951871078223874
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains:
            - '/console/images/%252E%252E%252Fconsole.portal'
            - '/console/css/%2e'
    condition: selection
fields:
    - c-ip
    - c-dns
falsepositives:
    - Unknown
level: high
tags:
    - attack.t1100 # an old one
    - attack.t1190
    - attack.initial_access
    - cve.2020-14882