rule: reworked weblogic CVE-2020-14882 rule
This commit is contained in:
Florian Roth
@@ -4,16 +4,17 @@ status: experimental
|
||||
description: Detects exploitation attempts on WebLogic servers
|
||||
author: Florian Roth
|
||||
date: 2020/11/02
|
||||
modified: 2020/11/03
|
||||
references:
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14882
|
||||
- https://isc.sans.edu/diary/26734
|
||||
- https://twitter.com/jas502n/status/1321416053050667009?s=20
|
||||
logsource:
|
||||
category: webserver
|
||||
detection:
|
||||
selection:
|
||||
c-uri|contains|all:
|
||||
- '/console/images/%252E%252E%252F'
|
||||
- '.exec('
|
||||
c-uri|contains:
|
||||
- '/console/images/%252E%252E%252Fconsole.portal'
|
||||
condition: selection
|
||||
fields:
|
||||
- c-ip
|
||||
@@ -26,4 +27,3 @@ tags:
|
||||
- attack.t1190
|
||||
- attack.initial_access
|
||||
- cve.2020-14882
|
||||
- attack.t1505.003
|
||||
|
||||
Reference in New Issue
Block a user