From f848bb912cd1cfd4303a113e12d8066304385c8a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 3 Nov 2020 10:39:40 +0100
Subject: [PATCH] rule: reworked weblogic CVE-2020-14882 rule

---
 rules/web/web_cve_2020_14882_weblogic_exploit.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/web/web_cve_2020_14882_weblogic_exploit.yml b/rules/web/web_cve_2020_14882_weblogic_exploit.yml
index 16a800344..eaf668eda 100644
--- a/rules/web/web_cve_2020_14882_weblogic_exploit.yml
+++ b/rules/web/web_cve_2020_14882_weblogic_exploit.yml
@@ -4,16 +4,17 @@ status: experimental
 description: Detects exploitation attempts on WebLogic servers
 author: Florian Roth
 date: 2020/11/02
+modified: 2020/11/03
 references:
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14882
 - https://isc.sans.edu/diary/26734
+ - https://twitter.com/jas502n/status/1321416053050667009?s=20
 logsource:
 category: webserver
 detection:
 selection:
- c-uri|contains|all:
- - '/console/images/%252E%252E%252F'
- - '.exec('
+ c-uri|contains:
+ - '/console/images/%252E%252E%252Fconsole.portal'
 condition: selection
 fields:
 - c-ip
@@ -26,4 +27,3 @@ tags:
 - attack.t1190
 - attack.initial_access
 - cve.2020-14882
- - attack.t1505.003
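Review bot: The reworked selection now hinges on a single literal, `'/console/images/%252E%252E%252Fconsole.portal'`, so the rule is only as robust as the exact double-encoded form surviving into the `c-uri` field; if a log source records the URI after one round of percent-decoding, the same request would appear as `/console/images/%2E%2E%2Fconsole.portal` and produce no match — worth verifying against the webserver log formats in scope, and if that happens a second list entry in the same `c-uri|contains` list would cover it without reintroducing the `|all` coupling. Dropping the `.exec(` requirement is a sensible change, since it bound the rule to one payload style rather than the traversal itself, but neither the `description` nor the rule body records that reasoning; I'd update the description to something like `Detects path-traversal requests to console.portal used to bypass WebLogic console authentication (CVE-2020-14882)` so the next maintainer knows what the single indicator stands for. The rule text before `status: experimental` and after `- c-ip` is outside the hunk.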