Rule: CVE-2018-2894 Oracle WebLogic exploit and webshell drop

rules/web/web_cve_2018_2894_weblogic_exploit.yml

@@ -0,0 +1,30 @@
+title: Oracle WebLogic Exploit
+description: Detects access to a webshell droped into a keytore folder on the WebLogic server
+author: Florian Roth
+date: 2018/07/22
+status: experimental
+references: 
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
+    - https://twitter.com/pyn3rd/status/1020620932967223296
+    - https://github.com/LandGrey/CVE-2018-2894
+logsource:
+    category: webserver
+detection:
+    selection:
+        c-uri-path: '*/ws_utc/css/config/keystore/*.jsp'
+    condition: selection
+fields:
+    - c-ip
+    - c-dns
+falsepositives:
+    - Unknown
+tags:
+    - attack.t1100
+    - attack.web_shell
+    - attack.t1190
+    - attack.initial_access
+    - attack.persistence
+    - attack.privilege_escalation
+    - cve.2018-2894
+level: critical
+