Oracle WebLogic Server CVE-2024-21182 Exploitation Attempt

let weblogic_ports = dynamic([7001, 7002, 4848, 9002]);
let suspicious_paths = dynamic(['/wls-wsat/', '/bea_wls_internal/', '/uddiexplorer/', '/_async/', '/console/']);
union
(
  CommonSecurityLog
  | where TimeGenerated >= ago(24h)
  | where DeviceProduct has_any ("WebLogic", "Oracle")
  | where RequestURL has_any (suspicious_paths)
  | where Activity in~ ("POST", "PUT", "GET")
  | project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, Activity, RequestMethod, ResponseCode, DeviceVendor, DeviceProduct
),
(
  AzureDiagnostics
  | where TimeGenerated >= ago(24h)
  | where ResourceType == "APPLICATIONGATEWAYS"
  | where requestUri_s has_any (suspicious_paths)
  | project TimeGenerated, clientIP_s, requestUri_s, httpMethod_s, httpStatus_d, host_s
),
(
  W3CIISLog
  | where TimeGenerated >= ago(24h)
  | where sPort in (weblogic_ports)
  | where csUriStem has_any (suspicious_paths)
  | project TimeGenerated, cIP, csHost, csUriStem, csMethod, scStatus, sPort
)
| extend SuspiciousPath = case(
    RequestURL has "/wls-wsat/", "T3/IIOP deserialization path",
    RequestURL has "/uddiexplorer/", "UDDI SSRF vector",
    RequestURL has "/_async/", "Async deserialization path",
    RequestURL has "/bea_wls_internal/", "Internal WLS endpoint",
    "Unknown suspicious path"
  )
| summarize
    RequestCount = count(),
    UniqueURLs = dcount(RequestURL),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Paths = make_set(RequestURL, 20)
    by SourceIP, SuspiciousPath
| where RequestCount > 0
| order by RequestCount desc

index=* (sourcetype=oracle:weblogic OR sourcetype=access_combined OR sourcetype=iis)
(uri_path IN ("/wls-wsat/*", "/bea_wls_internal/*", "/uddiexplorer/*", "/_async/*", "/console/*")
OR dest_port IN (7001, 7002, 4848, 9002))
earliest=-24h latest=now
| eval suspicious_path=case(
    like(uri_path, "%/wls-wsat/%"), "T3/IIOP deserialization",
    like(uri_path, "%/uddiexplorer/%"), "UDDI SSRF vector",
    like(uri_path, "%/_async/%"), "Async deserialization",
    like(uri_path, "%/bea_wls_internal/%"), "Internal WLS endpoint",
    like(uri_path, "%/console/%"), "Admin console access",
    true(), "Unknown"
  )
| eval severity=case(
    like(uri_path, "%/wls-wsat/%") AND http_method="POST", "critical",
    like(uri_path, "%/_async/%") AND http_method="POST", "critical",
    like(uri_path, "%/uddiexplorer/%"), "high",
    true(), "medium"
  )
| stats
    count AS request_count,
    dc(uri_path) AS unique_paths,
    values(uri_path) AS accessed_paths,
    values(http_method) AS methods_used,
    values(status) AS response_codes,
    min(_time) AS first_seen,
    max(_time) AS last_seen
    BY src_ip, dest_ip, dest_port, suspicious_path, severity
| where request_count > 0
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - request_count
| table src_ip, dest_ip, dest_port, suspicious_path, severity, request_count, unique_paths, accessed_paths, methods_used, response_codes, first_seen, last_seen

sequence by source.ip with maxspan=5m
  [network where destination.port in (7001, 7002, 4848, 9002)
   and http.request.method in ("POST", "GET", "PUT")
   and (
     http.request.body.content : "*wls-wsat*" or
     http.request.body.content : "*_async*" or
     http.request.body.content : "*uddiexplorer*" or
     url.path : "/wls-wsat/*" or
     url.path : "/_async/*" or
     url.path : "/uddiexplorer/*" or
     url.path : "/bea_wls_internal/*"
   )
  ]
  [network where destination.port in (7001, 7002, 4848, 9002)
   and http.response.status_code in (200, 500, 400)
  ]

SELECT
  sourceip AS source_ip,
  destinationip AS dest_ip,
  destinationport AS dest_port,
  URL AS request_url,
  "Method" AS http_method,
  "Response Code" AS http_status,
  COUNT(*) AS request_count,
  MIN(starttime) AS first_seen,
  MAX(starttime) AS last_seen
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Oracle WebLogic', 'Apache HTTP Server', 'Microsoft IIS')
  AND (
    URL ILIKE '%/wls-wsat/%'
    OR URL ILIKE '%/_async/%'
    OR URL ILIKE '%/uddiexplorer/%'
    OR URL ILIKE '%/bea_wls_internal/%'
    OR URL ILIKE '%/console/%'
    OR destinationport IN (7001, 7002, 4848, 9002)
  )
  AND DATEFORMAT(starttime, 'YYYY-MM-dd') >= DATEADD('day', -1, CURRENT_DATE)
GROUP BY
  sourceip, destinationip, destinationport, URL, "Method", "Response Code"
HAVING request_count > 0
ORDER BY request_count DESC
LAST 24 HOURS

_sourceCategory=weblogic OR _sourceCategory=access_logs OR _sourceCategory=iis
| parse regex "(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*?(?P<method>GET|POST|PUT|DELETE|HEAD|OPTIONS)\s+(?P<uri_path>/[^\s]*)" nodrop
| where uri_path matches "/wls-wsat/*"
  OR uri_path matches "/_async/*"
  OR uri_path matches "/uddiexplorer/*"
  OR uri_path matches "/bea_wls_internal/*"
  OR uri_path matches "/console/*"
| parse regex "(?P<status_code>\d{3})" nodrop
| eval suspicious_category = if(uri_path matches "/wls-wsat/*" OR uri_path matches "/_async/*", "Deserialization Vector",
    if(uri_path matches "/uddiexplorer/*", "SSRF Vector",
    if(uri_path matches "/bea_wls_internal/*", "Internal Endpoint Access", "Console Access")))
| timeslice 1h
| stats
    count AS requests,
    countDistinct(uri_path) AS unique_paths,
    values(uri_path) AS paths,
    values(status_code) AS status_codes
    by src_ip, method, suspicious_category, _timeslice
| where requests > 0
| sort by requests desc

rule oracle_weblogic_cve_2024_21182_exploit {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects exploitation attempts targeting Oracle WebLogic CVE-2024-21182"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://www.oracle.com/security-alerts/cpujul2024.html"
    mitre_attack_tactic = "Initial Access, Execution"
    mitre_attack_technique = "T1190"

  events:
    $http.metadata.event_type = "NETWORK_HTTP"
    $http.target.port in (7001, 7002, 4848, 9002)
    (
      re.regex($http.target.url, `.*/wls-wsat/.*`) or
      re.regex($http.target.url, `.*/_async/.*`) or
      re.regex($http.target.url, `.*/uddiexplorer/.*`) or
      re.regex($http.target.url, `.*/bea_wls_internal/.*`) or
      re.regex($http.target.url, `.*/console/.*`)
    )

  match:
    $http.principal.ip over 15m

  outcome:
    $risk_score = max(95)
    $source_ip = array_distinct($http.principal.ip)
    $target_url = array_distinct($http.target.url)
    $http_method = array_distinct($http.network.http.method)
    $response_code = array_distinct($http.network.http.response_code)

  condition:
    $http
}

#event_simpleName IN ("NetworkConnectIP4", "NetworkConnectIP6", "HttpRequest")
| $RemotePort IN (7001, 7002, 4848, 9002)
  OR $TargetURL IN ["*wls-wsat*", "*_async*", "*uddiexplorer*", "*bea_wls_internal*"]
| eval SuspiciousPath = case(
    $TargetURL = "*wls-wsat*", "Deserialization - WSAT",
    $TargetURL = "*_async*", "Deserialization - Async",
    $TargetURL = "*uddiexplorer*", "SSRF - UDDI",
    $TargetURL = "*bea_wls_internal*", "Internal Endpoint",
    "WebLogic Port Access"
  )
| groupBy([RemoteAddressIP4, LocalAddressIP4, RemotePort, SuspiciousPath, TargetURL, HttpMethod], function=[count(aid, as=RequestCount), min(timestamp, as=FirstSeen), max(timestamp, as=LastSeen)])
| sort RequestCount desc
| $RequestCount > 0