Detect Oracle WebLogic Server CVE-2024-21182 Exploitation Attempt in Microsoft Sentinel
Detects exploitation attempts targeting CVE-2024-21182, an unspecified vulnerability in Oracle WebLogic Server. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Oracle WebLogic Server is a high-value target for threat actors due to its prevalence in enterprise Java EE environments. Exploitation may enable remote code execution, unauthorized data access, or server compromise.
MITRE ATT&CK
KQL Detection Query
let weblogic_ports = dynamic([7001, 7002, 4848, 9002]);
let suspicious_paths = dynamic(['/wls-wsat/', '/bea_wls_internal/', '/uddiexplorer/', '/_async/', '/console/']);
union
(
CommonSecurityLog
| where TimeGenerated >= ago(24h)
| where DeviceProduct has_any ("WebLogic", "Oracle")
| where RequestURL has_any (suspicious_paths)
| where Activity in~ ("POST", "PUT", "GET")
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, Activity, RequestMethod, ResponseCode, DeviceVendor, DeviceProduct
),
(
AzureDiagnostics
| where TimeGenerated >= ago(24h)
| where ResourceType == "APPLICATIONGATEWAYS"
| where requestUri_s has_any (suspicious_paths)
| project TimeGenerated, clientIP_s, requestUri_s, httpMethod_s, httpStatus_d, host_s
),
(
W3CIISLog
| where TimeGenerated >= ago(24h)
| where sPort in (weblogic_ports)
| where csUriStem has_any (suspicious_paths)
| project TimeGenerated, cIP, csHost, csUriStem, csMethod, scStatus, sPort
)
| extend SuspiciousPath = case(
RequestURL has "/wls-wsat/", "T3/IIOP deserialization path",
RequestURL has "/uddiexplorer/", "UDDI SSRF vector",
RequestURL has "/_async/", "Async deserialization path",
RequestURL has "/bea_wls_internal/", "Internal WLS endpoint",
"Unknown suspicious path"
)
| summarize
RequestCount = count(),
UniqueURLs = dcount(RequestURL),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
Paths = make_set(RequestURL, 20)
by SourceIP, SuspiciousPath
| where RequestCount > 0
| order by RequestCount descDetects HTTP requests targeting known Oracle WebLogic Server vulnerable endpoints associated with CVE-2024-21182 exploitation patterns. Monitors for access to internal WLS paths commonly abused in deserialization and RCE attacks against WebLogic.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate administrative access to WebLogic console from known admin IPs
- Internal monitoring or health-check systems polling WebLogic endpoints
- Vulnerability scanning tools used by internal security teams against WebLogic
- Load balancer health probes targeting WebLogic listening ports
Other platforms for CVE-2024-21182
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1WebLogic WSAT Endpoint Probe
Expected signal: HTTP GET request logged in WebLogic access.log to /wls-wsat/CoordinatorPortType from attacker IP on port 7001. Network flow data showing connection to WebLogic port.
- Test 2WebLogic Async Servlet POST Probe
Expected signal: HTTP POST to /_async/AsyncResponseService visible in WebLogic access logs and network proxy logs. Process audit logs may show WebLogic JVM processing the request.
- Test 3WebLogic UDDI Explorer SSRF Probe
Expected signal: HTTP GET request to /uddiexplorer/ path logged in WebLogic access log. If SSRF is active, outbound connection attempt from WebLogic server to 127.0.0.1:22 visible in network monitoring.
- Test 4WebLogic Admin Console Access Attempt
Expected signal: HTTP GET to /console/login/LoginForm.jsp in WebLogic access logs. Windows Security event logs may show network logon attempts if authentication is attempted. Network flow logs capture the connection.
Unlock Pro Content
Get the full detection package for CVE-2024-21182 including response playbook, investigation guide, and atomic red team tests.