
Summary
This detection rule addresses exploitation of the WebLogic CVE-2017-10271 vulnerability, specifically the attackers' use of a reverse shell to establish remote command and control. The rule uses both Sysmon and endpoint data to identify PowerShell command lines indicative of this exploitation. Key indicators include a PowerShell process launched with arguments typical of a reverse shell, such as hidden execution and command execution through `cmd.exe`. The analytic filters for specific process and command-line characteristics associated with this threat vector. In addition, the rule performs a DNS lookup to enrich the alert with the hostname resolved from the identified source IP. Finally, the rule aligns with tactics of known threat actors such as APT29, known for their advanced persistent threat capabilities against Microsoft WebLogic servers.
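The detection logic described above, written out as an added Python example (not the rule's own search and not code from the original page): it scans constructed Sysmon-style process-creation records for a PowerShell process whose command line combines a hidden window with execution through `cmd.exe`, records which indicators fired, and enriches each hit with a reverse DNS lookup of the source IP. The event field names, the sample records, the optional `java.exe` parent-process context check and the `table_resolver` helper are all assumptions made for this example; in production the resolver would be `socket.gethostbyaddr`.

```python
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed Sysmon Event ID 1 style records (hypothetical sample data).
SAMPLE_EVENTS = [
    {   # hidden PowerShell spawning cmd.exe from a JVM: should alert
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Oracle\Middleware\jdk\bin\java.exe",
        "CommandLine": 'powershell.exe -NoP -W Hidden -c "cmd.exe /c whoami"',
        "SourceIp": "203.0.113.10",
    },
    {   # ordinary scheduled script: hidden/cmd indicators absent, no alert
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1",
        "SourceIp": "192.0.2.5",
    },
    {   # not PowerShell at all: ignored by the filter
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'cmd.exe /c "dir"',
        "SourceIp": "192.0.2.5",
    },
]

# Hidden-window switch in either its short or long form (case-insensitive).
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
# Command execution handed to cmd.exe (with or without the .exe suffix).
CMD_RE = re.compile(r"(?i)\bcmd(?:\.exe)?\s+/c\b")


@dataclass
class Alert:
    command_line: str
    source_ip: str
    hostname: Optional[str]
    indicators: List[str] = field(default_factory=list)


def is_powershell(event: Dict[str, str]) -> bool:
    return event["Image"].lower().endswith(("powershell.exe", "pwsh.exe"))


def match_event(event: Dict[str, str]) -> Optional[List[str]]:
    """Return the list of indicators that fired, or None if the event does not match.

    Both the hidden-window and the cmd.exe indicators are required; the
    java.exe parent check is added context only (assumption: WebLogic runs in a JVM).
    """
    if not is_powershell(event):
        return None
    cl = event["CommandLine"]
    indicators = []
    if HIDDEN_RE.search(cl):
        indicators.append("hidden_window")
    if CMD_RE.search(cl):
        indicators.append("cmd_exe_child")
    if event["ParentImage"].lower().endswith("java.exe"):
        indicators.append("java_parent")
    if "hidden_window" in indicators and "cmd_exe_child" in indicators:
        return indicators
    return None


def resolve_ip(ip: str, resolver: Callable = socket.gethostbyaddr) -> Optional[str]:
    """Reverse-resolve the source IP; a failed lookup enriches with None rather than failing the alert."""
    try:
        return resolver(ip)[0]
    except (OSError, KeyError):  # socket.herror/gaierror are OSError subclasses
        return None


def table_resolver(table: Dict[str, str]) -> Callable:
    """Offline stand-in for socket.gethostbyaddr built from a constructed PTR table."""
    return lambda ip: (table[ip], [], [ip])


def detect(events: List[Dict[str, str]], resolver: Callable = socket.gethostbyaddr) -> List[Alert]:
    alerts = []
    for ev in events:
        indicators = match_event(ev)
        if indicators:
            alerts.append(Alert(ev["CommandLine"], ev["SourceIp"],
                                resolve_ip(ev["SourceIp"], resolver), indicators))
    return alerts


if __name__ == "__main__":
    # Constructed PTR table so the example runs without network access.
    offline = table_resolver({"203.0.113.10": "weblogic-01.corp.example"})
    for alert in detect(SAMPLE_EVENTS, resolver=offline):
        print(f"{alert.source_ip} ({alert.hostname}): {alert.indicators}")
        print(f"  {alert.command_line}")
```

Requiring both indicators keeps ordinary hidden-window maintenance scripts and plain `cmd /c` wrappers out of the alert stream; the parent-process context is attached to the alert for the analyst rather than used as a filter, so a WebLogic instance launched under a differently named JVM binary is not silently missed.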
Categories
- Web
- Cloud
- Network
Data Sources
- Process
- File
- Command
- Windows Registry
- Network Traffic
ATT&CK Techniques
- T1190
- T1059.001
Created: 2024-02-09