Potential OGNL Injection Exploitation In JVM Based Application
Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the root cause of some high profile RCEs such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134).
Sigma rule
```yaml
title: Potential OGNL Injection Exploitation In JVM Based Application
id: 4d0af518-828e-4a04-a751-a7d03f3046ad
status: test
description: |
    Detects potential OGNL Injection exploitation, which may lead to RCE.
    OGNL is an expression language that is supported in many JVM based systems.
    OGNL Injection is the root cause of some high profile RCEs such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)
references:
    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2017-5638
    - cve.2022-26134
logsource:
    category: application
    product: jvm
    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
    keywords:
        - 'org.apache.commons.ognl.OgnlException'
        - 'ExpressionSyntaxException'
    condition: keywords
falsepositives:
    - Application bugs
level: high
```
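To make the detection concrete, here is an added Python example (not part of the Sigma rule or of the SigmaHQ project) that applies the rule's two keywords the way Sigma backends typically compile a `keywords` block: a case-insensitive substring match anywhere in the log line, OR-ed across the list. The log lines are constructed for this example, and `looks_like_payload` is a triage heuristic of my own, not part of the rule: it flags hits that carry tokens common in OGNL RCE payloads (`#_memberAccess`, `@java.lang.Runtime`), which helps separate the rule's stated false positive, ordinary application bugs, from probing by an attacker.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# The two keywords of the Sigma rule, copied verbatim.
KEYWORDS = (
    "org.apache.commons.ognl.OgnlException",
    "ExpressionSyntaxException",
)

# Tokens typical of OGNL RCE payloads. This is my triage heuristic for
# prioritising hits; it is not part of the Sigma rule above.
PAYLOAD_TOKENS = (
    "#_memberAccess",
    "@java.lang.Runtime",
    "@java.lang.ProcessBuilder",
    "getRuntime(",
    ".exec(",
)


@dataclass
class Hit:
    line_no: int        # 1-based position in the scanned log
    keyword: str        # which rule keyword fired (rule spelling, not log spelling)
    line: str           # the matching log line, trailing whitespace stripped
    payload_like: bool  # triage: does the line carry payload tokens?


def compile_keywords(keywords: Iterable[str] = KEYWORDS) -> "re.Pattern[str]":
    """One alternation over all keywords. re.escape keeps the dots of the
    class name literal; IGNORECASE mirrors Sigma's default case-insensitive
    string matching."""
    return re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)


def looks_like_payload(line: str) -> bool:
    """Case-insensitive check for tokens commonly seen in OGNL RCE payloads."""
    low = line.lower()
    return any(tok.lower() in low for tok in PAYLOAD_TOKENS)


def scan(lines: Iterable[str], keywords: Iterable[str] = KEYWORDS) -> List[Hit]:
    """Apply the rule: a line is a hit if any keyword appears anywhere in it
    (Sigma `condition: keywords` is an OR over the keyword list)."""
    keywords = tuple(keywords)
    pat = compile_keywords(keywords)
    hits: List[Hit] = []
    for n, raw in enumerate(lines, 1):
        m = pat.search(raw)
        if not m:
            continue
        # Report the keyword in the rule's spelling even if the log differs in case.
        fired = next(k for k in keywords if k.lower() == m.group(0).lower())
        hits.append(Hit(n, fired, raw.rstrip(), looks_like_payload(raw)))
    return hits


# Constructed sample log (not real application output). Lines 3 and 5 should
# fire; line 3 looks like a probe, line 5 looks like an ordinary null-source bug.
SAMPLE_LOG = """\
2023-02-11 10:14:02,118 INFO  [http-nio-8080-exec-3] c.e.app.OrderController - order 1842 created
2023-02-11 10:14:05,402 ERROR [http-nio-8080-exec-7] c.e.app.ExprController - failed to evaluate expression
ognl.ExpressionSyntaxException: Malformed OGNL expression: %{(#_memberAccess['allowStaticMethodAccess']=true).(@java.lang.Runtime@getRuntime().exec('id'))
2023-02-11 10:14:09,017 ERROR [http-nio-8080-exec-2] c.e.app.ReportService - template render failed
org.apache.commons.ognl.OgnlException: source is null for getProperty(null, "total")
2023-02-11 10:14:11,300 WARN  [http-nio-8080-exec-5] c.e.app.Auth - bad password for user bob
"""


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        tag = "PAYLOAD-LIKE" if h.payload_like else "review"
        print(f"line {h.line_no}: {h.keyword} [{tag}] {h.line}")
```

One caveat the sample makes visible: the first keyword names the Apache Commons OGNL package, but applications that bundle the standalone OGNL library (Struts 2 among them) log exceptions from the `ognl` package, so `ognl.OgnlException` on its own matches neither keyword and only syntax errors (`ExpressionSyntaxException`, which the rule lists unqualified) are caught there. Check which OGNL implementation the monitored application ships before relying on the first keyword.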
Related rules
- Atlassian Confluence CVE-2022-26134
- Java Payload Strings
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - ProcessCreation
- Apache Spark Shell Command Injection - Weblogs