← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potential OGNL Injection Exploitation In JVM Based Application

Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1190
Rule sourcerules/application/jvm/java_ognl_injection_exploitation_attempt.yml
title: Potential OGNL Injection Exploitation In JVM Based Application
id: 4d0af518-828e-4a04-a751-a7d03f3046ad
status: test
description: |
    Detects potential OGNL Injection exploitation, which may lead to RCE.
    OGNL is an expression language that is supported in many JVM based systems.
    OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)
references:
    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2017-5638
    - cve.2022-26134
logsource:
    category: application
    product: jvm
    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
    keywords:
        - 'org.apache.commons.ognl.OgnlException'
        - 'ExpressionSyntaxException'
    condition: keywords
falsepositives:
    - Application bugs
level: high