Detectionhightest

Potential SpEL Injection In Spring Framework

Detects potential SpEL Injection exploitation, which may lead to RCE.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Moti HarmatsCreated Sat Feb 11e9edd087-89d8-48c9-b0b4-5b9bb10896b8application

Log Source

springapplication

Productspring← raw: spring

Categoryapplication← raw: application

Definition

Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)

Detection Logic

detection:
    keywords:
        - 'org.springframework.expression.ExpressionException'
    condition: keywords

False Positives

Application bugs

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

e9edd087-89d8-48c9-b0b4-5b9bb10896b8

Status

test

Level

high

Type

Detection

Created

Sat Feb 11

Author

Path

rules/application/spring/spring_spel_injection.yml

Raw Tags

attack.initial-accessattack.t1190