If you are interested, I’ve put a spring4shell exploit capture file on my GitHub.
It might trigger your AV, like Defender (Defender triggers on the webshell code).
First HTTP request in the capture file, is just a test query.
Second HTTP request is the exploit that drops a webshell.
Third HTTP request is using that webshell.Figure 1: just a test request Figure 2: exploit dropping a webshell Figure 3: using the webshell