Potential SAP NetWeaver WebShell Creation

 1[metadata]
 2creation_date = "2025/04/26"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2025/04/26"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies suspicious Java file creation in the IRJ directory of the SAP NetWeaver application. This may indicate an attempt to deploy a webshell.
11"""
12from = "now-9m"
13index = ["auditbeat-*", "logs-endpoint.events.file*"]
14language = "eql"
15license = "Elastic License v2"
16name = "Potential SAP NetWeaver WebShell Creation"
17references = [
18    "https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/",
19    "https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/"
20]
21risk_score = 73
22rule_id = "f7d588ba-e4b0-442e-879d-7ec39fbd69c5"
23severity = "high"
24tags = [
25    "Domain: Endpoint",
26    "OS: Linux",
27    "OS: Windows",
28    "Use Case: Threat Detection",
29    "Tactic: Execution",
30    "Use Case: Vulnerability",
31    "Data Source: Elastic Defend",
32    "Resources: Investigation Guide",
33]
34timestamp_override = "event.ingested"
35type = "eql"
36
37query = '''
38file where host.os.type in ("linux", "windows") and event.action == "creation" and
39 file.extension : ("jsp", "java", "class") and
40 file.path : ("/*/sap.com/*/servlet_jsp/irj/root/*",
41              "/*/sap.com/*/servlet_jsp/irj/work/*",
42              "?:\\*\\sap.com\\*\\servlet_jsp\\irj\\root\\*",
43              "?:\\*\\sap.com\\*\\servlet_jsp\\irj\\work\\*")
44'''
45note = """## Triage and analysis
46
47### Investigating Potential SAP NetWeaver WebShell Creation
48
49### Possible investigation steps
50
51- Examine the file creation event and the associated HTTP post request logs details to identify the source of the creation.
52- Examine the process tree to verify the parent-child relationship between the Java process and any suspicious child processes such as shell scripts or scripting languages (e.g., sh, bash, curl, python).
53- Check the command line arguments and environment variables of the suspicious child processes to identify any potentially malicious payloads or commands being executed.
54- Investigate the host's recent activity and logs for any other indicators of compromise or unusual behavior that might correlate with the suspected exploitation attempt.
55- Assess the system for any unauthorized changes or new files that may have been introduced as a result of the exploitation attempt, focusing on JSP files under the IRJ root directory.
56
57
58### Response and remediation
59
60- Immediately isolate the affected host from the network to prevent further outbound connections and potential lateral movement.
61- Terminate any suspicious Java processes identified in the alert, especially those making outbound connections to LDAP, RMI, or DNS ports.
62- Conduct a thorough review of the affected system for any unauthorized changes or additional malicious processes, focusing on child processes like shell scripts or scripting languages.
63- Restore the affected system from a known good backup if unauthorized changes or malware are detected.
64- Update and patch Java and any related applications to the latest versions to mitigate known vulnerabilities.
65- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""
66
67
68[[rule.threat]]
69framework = "MITRE ATT&CK"
70[[rule.threat.technique]]
71id = "T1059"
72name = "Command and Scripting Interpreter"
73reference = "https://attack.mitre.org/techniques/T1059/"
74[[rule.threat.technique.subtechnique]]
75id = "T1059.007"
76name = "JavaScript"
77reference = "https://attack.mitre.org/techniques/T1059/007/"
78
79
80[[rule.threat.technique]]
81id = "T1203"
82name = "Exploitation for Client Execution"
83reference = "https://attack.mitre.org/techniques/T1203/"
84
85
86[rule.threat.tactic]
87id = "TA0002"
88name = "Execution"
89reference = "https://attack.mitre.org/tactics/TA0002/"