Potential SAP NetWeaver Exploitation
Identifies suspicious processes spawned from the SAP NetWeaver application. This may indicate an attempt to execute commands via webshell.
Elastic rule
[metadata]
creation_date = "2025/04/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/04/26"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious processes spawned from the SAP NetWeaver application. This may indicate an attempt to execute commands via webshell.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential SAP NetWeaver Exploitation"
references = [
 "https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/",
 "https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/"
]
risk_score = 73
rule_id = "23c53c4c-aa8b-4b07-85c0-fe46a9c8acaf"
severity = "high"
tags = [
 "Domain: Endpoint",
 "OS: Linux",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Execution",
 "Use Case: Vulnerability",
 "Data Source: Elastic Defend",
 "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type == "start" and host.os.type in ("linux", "windows") and
 process.name : ("sh",
 "bash",
 "dash",
 "ksh",
 "tcsh",
 "zsh",
 "curl",
 "perl*",
 "python*",
 "ruby*",
 "php*",
 "wget",
 "cmd.exe",
 "powershell.exe",
 "rundll32.exe",
 "msbuild.exe",
 "curl.exe",
 "certutil.exe") and
 (
 process.working_directory : ("/*/sap.com*/servlet_jsp/irj/*", "*\\sap.com*\\servlet_jsp\\irj\\*") or
 process.command_line : ("*/sap.com*/servlet_jsp/irj/*", "*\\sap.com*\\servlet_jsp\\irj\\*") or
 process.parent.command_line : ("*/sap.com*/servlet_jsp/irj/*", "*\\sap.com*\\servlet_jsp\\irj\\*")
 )
'''
note = """## Triage and analysis

### Investigating Potential SAP NetWeaver Exploitation

### Possible investigation steps

- Examine the process tree to verify the parent-child relationship between the Java process and any suspicious child processes such as shell scripts or scripting languages (e.g., sh, bash, curl, python).
- Check the command line arguments and environment variables of the suspicious child processes to identify any potentially malicious payloads or commands being executed.
- Investigate the host's recent activity and logs for any other indicators of compromise or unusual behavior that might correlate with the suspected exploitation attempt.
- Assess the system for any unauthorized changes or new files that may have been introduced as a result of the exploitation attempt, focusing on JSP files under the IRJ root directory.


### Response and remediation

- Immediately isolate the affected host from the network to prevent further outbound connections and potential lateral movement.
- Terminate any suspicious Java processes identified in the alert, especially those making outbound connections to LDAP, RMI, or DNS ports.
- Conduct a thorough review of the affected system for any unauthorized changes or additional malicious processes, focusing on child processes like shell scripts or scripting languages.
- Restore the affected system from a known good backup if unauthorized changes or malware are detected.
- Update and patch Java and any related applications to the latest versions to mitigate known vulnerabilities.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.007"
name = "JavaScript"
reference = "https://attack.mitre.org/techniques/T1059/007/"


[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
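To see which process events the query above would actually alert on, the following re-implements its three conditions (interpreter name list, IRJ path wildcards, EQL's case-insensitive `:` match) in Python and runs them over a handful of constructed events. This is added example code, not Elastic's rule or test suite; the SID "J2E", instance "J00", install paths and command lines are illustrative assumptions.

```python
"""Offline check of the rule's EQL conditions (added example, not Elastic's code)."""
from fnmatch import fnmatchcase

# process.name list from the rule, wildcards as written in the EQL query.
INTERPRETERS = ["sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "perl*",
                "python*", "ruby*", "php*", "wget", "cmd.exe", "powershell.exe",
                "rundll32.exe", "msbuild.exe", "curl.exe", "certutil.exe"]
# IRJ servlet path patterns from the rule, Linux and Windows forms.
IRJ_CWD = ["/*/sap.com*/servlet_jsp/irj/*", r"*\sap.com*\servlet_jsp\irj\*"]
IRJ_CMD = ["*/sap.com*/servlet_jsp/irj/*", r"*\sap.com*\servlet_jsp\irj\*"]

def eql_match(value, patterns):
    """EQL ':' semantics: case-insensitive wildcard match against any pattern."""
    return value is not None and any(
        fnmatchcase(value.lower(), p.lower()) for p in patterns)

def matches_rule(ev):
    """True when a process event satisfies the rule's query."""
    if ev.get("event.type") != "start" or ev.get("host.os.type") not in ("linux", "windows"):
        return False
    if not eql_match(ev.get("process.name"), INTERPRETERS):
        return False
    return (eql_match(ev.get("process.working_directory"), IRJ_CWD)
            or eql_match(ev.get("process.command_line"), IRJ_CMD)
            or eql_match(ev.get("process.parent.command_line"), IRJ_CMD))

def alerts(events):
    """Indices of the events that would raise this alert."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]

# Constructed sample events; SID "J2E", instance "J00" and the paths are illustrative.
IRJ_LINUX = "/usr/sap/J2E/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root"
IRJ_WIN = r"C:\usr\sap\J2E\J00\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root"
SAMPLE_EVENTS = [
    # 0: shell started with the IRJ root as its working directory -> alert
    {"event.type": "start", "host.os.type": "linux", "process.name": "sh",
     "process.working_directory": IRJ_LINUX, "process.command_line": "sh -c hostname"},
    # 1: cmd.exe whose parent's command line references the IRJ path -> alert
    {"event.type": "start", "host.os.type": "windows", "process.name": "cmd.exe",
     "process.parent.command_line": "java.exe -Duser.dir=" + IRJ_WIN},
    # 2: the Java server itself is not in the interpreter list -> no alert
    {"event.type": "start", "host.os.type": "linux", "process.name": "java",
     "process.working_directory": IRJ_LINUX},
    # 3: interpreter run from an unrelated directory -> no alert
    {"event.type": "start", "host.os.type": "linux", "process.name": "python3",
     "process.working_directory": "/home/j2eadm", "process.command_line": "python3 backup.py"},
    # 4: versioned perl binary is caught by the "perl*" wildcard -> alert
    {"event.type": "start", "host.os.type": "linux", "process.name": "perl5.34",
     "process.working_directory": IRJ_LINUX},
]
```

Events 2 and 3 show why both halves of the query matter: the Java server process in the IRJ directory and an interpreter outside it are each silent, and only an interpreter tied to the IRJ servlet path fires.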
Related rules
- Potential SAP NetWeaver WebShell Creation
- Deprecated - Potential curl CVE-2023-38545 Exploitation
- File Creation by Cups or Foomatic-rip Child
- Printer User (lp) Shell Execution
- GenAI Process Compiling or Generating Executables