Suspicious Child Process of SAP NetWeaver - Linux
Detects suspicious child processes spawned by SAP NetWeaver on Linux systems that could indicate exploitation of a vulnerability that allows arbitrary code execution via webshells, such as CVE-2025-31324.
Sigma rule
```yaml
title: Suspicious Child Process of SAP NetWeaver - Linux
id: 69dea60b-2deb-4c9e-a685-ad542f4367f9
status: experimental
description: |
    Detects suspicious child processes spawned by SAP NetWeaver on Linux systems that could indicate potential
    exploitation of a vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.
author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-28
tags:
    - attack.execution
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1059.003
    - cve.2025-31324
    - detection.emerging-threats
references:
    - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
    - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent_img:
        ParentImage|contains:
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work'
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root'
    selection_current_dict:
        CurrentDirectory|contains:
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work'
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root'
    selection_child:
        Image|endswith:
            - '/ash'
            - '/bash'
            - '/csh'
            - '/dash'
            - '/ksh'
            - '/sh'
            - '/tcsh'
            - '/zsh'
            - '/python'
            - '/python2'
            - '/python3'
            - '/perl'
            - '/ruby'
            - '/curl'
            - '/wget'
            - '/nc'
            - '/netcat'
            - '/ncat'
            - '/socat'
            - '/nmap'
            - '/telnet'
            - '/awk'
            - '/sed'
    condition: (selection_parent_img or selection_current_dict) and selection_child
falsepositives:
    - Legitimate administrative activities such as software updates
level: medium
```
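To make the detection logic concrete, the following is an added example (not part of the Sigma rule above or of the SigmaHQ project): a small Python matcher that applies the rule's three selections and its condition to `process_creation` events represented as dicts, and runs it over a handful of constructed sample events. Field names follow the rule (`ParentImage`, `CurrentDirectory`, `Image`); the SAP instance paths in the samples are hypothetical. Sigma's `contains` and `endswith` modifiers are case-insensitive by default, so the matcher lowercases both sides before comparing.

```python
# Added example, not the Sigma rule's own code or a Sigma backend: applies the
# rule's selections and condition to process_creation events given as dicts.
# Sigma string modifiers (contains, endswith) are case-insensitive by default,
# so every comparison is done on lowercased values.

SAP_IRJ_PATHS = (
    "/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work",
    "/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root",
)

SUSPICIOUS_CHILD_SUFFIXES = (
    "/ash", "/bash", "/csh", "/dash", "/ksh", "/sh", "/tcsh", "/zsh",
    "/python", "/python2", "/python3", "/perl", "/ruby",
    "/curl", "/wget", "/nc", "/netcat", "/ncat", "/socat", "/nmap", "/telnet",
    "/awk", "/sed",
)


def _field(event: dict, name: str) -> str:
    """Return a field as a lowercased string; a missing field never matches."""
    return str(event.get(name, "")).lower()


def selection_parent_img(event: dict) -> bool:
    """ParentImage|contains one of the irj servlet_jsp work/root paths."""
    parent = _field(event, "ParentImage")
    return any(p in parent for p in SAP_IRJ_PATHS)


def selection_current_dict(event: dict) -> bool:
    """CurrentDirectory|contains one of the irj servlet_jsp work/root paths."""
    cwd = _field(event, "CurrentDirectory")
    return any(p in cwd for p in SAP_IRJ_PATHS)


def selection_child(event: dict) -> bool:
    """Image|endswith one of the shell / interpreter / network-tool names.

    The leading '/' in each suffix matters: '/sh' must not match
    '/usr/bin/ssh' and '/nc' must not match '/usr/bin/rsync'.
    """
    return _field(event, "Image").endswith(SUSPICIOUS_CHILD_SUFFIXES)


def matches_rule(event: dict) -> bool:
    """condition: (selection_parent_img or selection_current_dict) and selection_child"""
    return (selection_parent_img(event) or selection_current_dict(event)) and selection_child(event)


def evaluate(events) -> list:
    """Return the ids of the events that trigger the rule, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical SAP instance paths, not real telemetry).
SAMPLE_EVENTS = [
    {   # shell spawned with the irj root directory as its cwd: fires
        "id": "evt-1",
        "ParentImage": "/usr/sap/NW1/J00/exe/sapjvm_8/bin/java",
        "CurrentDirectory": "/usr/sap/NW1/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root",
        "Image": "/bin/sh",
    },
    {   # same child, but the working directory is outside the webshell paths: silent
        "id": "evt-2",
        "ParentImage": "/usr/sap/NW1/J00/exe/sapjvm_8/bin/java",
        "CurrentDirectory": "/usr/sap/NW1/J00/work",
        "Image": "/bin/sh",
    },
    {   # irj work directory, but the child is not on the suspicious list: silent
        "id": "evt-3",
        "ParentImage": "/usr/sap/NW1/J00/exe/sapjvm_8/bin/java",
        "CurrentDirectory": "/usr/sap/NW1/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work",
        "Image": "/usr/bin/id",
    },
    {   # matches on ParentImage rather than CurrentDirectory, with mixed case: fires
        "id": "evt-4",
        "ParentImage": "/usr/sap/NW1/J00/J2EE/cluster/apps/sap.com/irj/servlet_jsp/irj/work/helper",
        "CurrentDirectory": "/tmp",
        "Image": "/usr/bin/Python3",
    },
    {   # 'ssh' ends in 'sh' but not in '/sh': silent
        "id": "evt-5",
        "CurrentDirectory": "/usr/sap/NW1/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root",
        "Image": "/usr/bin/ssh",
    },
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], "ALERT" if matches_rule(e) else "-")
```

Running the script prints an alert for `evt-1` and `evt-4` only. In a real pipeline the rule is converted with a Sigma backend (sigma-cli / pySigma) into the SIEM's query language rather than evaluated like this, but the matcher shows two points worth checking in any conversion: the OR between the parent-image and working-directory selections, and the case-insensitive, slash-anchored suffix match on the child image. The rule's stated false positive, administrative activity such as software updates, is best handled with a targeted exclusion (for example on a known maintenance user or parent process) rather than by removing interpreters from `selection_child`.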
Related rules
- Potential SAP NetWeaver Webshell Creation
- Potential SAP NetWeaver Webshell Creation - Linux
- Suspicious Child Process of SAP NetWeaver
- Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
- Potential Exploitation of GoAnywhere MFT Vulnerability