Suspicious Child Process of SAP NetWeaver - Linux
Detects suspicious child processes (shells, scripting interpreters, download and networking tools) spawned by SAP NetWeaver on Linux systems. Such processes can indicate exploitation of a vulnerability that allows arbitrary command execution via webshells, such as CVE-2025-31324.
Sigma rule
```yaml
title: Suspicious Child Process of SAP NetWeaver - Linux
id: 69dea60b-2deb-4c9e-a685-ad542f4367f9
status: experimental
description: |
    Detects suspicious child processes spawned by SAP NetWeaver on Linux systems that could indicate
    exploitation of a vulnerability that allows arbitrary command execution via webshells, such as CVE-2025-31324.
author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-28
tags:
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    # T1059.004 (Unix Shell) is the sub-technique for Linux; T1059.003 is Windows Command Shell
    - attack.t1059.004
    - cve.2025-31324
    - detection.emerging-threats
references:
    - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
    - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
logsource:
    category: process_creation
    product: linux
detection:
    # Either the parent executable or the working directory points into the
    # directories where the webshells were dropped (irj/work, irj/root).
    selection_parent_img:
        ParentImage|contains:
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work'
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root'
    selection_current_dict:
        CurrentDirectory|contains:
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work'
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root'
    # ...and the child is a shell, interpreter, download or networking tool.
    selection_child:
        Image|endswith:
            - '/ash'
            - '/bash'
            - '/csh'
            - '/dash'
            - '/ksh'
            - '/sh'
            - '/tcsh'
            - '/zsh'
            - '/python'
            - '/python2'
            - '/python3'
            - '/perl'
            - '/ruby'
            - '/curl'
            - '/wget'
            - '/nc'
            - '/netcat'
            - '/ncat'
            - '/socat'
            - '/nmap'
            - '/telnet'
            - '/awk'
            - '/sed'
    condition: (selection_parent_img or selection_current_dict) and selection_child
falsepositives:
    - Legitimate administrative activities such as software updates
level: medium
```
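To see which events the condition actually catches, the following added example (not the rule's own code and not SigmaHQ or pySigma tooling) transcribes the three selections and evaluates them, with Sigma's default case-insensitive string matching, over constructed Linux process_creation events. The `/usr/sap/NW1/J00/...` path prefix and the event contents are made up for illustration.

```python
# Added example (not the Sigma rule's own code or SigmaHQ/pySigma tooling):
# a minimal evaluator for the three selections and the condition of the
# rule above, run over constructed Linux process_creation events.
from typing import Dict, List

WEBSHELL_DIRS = [
    "/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work",
    "/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root",
]

SUSPICIOUS_CHILDREN = [
    "/ash", "/bash", "/csh", "/dash", "/ksh", "/sh", "/tcsh", "/zsh",
    "/python", "/python2", "/python3", "/perl", "/ruby",
    "/curl", "/wget", "/nc", "/netcat", "/ncat", "/socat", "/nmap", "/telnet",
    "/awk", "/sed",
]

# The rule's detection block, transcribed one-to-one.
DETECTION = {
    "selection_parent_img": {"ParentImage|contains": WEBSHELL_DIRS},
    "selection_current_dict": {"CurrentDirectory|contains": WEBSHELL_DIRS},
    "selection_child": {"Image|endswith": SUSPICIOUS_CHILDREN},
}


def field_matches(event: dict, key: str, values: List[str]) -> bool:
    """Sigma field/modifier semantics: a list of values is OR-ed, and plain
    string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values:
        value = value.lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def selection_matches(event: dict, selection: dict) -> bool:
    """All field/modifier pairs inside one selection map must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def fired_selections(event: dict) -> List[str]:
    """Names of the selections that match; handy when triaging an alert."""
    return [name for name, sel in DETECTION.items() if selection_matches(event, sel)]


def rule_matches(event: dict) -> bool:
    """condition: (selection_parent_img or selection_current_dict) and selection_child"""
    fired = set(fired_selections(event))
    return (bool(fired & {"selection_parent_img", "selection_current_dict"})
            and "selection_child" in fired)


# Constructed events (not real telemetry). Field names follow the Sigma
# process_creation taxonomy; the SID/instance path prefix is made up.
SAMPLE_EVENTS = [
    {   # shell launched with the webshell directory as its working directory
        "id": "cwd-sh",
        "ParentImage": "/usr/sap/NW1/J00/exe/sapjvm_8/bin/java",
        "CurrentDirectory": "/usr/sap/NW1/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root",
        "Image": "/bin/sh",
    },
    {   # download tool whose parent image sits under irj/work
        "id": "parent-curl",
        "ParentImage": "/usr/sap/NW1/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/tmp/x",
        "CurrentDirectory": "/tmp",
        "Image": "/usr/bin/curl",
    },
    {   # right directory, but the child is not on the list
        "id": "cwd-ls",
        "ParentImage": "/usr/sap/NW1/J00/exe/sapjvm_8/bin/java",
        "CurrentDirectory": "/usr/sap/NW1/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root",
        "Image": "/usr/bin/ls",
    },
    {   # shell from the Java process, but nothing points at the webshell paths
        "id": "java-bash-elsewhere",
        "ParentImage": "/usr/sap/NW1/J00/exe/sapjvm_8/bin/java",
        "CurrentDirectory": "/usr/sap/NW1/J00/j2ee/cluster/server0",
        "Image": "/bin/bash",
    },
    {   # mixed case: Sigma matching is case-insensitive, so this still fires
        "id": "mixed-case",
        "ParentImage": "/usr/sap/NW1/J00/exe/sapjvm_8/bin/java",
        "CurrentDirectory": "/usr/sap/NW1/J00/J2EE/cluster/apps/SAP.com/irj/servlet_jsp/irj/work",
        "Image": "/usr/bin/python3",
    },
]


def evaluate(events: List[dict]) -> Dict[str, bool]:
    return {e["id"]: rule_matches(e) for e in events}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f'{ev["id"]:<20} match={rule_matches(ev)!s:<5} fired={fired_selections(ev)}')
```

Two things worth checking against your own telemetry before deploying the rule: the parent-image branch only fires if the source records the full executable path of the parent, and the working-directory branch only fires if the source populates `CurrentDirectory` for the child. The `fired_selections` output tells you which branch produced a given alert, which is the first thing to look at when separating a webshell from the "software updates" false positive the rule names.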
Related rules
- Potential SAP NetWeaver Webshell Creation
- Potential SAP NetWeaver Webshell Creation - Linux
- Suspicious Child Process of SAP NetWeaver
- Potential SAP NetViewer Webshell Command Execution
- Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)