Suspicious Child Process of SAP NetWeaver - Linux

Detects suspicious child processes spawned by SAP NetWeaver on Linux systems that could indicate potential exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.

Sigma rule (View on GitHub)

 1title: Suspicious Child Process of SAP NetWeaver - Linux
 2id: 69dea60b-2deb-4c9e-a685-ad542f4367f9
 3status: experimental
 4description: |
 5    Detects suspicious child processes spawned by SAP NetWeaver on Linux systems that could indicate potential
 6    exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.    
 7author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
 8date: 2025-04-28
 9tags:
10    - attack.initial-access
11    - attack.t1190
12    - attack.persistence
13    - attack.t1059.003
14    - cve.2025-31324
15    - detection.emerging-threats
16references:
17    - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
18    - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
19logsource:
20    category: process_creation
21    product: linux
22detection:
23    selection_parent_img:
24        ParentImage|contains:
25            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work'
26            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root'
27    selection_current_dict:
28        CurrentDirectory|contains:
29            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work'
30            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root'
31    selection_child:
32        Image|endswith:
33            - '/ash'
34            - '/bash'
35            - '/csh'
36            - '/dash'
37            - '/ksh'
38            - '/sh'
39            - '/tcsh'
40            - '/zsh'
41            - '/python'
42            - '/python2'
43            - '/python3'
44            - '/perl'
45            - '/ruby'
46            - '/curl'
47            - '/wget'
48            - '/nc'
49            - '/netcat'
50            - '/ncat'
51            - '/socat'
52            - '/nmap'
53            - '/telnet'
54            - '/awk'
55            - '/sed'
56    condition: (selection_parent_img or selection_current_dict) and selection_child
57falsepositives:
58    - Legitimate administrative activities such as software updates
59level: medium

References

Related rules

to-top