Suspicious Child Process of SAP NetWeaver

Detects suspicious child processes spawned by SAP NetWeaver that could indicate potential exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.

Sigma rule (View on GitHub)

 1title: Suspicious Child Process of SAP NetWeaver
 2id: 5b304bcb-ac33-49d0-87af-fa1b3ca94333
 3status: experimental
 4description: |
 5    Detects suspicious child processes spawned by SAP NetWeaver that could indicate potential
 6    exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.    
 7author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
 8date: 2025-04-28
 9tags:
10    - attack.initial-access
11    - attack.t1190
12    - attack.persistence
13    - attack.t1059.003
14    - cve.2025-31324
15    - detection.emerging-threats
16references:
17    - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
18    - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_parent_img:
24        ParentImage|contains:
25            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work'
26            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root'
27    selection_current_dict:
28        CurrentDirectory|contains:
29            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work'
30            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root'
31    selection_child:
32        Image|endswith:
33            - '\cmd.exe'
34            - '\powershell.exe'
35            - '\powershell_ise.exe'
36            - '\pwsh.exe'
37            - '\wscript.exe'
38            - '\cscript.exe'
39            - '\regsvr32.exe'
40            - '\rundll32.exe'
41            - '\mshta.exe'
42            - '\certutil.exe'
43            - '\bitsadmin.exe'
44            - '\python.exe'
45    condition: (selection_parent_img or selection_current_dict) and selection_child
46falsepositives:
47    - Legitimate administrative activities such as software updates
48level: medium

References

Related rules

to-top