Potential SAP NetViewer Webshell Command Execution
Detects potential command execution via a webshell in SAP NetWeaver through JSP files called with a cmd parameter. The rule was created to detect exploitation of vulnerabilities such as CVE-2025-31324, which allows remote code execution via a webshell.
Sigma rule
```yaml
title: Potential SAP NetViewer Webshell Command Execution
id: 94e12f41-6cb3-45c5-97b1-c783a7bf2e72
status: experimental
description: |
    Detects potential command execution via webshell in SAP NetViewer through JSP files with cmd parameter.
    This rule is created to detect exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution via a webshell.
references:
    - https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-14
tags:
    - attack.persistence
    - attack.t1505.003
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
    - cve.2025-31324
logsource:
    category: webserver
detection:
    selection_uri:
        cs-uri-stem|contains|all:
            - '/irj/'
            - '.jsp'
    selection_query:
        - cs-uri-query|startswith:
              - 'cmd='
              - 'command='
              - 'exec_cmd='
              - 'exec='
        - cs-uri-query|contains:
              - '/dev/tcp'
              - '/etc/passwd'
              - '%2fdev%2ftcp' # URL encoded of /dev/tcp
              - '%2fetc%2fpasswd' # URL encoded of /etc/passwd
              - '=uname'
              - '=whoami'
              - 'ifconfig'
              - 'ping'
              - 'pwd'
        - cs-uri-query|contains|all:
              - 'echo'
              - 'base64'
    condition: all of selection_*
falsepositives:
    - Legitimate applications using cmd parameter for non-malicious purposes
level: high
```
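The rule's logic worked through in plain Python, as an added example that is not code from the Sigma project or the rule's author: the three `selection_query` entries are ORed together, then ANDed with `selection_uri`, and evaluated over constructed W3C-style log lines. The log layout, the `WebRequest` type and the helper names are assumptions made for this example.

```python
# Added example: a plain-Python matcher for the rule above, not code from the
# Sigma project. Field names follow the rule's webserver logsource; the
# W3C-style log layout and all sample lines below are constructed.
from typing import NamedTuple

# Values copied from the rule's selections. Sigma string matching is
# case-insensitive, so both sides are lower-cased before comparison.
STEM_ALL = ("/irj/", ".jsp")
QUERY_STARTSWITH = ("cmd=", "command=", "exec_cmd=", "exec=")
QUERY_CONTAINS = ("/dev/tcp", "/etc/passwd", "%2fdev%2ftcp", "%2fetc%2fpasswd",
                  "=uname", "=whoami", "ifconfig", "ping", "pwd")
QUERY_CONTAINS_ALL = ("echo", "base64")

class WebRequest(NamedTuple):
    cs_uri_stem: str
    cs_uri_query: str

def parse_w3c_line(line: str) -> WebRequest:
    """Constructed layout: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    f = line.split()
    if len(f) < 7:
        raise ValueError(f"unexpected field count: {line!r}")
    return WebRequest(f[4], "" if f[5] == "-" else f[5])

def selection_uri(req: WebRequest) -> bool:
    stem = req.cs_uri_stem.lower()
    return all(s in stem for s in STEM_ALL)              # cs-uri-stem|contains|all

def selection_query(req: WebRequest) -> bool:
    q = req.cs_uri_query.lower()
    return (q.startswith(QUERY_STARTSWITH)                # cs-uri-query|startswith
            or any(s in q for s in QUERY_CONTAINS)        # cs-uri-query|contains
            or all(s in q for s in QUERY_CONTAINS_ALL))   # cs-uri-query|contains|all

def matches(req: WebRequest) -> bool:
    """condition: all of selection_* -> selection_uri AND selection_query."""
    return selection_uri(req) and selection_query(req)

def alert_lines(lines):
    """Return the log lines the rule would fire on."""
    return [ln for ln in lines if matches(parse_w3c_line(ln))]

SAMPLE_LOG = [  # constructed, not real traffic
    "2025-05-14 10:00:01 203.0.113.7 GET /irj/example.jsp cmd=whoami 200",
    "2025-05-14 10:00:02 203.0.113.7 GET /irj/example.jsp f=%2Fetc%2Fpasswd 200",
    "2025-05-14 10:00:03 198.51.100.9 GET /other/app.jsp cmd=whoami 200",
    "2025-05-14 10:00:04 198.51.100.9 GET /irj/portal - 200",
    "2025-05-14 10:00:05 198.51.100.9 GET /irj/help.jsp topic=shipping 200",
]
```

Running `alert_lines(SAMPLE_LOG)` returns the first, second and last lines: the last fires only because `ping` is a bare substring of `shipping`, which is the kind of benign hit the rule's `falsepositives` entry refers to and why the `/irj/` plus `.jsp` stem condition is required as well.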
Related rules
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- Oracle WebLogic Exploit
- Potential Java WebShell Upload in SAP NetViewer Server
- Suspicious Process By Web Server Process
- Exchange WebShell Creation