Merge PR #5416 from @swachchhanda000 - Detection of SAP NetViewer CVE-2025-31324 exploitation via webserver logs

new: Potential SAP NetViewer Webshell Command Execution
new: Potential Java WebShell Upload in SAP NetViewer Server
chore: unpin pySigma validator version

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <nasbench@users.noreply.github.com>

rules-emerging-threats/2025/Exploits/CVE-2025-31324/web_lnx_exploit_cve_2025_31324_sap_netviewer_webshell.yml

@@ -0,0 +1,47 @@
+title: Potential SAP NetViewer Webshell Command Execution
+id: 94e12f41-6cb3-45c5-97b1-c783a7bf2e72
+status: experimental
+description: |
+    Detects potential command execution via webshell in SAP NetViewer through JSP files with cmd parameter.
+    This rule is created to detect exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution via a webshell.
+references:
+    - https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-05-14
+tags:
+    - attack.persistence
+    - attack.t1505.003
+    - attack.initial-access
+    - attack.t1190
+    - detection.emerging-threats
+    - cve.2025-31324
+logsource:
+    category: webserver
+detection:
+    selection_uri:
+        cs-uri-stem|contains|all:
+            - '/irj/'
+            - '.jsp'
+    selection_query:
+        - cs-uri-query|startswith:
+              - 'cmd='
+              - 'command='
+              - 'exec_cmd='
+              - 'exec='
+        - cs-uri-query|contains:
+              - '/dev/tcp'
+              - '/etc/passwd'
+              - '%2fdev%2ftcp' # URL encoded of /dev/tcp
+              - '%2fetc%2fpasswd' # URL encoded of /etc/passwd
+              - '=uname'
+              - '=whoami'
+              - 'ifconfig'
+              - 'ping'
+              - 'pwd'
+        - cs-uri-query|contains|all:
+              - 'echo'
+              - 'base64'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate applications using cmd parameter for non-malicious purposes
+level: high

rules-emerging-threats/2025/Exploits/CVE-2025-31324/web_lnx_exploit_cve_2025_31324_sap_netviewer_webshell_uploaded.yml

@@ -0,0 +1,32 @@
+title: Potential Java WebShell Upload in SAP NetViewer Server
+id: 639b893f-f93a-4e53-a7c8-f08cf73fe7f7
+status: experimental
+description: |
+    Detects potential Java webshell uploads via HTTP requests with Content-Type 'application/octet-stream' and Java file extensions.
+    This behavior might indicate exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution through webshells in SAP NetViewer.
+references:
+    - https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-05-14
+tags:
+    - attack.persistence
+    - attack.t1505.003
+    - detection.emerging-threats
+    - cve.2025-31324
+logsource:
+    category: webserver
+detection:
+    selection:
+        cs-content-type: 'application/octet-stream'
+        cs-method: 'POST'
+        cs-uri-stem|contains|all:
+            - '/irj/'
+            - '.jsp'
+        cs-uri-stem|endswith:
+            - '.class'
+            - '.java'
+            - '.jsp'
+    condition: selection
+falsepositives:
+    - Legitimate uploads of Java files in development environments
+level: high

tests/logsource.json

@@ -443,6 +443,12 @@
                 "file_rename":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "OriginalFileName", "SourceFilename", "TargetFilename", "MagicHeader"]
             },
             "service":{}
+        },
+        "empty":{
+            "category":{
+                "webserver": ["cs-content-type"]
+               },
+            "service":{}
         }
     }
 }