diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-31324/web_lnx_exploit_cve_2025_31324_sap_netviewer_webshell.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/web_lnx_exploit_cve_2025_31324_sap_netviewer_webshell.yml
new file mode 100644
index 000000000..111a35b95
--- /dev/null
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/web_lnx_exploit_cve_2025_31324_sap_netviewer_webshell.yml
@@ -0,0 +1,47 @@
+title: Potential SAP NetViewer Webshell Command Execution
+id: 94e12f41-6cb3-45c5-97b1-c783a7bf2e72
+status: experimental
+description: |
+ Detects potential command execution via webshell in SAP NetViewer through JSP files with cmd parameter.
+ This rule is created to detect exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution via a webshell.
+references:
+ - https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-05-14
+tags:
+ - attack.persistence
+ - attack.t1505.003
+ - attack.initial-access
+ - attack.t1190
+ - detection.emerging-threats
+ - cve.2025-31324
+logsource:
+ category: webserver
+detection:
+ selection_uri:
+ cs-uri-stem|contains|all:
+ - '/irj/'
+ - '.jsp'
+ selection_query:
+ - cs-uri-query|startswith:
+ - 'cmd='
+ - 'command='
+ - 'exec_cmd='
+ - 'exec='
+ - cs-uri-query|contains:
+ - '/dev/tcp'
+ - '/etc/passwd'
+ - '%2fdev%2ftcp' # URL encoded of /dev/tcp
+ - '%2fetc%2fpasswd' # URL encoded of /etc/passwd
+ - '=uname'
+ - '=whoami'
+ - 'ifconfig'
+ - 'ping'
+ - 'pwd'
+ - cs-uri-query|contains|all:
+ - 'echo'
+ - 'base64'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate applications using cmd parameter for non-malicious purposes
+level: high
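Review bot: Several entries in the `cs-uri-query|contains` list are bare substrings — `'ping'`, `'pwd'`, `'ifconfig'` — that match anywhere in the query string, so benign parameter values such as `mapping` or `shipping` on any `/irj/*.jsp` page satisfy them, unlike the `'=uname'` and `'=whoami'` entries that anchor on a parameter value; writing them as `'=ping'`, `'=pwd'` and `'=ifconfig'` keeps the same intent with far fewer false positives, and the unanchored `'echo'` + `'base64'` pair has the same weakness. The title, description and filename say "SAP NetViewer", while the referenced article URL names SAP NetWeaver for CVE-2025-31324, so the metadata looks misnamed and should read `title: Potential SAP NetWeaver Webshell Command Execution` with the description adjusted to match. The falsepositives entry only mentions the `cmd` parameter although the selection also fires on `command=`, `exec_cmd=` and `exec=`; listing those there helps analysts triage hits correctly.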
diff --git a/rules-emerging-threats/2025/Exploits/CVE-2025-31324/web_lnx_exploit_cve_2025_31324_sap_netviewer_webshell_uploaded.yml b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/web_lnx_exploit_cve_2025_31324_sap_netviewer_webshell_uploaded.yml
new file mode 100644
index 000000000..f25f1ba2b
--- /dev/null
+++ b/rules-emerging-threats/2025/Exploits/CVE-2025-31324/web_lnx_exploit_cve_2025_31324_sap_netviewer_webshell_uploaded.yml
@@ -0,0 +1,32 @@
+title: Potential Java WebShell Upload in SAP NetViewer Server
+id: 639b893f-f93a-4e53-a7c8-f08cf73fe7f7
+status: experimental
+description: |
+ Detects potential Java webshell uploads via HTTP requests with Content-Type 'application/octet-stream' and Java file extensions.
+ This behavior might indicate exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution through webshells in SAP NetViewer.
+references:
+ - https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-05-14
+tags:
+ - attack.persistence
+ - attack.t1505.003
+ - detection.emerging-threats
+ - cve.2025-31324
+logsource:
+ category: webserver
+detection:
+ selection:
+ cs-content-type: 'application/octet-stream'
+ cs-method: 'POST'
+ cs-uri-stem|contains|all:
+ - '/irj/'
+ - '.jsp'
+ cs-uri-stem|endswith:
+ - '.class'
+ - '.java'
+ - '.jsp'
+ condition: selection
+falsepositives:
+ - Legitimate uploads of Java files in development environments
+level: high
diff --git a/tests/logsource.json b/tests/logsource.json
index 05ef8e7dd..8615dec66 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
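Review bot: The `cs-uri-stem|contains|all` list requires `.jsp` somewhere in the stem, so the `'.class'` and `'.java'` entries under `cs-uri-stem|endswith` can only match a stem that also contains `.jsp` earlier in the path, which is almost certainly not what the description ("Java file extensions") intends; replacing the `contains|all` block with `cs-uri-stem|contains: '/irj/'` and letting `endswith` carry the extension list restores the intended coverage. As in the sibling rule, the title, description and filename say "SAP NetViewer" while the referenced article URL names SAP NetWeaver, so the metadata should be corrected. The rule text does not establish whether a POST of `application/octet-stream` to an `/irj/*.jsp` stem is the initial upload vector or a later interaction with an already-planted webshell; the description should state which phase of the attack this selection observes, confirmed against the referenced write-up, since that determines whether the `attack.initial-access` tag used by the sibling rule also belongs here.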
@@ -443,6 +443,12 @@
 "file_rename":["Image", "CommandLine", "ParentImage", "ParentCommandLine", "User", "OriginalFileName", "SourceFilename", "TargetFilename", "MagicHeader"]
 },
 "service":{}
+ },
+ "empty":{
+ "category":{
+ "webserver": ["cs-content-type"]
+ },
+ "service":{}
 }
 }
 }
\ No newline at end of file