Samirbous
5c5185d227
* [New] Potential SAP NetWeaver Exploitation https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/ * ++ * Update execution_sap_netweaver_jsp_webshell.toml * Update execution_sap_netweaver_webshell_exec.toml * Update rules/cross-platform/execution_sap_netweaver_webshell_exec.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * Apply suggestion from @Mikaayenson Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * Update execution_sap_netweaver_jsp_webshell.toml * Update execution_sap_netweaver_webshell_exec.toml * Update execution_sap_netweaver_webshell_exec.toml --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
108 lines
4.2 KiB
TOML
108 lines
4.2 KiB
TOML
[metadata]
|
|
creation_date = "2025/04/26"
|
|
integration = ["endpoint"]
|
|
maturity = "production"
|
|
updated_date = "2025/04/26"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies suspicious processes spawned from the SAP NetWeaver application. This may indicate an attempt to execute commands via webshell.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["auditbeat-*", "logs-endpoint.events.process*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Potential SAP NetWeaver Exploitation"
|
|
references = [
|
|
"https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/",
|
|
"https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/"
|
|
]
|
|
risk_score = 73
|
|
rule_id = "23c53c4c-aa8b-4b07-85c0-fe46a9c8acaf"
|
|
severity = "high"
|
|
tags = [
|
|
"Domain: Endpoint",
|
|
"OS: Linux",
|
|
"OS: Windows",
|
|
"Use Case: Threat Detection",
|
|
"Tactic: Execution",
|
|
"Use Case: Vulnerability",
|
|
"Data Source: Elastic Defend",
|
|
"Resources: Investigation Guide",
|
|
]
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
process where event.type == "start" and host.os.type in ("linux", "windows") and
|
|
process.name : ("sh",
|
|
"bash",
|
|
"dash",
|
|
"ksh",
|
|
"tcsh",
|
|
"zsh",
|
|
"curl",
|
|
"perl*",
|
|
"python*",
|
|
"ruby*",
|
|
"php*",
|
|
"wget",
|
|
"cmd.exe",
|
|
"powershell.exe",
|
|
"rundll32.exe",
|
|
"msbuild.exe",
|
|
"curl.exe",
|
|
"certutil.exe") and
|
|
(
|
|
process.working_directory : ("/*/sap.com*/servlet_jsp/irj/*", "*\\sap.com*\\servlet_jsp\\irj\\*") or
|
|
process.command_line : ("*/sap.com*/servlet_jsp/irj/*", "*\\sap.com*\\servlet_jsp\\irj\\*") or
|
|
process.parent.command_line : ("*/sap.com*/servlet_jsp/irj/*", "*\\sap.com*\\servlet_jsp\\irj\\*")
|
|
)
|
|
'''
|
|
note = """## Triage and analysis
|
|
|
|
### Investigating Potential SAP NetWeaver Exploitation
|
|
|
|
### Possible investigation steps
|
|
|
|
- Examine the process tree to verify the parent-child relationship between the Java process and any suspicious child processes such as shell scripts or scripting languages (e.g., sh, bash, curl, python).
|
|
- Check the command line arguments and environment variables of the suspicious child processes to identify any potentially malicious payloads or commands being executed.
|
|
- Investigate the host's recent activity and logs for any other indicators of compromise or unusual behavior that might correlate with the suspected exploitation attempt.
|
|
- Assess the system for any unauthorized changes or new files that may have been introduced as a result of the exploitation attempt, focusing on JSP files under the IRJ root directory.
|
|
|
|
|
|
### Response and remediation
|
|
|
|
- Immediately isolate the affected host from the network to prevent further outbound connections and potential lateral movement.
|
|
- Terminate any suspicious Java processes identified in the alert, especially those making outbound connections to LDAP, RMI, or DNS ports.
|
|
- Conduct a thorough review of the affected system for any unauthorized changes or additional malicious processes, focusing on child processes like shell scripts or scripting languages.
|
|
- Restore the affected system from a known good backup if unauthorized changes or malware are detected.
|
|
- Update and patch Java and any related applications to the latest versions to mitigate known vulnerabilities.
|
|
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network."""
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1059"
|
|
name = "Command and Scripting Interpreter"
|
|
reference = "https://attack.mitre.org/techniques/T1059/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1059.007"
|
|
name = "JavaScript"
|
|
reference = "https://attack.mitre.org/techniques/T1059/007/"
|
|
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1203"
|
|
name = "Exploitation for Client Execution"
|
|
reference = "https://attack.mitre.org/techniques/T1203/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0002"
|
|
name = "Execution"
|
|
reference = "https://attack.mitre.org/tactics/TA0002/"
|
|
|