++

Samirbous · Samirbous · commit 426e0d66a5f0 · 2025-04-26T11:54:40.000+01:00
diff --git a/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml b/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml
@@ -15,7 +15,8 @@ language = "eql"
 license = "Elastic License v2"
 name = "Potential SAP NetWeaver WebShell Creation"
 references = [
-    "https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/"
+    "https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/",
+    "https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/"
 ]
 risk_score = 73
 rule_id = "f7d588ba-e4b0-442e-879d-7ec39fbd69c5"
@@ -34,7 +35,11 @@ type = "eql"
 
 query = '''
 file where host.os.type in ("linux", "windows") and event.action == "creation" and
- file.extension : "jsp" and file.path : ("/*/sap.com/*/servlet_jsp/irj/root/*.jsp", "?:\\*\\sap.com\\*\\servlet_jsp\\irj\\root\\*.jsp")
+ file.extension : ("jsp", "java", "class") and
+ file.path : ("/*/sap.com/*/servlet_jsp/irj/root/*",
+              "/*/sap.com/*/servlet_jsp/irj/work/*",
+              "?:\\*\\sap.com\\*\\servlet_jsp\\irj\\root\\*",
+              "?:\\*\\sap.com\\*\\servlet_jsp\\irj\\work\\*")
 '''
 note = """## Triage and analysis
 
diff --git a/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml b/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml
@@ -15,7 +15,8 @@ language = "eql"
 license = "Elastic License v2"
 name = "Potential SAP NetWeaver Exploitation"
 references = [
-    "https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/"
+    "https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/",
+    "https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/"
 ]
 risk_score = 73
 rule_id = "23c53c4c-aa8b-4b07-85c0-fe46a9c8acaf"
@@ -54,9 +55,9 @@ process where event.type == "start" and file where host.os.type in ("linux", "wi
                    "curl.exe",
                    "certutil.exe") and
    (
-    process.working_directory : ("/*/sap.com/*/servlet_jsp/irj/root/*", "*\\sap.com\\*\\servlet_jsp\\irj\\root\\*") or
-    process.command_line : ("*/sap.com/*/servlet_jsp/irj/root/*", "*\\sap.com\\*\\servlet_jsp\\irj\\root\\*") or
-    process.parent.command_line : ("*/sap.com/*/servlet_jsp/irj/root/*", "*\\sap.com\\*\\servlet_jsp\\irj\\root\\*")
+    process.working_directory : ("/*/sap.com/*/servlet_jsp/irj/*", "*\\sap.com\\*\\servlet_jsp\\irj\\*") or
+    process.command_line : ("*/sap.com/*/servlet_jsp/irj/*", "*\\sap.com\\*\\servlet_jsp\\irj\\*") or
+    process.parent.command_line : ("*/sap.com/*/servlet_jsp/irj/*", "*\\sap.com\\*\\servlet_jsp\\irj\\*")
    )
 '''
 note = """## Triage and analysis
