Merge pull request #3499 from splunk/weavingbaskets

patel-bhavin · web-flow · commit 700667bda765 · 2025-04-28T12:09:17.000-07:00
🕸️ BasketNetWeaving with Haag: No Shell Left Behind!
diff --git a/detections/endpoint/java_writing_jsp_file.yml b/detections/endpoint/java_writing_jsp_file.yml
@@ -1,7 +1,7 @@
 name: Java Writing JSP File
 id: eb65619c-4f8d-4383-a975-d352765d344b
-version: 8
-date: '2025-04-22'
+version: 9
+date: '2025-04-28'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -72,6 +72,7 @@ tags:
   - Spring4Shell CVE-2022-22965
   - Atlassian Confluence Server and Data Center CVE-2022-26134
   - SysAid On-Prem Software CVE-2023-47246 Vulnerability
+  - SAP NetWeaver Exploitation
   asset_type: Endpoint
   cve:
   - CVE-2022-22965
diff --git a/detections/endpoint/windows_java_spawning_shells.yml b/detections/endpoint/windows_java_spawning_shells.yml
@@ -1,7 +1,7 @@
 name: Windows Java Spawning Shells
 id: 28c81306-5c47-11ec-bfea-acde48001122
-version: 9
-date: '2024-12-16'
+version: 10
+date: '2025-04-28'
 author: Michael Haag, Splunk
 status: experimental
 type: TTP
@@ -61,6 +61,7 @@ tags:
   - Log4Shell CVE-2021-44228
   - SysAid On-Prem Software CVE-2023-47246 Vulnerability
   - Cleo File Transfer Software
+  - SAP NetWeaver Exploitation
   asset_type: Endpoint
   cve:
   - CVE-2021-44228
diff --git a/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml b/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml
@@ -1,7 +1,7 @@
 name: Windows Process Injection into Commonly Abused Processes
 id: 1e1dedc6-f6f3-41a0-9dd7-a1245904fe75
-version: 2
-date: '2025-04-16'
+version: 3
+date: '2025-04-28'
 author: 0xC0FFEEEE, Github Community
 type: Anomaly
 status: production
@@ -70,6 +70,7 @@ tags:
   analytic_story:
   - BishopFox Sliver Adversary Emulation Framework
   - Earth Alux
+  - SAP NetWeaver Exploitation
   asset_type: Endpoint
   mitre_attack_id:
   - T1055.002
diff --git a/detections/web/sap_netweaver_visual_composer_exploitation_attempt.yml b/detections/web/sap_netweaver_visual_composer_exploitation_attempt.yml
@@ -0,0 +1,52 @@
+name: SAP NetWeaver Visual Composer Exploitation Attempt
+id: a583b9f1-9c3a-4402-9441-b981654dea6c
+version: 1
+date: '2025-04-28'
+author: Michael Haag, Splunk
+status: production
+type: Hunting
+description: |
+  Detects potential exploitation attempts targeting CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer. This flaw allows remote attackers to send specially crafted POST requests to the /developmentserver/metadatauploader endpoint, enabling arbitrary file uploads—commonly webshells—resulting in full system compromise. The detection looks for HTTP HEAD or POST requests with a 200 OK status to sensitive Visual Composer endpoints, which may indicate reconnaissance or active exploitation. Successful exploitation can lead to attackers gaining privileged access, deploying malware, and impacting business-critical SAP resources. Immediate patching and investigation of suspicious activity are strongly recommended, as this vulnerability is being actively exploited in the wild.
+data_source:
+- Suricata
+search: '| tstats count min(_time) as firstTime max(_time) as lastTime 
+  from datamodel=Web.Web 
+  where (Web.url IN ("/CTCWebService/CTCWebServiceBean", "/VisualComposer/services/DesignTimeService", "/ctc/CTCWebService/CTCWebServiceBean")) 
+  AND Web.http_method IN ("HEAD", "POST") 
+  AND Web.status=200
+  by Web.src, Web.dest, Web.http_method, Web.url, Web.http_user_agent, Web.url_length, sourcetype
+  | `drop_dm_object_name("Web")`
+  | eval action=case(http_method="HEAD", "Recon/Probe", http_method="POST", "Possible Exploitation")
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | table firstTime, lastTime, src, dest, http_method, action, url, user_agent, url_length, sourcetype
+  | `sap_netweaver_visual_composer_exploitation_attempt_filter`'
+how_to_implement: |
+  Ensure that the Web data model is accelerated and populated with web server or web proxy logs capturing HTTP request and response data.
+  This search relies on HTTP method, status code, and URL path fields to identify suspicious access patterns against SAP NetWeaver endpoints.
+known_false_positives: |
+  Some legitimate administrative activity may access SAP NetWeaver services. However, HEAD or POST requests directly resulting in a 200 OK 
+  to Visual Composer endpoints are uncommon and should be investigated carefully.
+references:
+- https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
+- https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
+- https://www.rapid7.com/blog/post/2025/04/28/etr-active-exploitation-of-sap-netweaver-visual-composer-cve-2025-31324/
+tags:
+  analytic_story:
+  - SAP NetWeaver Exploitation
+  asset_type: Web Server
+  mitre_attack_id:
+  - T1190
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+  cve:
+  - CVE-2025-31324
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/sap/suricata_sapnetweaver.log
+    sourcetype: suricata
+    source: suricata
diff --git a/stories/sap_netweaver_exploitation.yml b/stories/sap_netweaver_exploitation.yml
@@ -0,0 +1,28 @@
+name: SAP NetWeaver Exploitation
+id: a52f77e2-0632-46a5-b750-6c059bc7bbb4
+version: 1
+status: production
+date: '2025-04-28'
+author: Michael Haag, Splunk
+description: |
+  This Analytic Story covers the detection of exploitation attempts and reconnaissance activity targeting SAP NetWeaver platforms, with a focus on the critical unauthenticated file upload vulnerability CVE-2025-31324 in Visual Composer. Attackers are actively exploiting this flaw to upload arbitrary files—often webshells—via POST requests to the /developmentserver/metadatauploader endpoint, leading to full system compromise, remote code execution, and persistent access. The story includes detections for both probing (e.g., HEAD requests) and active exploitation, and highlights the significant business risks, such as data theft, operational disruption, and potential regulatory impact. Defenders can use this story to monitor, hunt, and respond to suspicious activity across SAP NetWeaver services, helping to identify both initial access and post-exploitation behaviors.
+narrative: |
+  Attackers are actively targeting SAP NetWeaver environments through newly disclosed vulnerabilities like CVE-2025-31324, affecting the Visual Composer service.
+  Successful exploitation can lead to remote code execution (RCE) and the deployment of webshells, giving adversaries persistent access to SAP systems. 
+  This story provides detections for reconnaissance patterns (e.g., HEAD requests receiving HTTP 200 responses) and potential exploitation behavior 
+  (e.g., POST requests leading to successful uploads), empowering defenders to quickly identify compromise attempts and mitigate them before escalation.
+references:
+  - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
+  - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
+  - https://www.rapid7.com/blog/post/2025/04/28/etr-active-exploitation-of-sap-netweaver-visual-composer-cve-2025-31324/
+  - https://www.splunk.com/en_us/blog/security/the-final-shell-introducing-shellsweepx.html
+tags:
+  category:
+    - Adversary Tactics
+  product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+  usecase: Advanced Threat Detection
+  cve:
+    - CVE-2025-31324
