Suspicious Child Process of SAP NetWeaver

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects suspicious child processes spawned by SAP NetWeaver that could indicate potential exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324

Severity

Attention

Rule Requirement

Criteria

Action1: actionname = "Process started" AND (PARENTPROCESSNAME contains "\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work,\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root" OR PROCESSNAME contains "\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work,\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root") AND (PROCESSNAME endswith "\cmd.exe,\powershell.exe,\powershell_ise.exe,\pwsh.exe,\wscript.exe,\cscript.exe,\regsvr32.exe,\rundll32.exe,\mshta.exe,\certutil.exe,\bitsadmin.exe,\python.exe" OR ORIGINALFILENAME = "Cmd.Exe,PowerShell.EXE,PowerShell_ISE.EXE,pwsh.dll,wscript.exe,cscript.exe,REGSVR32.EXE,RUNDLL32.EXE,MSHTA.EXE,CertUtil.exe,bitsadmin.exe,python.exe") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID

Detection

Execution Mode

realtime

Log Sources

Windows

Author

@Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)