Suspicious Child Process of SAP NetWeaver
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects suspicious child processes spawned by SAP NetWeaver that could indicate potential exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324
Severity
Attention
Rule Requirement
Criteria
Action1:
actionname = "Process started" AND (PARENTPROCESSNAME contains "\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work,\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root" OR PROCESSNAME contains "\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work,\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root") AND (PROCESSNAME endswith "\cmd.exe,\powershell.exe,\powershell_ise.exe,\pwsh.exe,\wscript.exe,\cscript.exe,\regsvr32.exe,\rundll32.exe,\mshta.exe,\certutil.exe,\bitsadmin.exe,\python.exe" OR ORIGINALFILENAME = "Cmd.Exe,PowerShell.EXE,PowerShell_ISE.EXE,pwsh.dll,wscript.exe,cscript.exe,REGSVR32.EXE,RUNDLL32.EXE,MSHTA.EXE,CertUtil.exe,bitsadmin.exe,python.exe")
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID
Detection
Execution Mode
realtime
Log Sources
Windows
Author
@Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)


