feat: SAP Netweaver CVE-2025-31324 Potential Exploitation #5387
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
|
Why not use |
Collaborator
Author
Done |
5 tasks
phantinuss
approved these changes
Oct 1, 2025
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR adds detection rules for potential exploitation of SAP NetWeaver CVE-2025-31324, focusing on identifying webshell creation and suspicious child processes that could indicate compromise.
- Adds detection rules for suspicious child processes spawned by SAP NetWeaver on both Windows and Linux
- Implements file event monitoring for potential webshell creation in SAP NetWeaver directories
- Targets CVE-2025-31324 exploitation attempts through process and file monitoring
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| proc_creation_win_sap_netweaver_susp_child_process.yml | Windows process creation rule detecting suspicious child processes from SAP NetWeaver |
| proc_creation_lnx_sap_nwtweaver_sup_child_process.yml | Linux process creation rule detecting suspicious child processes from SAP NetWeaver |
| file_event_win_sap_netweaver_webshell_creation.yml | Windows file event rule detecting potential webshell creation in SAP NetWeaver directories |
| file_event_lnx_sap_netweaver_webshell_creation.yml | Linux file event rule detecting potential webshell creation in SAP NetWeaver directories |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
...-threats/2025/Exploits/CVE-2025-31324/proc_creation_lnx_sap_netweaver_susp_child_process.yml
Show resolved
Hide resolved
...ging-threats/2025/Exploits/CVE-2025-31324/file_event_win_sap_netweaver_webshell_creation.yml
Show resolved
Hide resolved
...ging-threats/2025/Exploits/CVE-2025-31324/file_event_lnx_sap_netweaver_webshell_creation.yml
Show resolved
Hide resolved
...ging-threats/2025/Exploits/CVE-2025-31324/file_event_lnx_sap_netweaver_webshell_creation.yml
Outdated
Show resolved
Hide resolved
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
swachchhanda000
force-pushed
the
sap_netweaver_vuln
branch
from
c429310 to
b80f197
Compare
Contributor
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
...-threats/2025/Exploits/CVE-2025-31324/proc_creation_lnx_sap_netweaver_susp_child_process.yml
Show resolved
Hide resolved
...ging-threats/2025/Exploits/CVE-2025-31324/file_event_lnx_sap_netweaver_webshell_creation.yml
Show resolved
Hide resolved
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary of the Pull Request
SAP Netweaver CVE-2025-31324 Potential Exploitation
Changelog
new: Potential SAP NetWeaver Webshell Creation - Linux
new: Potential SAP NetWeaver Webshell Creation
new: Suspicious Child Process of SAP NetWeaver - Linux
new: Suspicious Child Process of SAP NetWeaver
Example Log Event
Fixed Issues
SigmaHQ Rule Creation Conventions