Skip to content

[New] Potential SAP NetWeaver Exploitation rules#4666

Merged
Mikaayenson merged 14 commits intomainfrom
SAP-NV
Jan 22, 2026
Merged

[New] Potential SAP NetWeaver Exploitation rules#4666
Mikaayenson merged 14 commits intomainfrom
SAP-NV

Conversation

@Samirbous
Copy link
Contributor

@Samirbous Samirbous commented Apr 26, 2025

@Samirbous Samirbous added OS: Linux Rule: New Proposal for new rule OS: Windows windows related rules labels Apr 26, 2025
@Samirbous Samirbous self-assigned this Apr 26, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Apr 26, 2025

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

  • Detailed description of the rule.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.

Rule Metadata Checks

  • creation_date matches the date of creation PR initially merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added to non-ecs-schema.json if not available in an integration.
  • min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • setup should include the necessary steps to configure the integration.
  • note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
  • threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • Provide evidence of testing and detecting the expected threat.
  • Check for existence of coverage to prevent duplication.

@tradebot-elastic
Copy link

tradebot-elastic commented Apr 26, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential SAP NetWeaver Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential SAP NetWeaver WebShell Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Apr 26, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential SAP NetWeaver Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential SAP NetWeaver WebShell Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Apr 26, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential SAP NetWeaver Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential SAP NetWeaver WebShell Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented May 6, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential SAP NetWeaver Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential SAP NetWeaver WebShell Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented May 6, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential SAP NetWeaver Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential SAP NetWeaver WebShell Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@shashank-elastic
Copy link
Contributor

shashank-elastic commented May 6, 2025

Checked with @Samirbous Can be skipped for this release cycle.

@tradebot-elastic
Copy link

tradebot-elastic commented May 19, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential SAP NetWeaver Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential SAP NetWeaver WebShell Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Mikaayenson
Mikaayenson reviewed May 19, 2025
View reviewed changes
@Samirbous @Mikaayenson
Update rules/cross-platform/execution_sap_netweaver_webshell_exec.toml
01d36bb 
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
@tradebot-elastic
Copy link

tradebot-elastic commented May 20, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential SAP NetWeaver Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential SAP NetWeaver WebShell Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@botelastic
Copy link

botelastic bot commented Jul 19, 2025

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Jul 19, 2025
@w0rk3r w0rk3r added the backlog label Jul 21, 2025
@botelastic botelastic bot removed the stale 60 days of inactivity label Jul 21, 2025
Mikaayenson
Mikaayenson approved these changes Dec 4, 2025
View reviewed changes
Copy link
Contributor

@Mikaayenson Mikaayenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: What about T1505.003?

@tradebot-elastic
Copy link

tradebot-elastic commented Dec 4, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential SAP NetWeaver Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential SAP NetWeaver WebShell Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Samirbous
Copy link
Contributor Author

Samirbous commented Dec 17, 2025

vuln not trending anymore and we do have some generic java webshell detections

detection-rules/rules/linux/persistence_web_server_unusual_command_execution.toml

Line 19 in 6ac69db

name = "Unusual Web Server Command Execution"

@Samirbous Samirbous closed this Dec 17, 2025
@Samirbous Samirbous reopened this Jan 22, 2026
@tradebot-elastic
Copy link

tradebot-elastic commented Jan 22, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential SAP NetWeaver Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential SAP NetWeaver WebShell Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Samirbous @Mikaayenson
Apply suggestion from @Mikaayenson
c7e6921 
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
@tradebot-elastic
Copy link

tradebot-elastic commented Jan 22, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential SAP NetWeaver Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential SAP NetWeaver WebShell Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Jan 22, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential SAP NetWeaver Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential SAP NetWeaver WebShell Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Jan 22, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential SAP NetWeaver Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential SAP NetWeaver WebShell Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Jan 22, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential SAP NetWeaver Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential SAP NetWeaver WebShell Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Jan 22, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential SAP NetWeaver Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential SAP NetWeaver WebShell Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Jan 22, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential SAP NetWeaver Exploitation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential SAP NetWeaver WebShell Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Mikaayenson Mikaayenson merged commit 5c5185d into main Jan 22, 2026
17 of 19 checks passed
@Mikaayenson Mikaayenson deleted the SAP-NV branch January 22, 2026 18:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mikaayenson Mikaayenson Mikaayenson approved these changes

@Aegrah Aegrah Aegrah approved these changes

@shashank-elastic shashank-elastic shashank-elastic approved these changes

Assignees

@Samirbous Samirbous

Labels

backlog backport: auto OS: Linux OS: Windows windows related rules Rule: New Proposal for new rule

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@Samirbous @tradebot-elastic @shashank-elastic @Mikaayenson @Aegrah @w0rk3r @DefSecSentinel