Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

4 rules found for "Elastic Security"

3,707Total
3,116Detection
451Emerging
137Hunting
Emerging Threatmediumexperimental

Potential SAP NetWeaver Webshell Creation - Linux

Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories, which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.

LinuxFile Event
TA0002 · ExecutionTA0001 · Initial AccessT1190 · Exploit Public-Facing ApplicationTA0003 · Persistence+3
Elastic Security+1Mon Apr 282025
Emerging Threatmediumexperimental

Potential SAP NetWeaver Webshell Creation

Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories, which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.

WindowsFile Event
TA0002 · ExecutionTA0001 · Initial AccessT1190 · Exploit Public-Facing ApplicationTA0003 · Persistence+3
Elastic Security+1Mon Apr 282025
Emerging Threatmediumexperimental

Suspicious Child Process of SAP NetWeaver - Linux

Detects suspicious child processes spawned by SAP NetWeaver on Linux systems that could indicate potential exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.

LinuxProcess Creation
TA0002 · ExecutionTA0001 · Initial AccessT1190 · Exploit Public-Facing ApplicationTA0003 · Persistence+3
Elastic Security+1Mon Apr 282025
Emerging Threatmediumexperimental

Suspicious Child Process of SAP NetWeaver

Detects suspicious child processes spawned by SAP NetWeaver that could indicate potential exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.

WindowsProcess Creation
TA0002 · ExecutionTA0001 · Initial AccessT1190 · Exploit Public-Facing ApplicationTA0003 · Persistence+3
Elastic Security+1Mon Apr 282025