Query Details
```kql
// SAP NetWeaver Attack by Chinese Threat Actor Impact Assessment
// https://www.forescout.com/blog/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor/
// Step 1: devices Defender has marked as internet-facing and for which a public IP is recorded
let InternetFacing = DeviceInfo
    | where IsInternetFacing == true and isnotempty(PublicIP)
    | distinct DeviceId;
// Step 2: of those, devices on which a process whose file version info names NetWeaver
// ran in the last 90 days (latest such event kept per device)
let SAPNetweaver = DeviceProcessEvents
    | where TimeGenerated > ago(90d)
    | where InitiatingProcessVersionInfoProductName has "netweaver"
    | summarize arg_max(TimeGenerated, *) by DeviceId
    | where DeviceId in (InternetFacing)   // exact match on DeviceId (the published query used has_any, which matches terms)
    | project DeviceId;
// Step 3: Forescout's IOC list for this actor, mirrored as CSV (columns Type, Value, Source)
// in the author's GitHub repo. If the file carries a header row, add
// with(format="csv", ignoreFirstRecord=true) so the header is not treated as an indicator.
let ForescoutIOC = externaldata(Type:string, Value:string, Source:string)
    [h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/Chaya_004-IOC10May2025.csv'];
// Step 4: connections on those hosts whose remote IP is on the IOC list
DeviceNetworkEvents
| where TimeGenerated > ago(30d)
| where DeviceId in (SAPNetweaver)        // filter to the NetWeaver hosts before the join; same result, less work
| join ForescoutIOC on $left.RemoteIP == $right.Value
| where ActionType has "ConnectionSuccess" or ActionType has "InboundConnectionAccepted"
| summarize NoOfHits = count() by DeviceName, ActionType, RemoteIP
| sort by NoOfHits desc
```
This query assesses the exposure of SAP NetWeaver systems to the attack that Forescout attributes to a Chinese threat actor. It does so by checking whether any internet-facing NetWeaver host has exchanged traffic with the actor's published infrastructure. Step by step:
Identify internet-facing devices: from DeviceInfo, take the devices that Defender has marked as internet-facing and for which a public IP address is recorded.
Find SAP NetWeaver hosts: from DeviceProcessEvents over the last 90 days, keep the devices on which a process whose file version information names NetWeaver has run (the most recent such event per device), and intersect that set with the internet-facing devices.
Load indicators of compromise (IOCs): import the Forescout IOC list for this actor with externaldata from a CSV file hosted on GitHub, with the columns Type, Value and Source.
Match network events: over the last 30 days, join DeviceNetworkEvents to the IOC list on RemoteIP, keep only successful outbound connections (ConnectionSuccess) and accepted inbound connections (InboundConnectionAccepted), and restrict the result to the internet-facing NetWeaver hosts.
Summarize and sort: count the matching events per device name, action type and remote IP, sorted by hit count so the hosts with the most contact with the actor's infrastructure come first.
In essence, the query lists which internet-facing SAP NetWeaver hosts have communicated with infrastructure linked to this actor. Three caveats apply when reading the output: a hit is a lead, not proof of compromise, because IP indicators age and can be shared or reassigned; a host only appears as a NetWeaver system if such a process ran within the 90-day window, and the internet-facing flag reflects Defender's own exposure assessment rather than a port scan; and because the join is on RemoteIP, IOC rows that are not IP addresses (or a header row in the CSV) never match and are silently ignored.
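A triage pivot on the same hits, added here as an example and not part of the original query: it reuses the query's tables, filters and IOC feed, and adds for each device and remote IP the first and last time the indicator was seen, the local process that made or accepted the connection, the local and remote ports, the connection direction, and the IOC source, so a hit can be ranked and handed to an investigator with context. The input columns are the standard DeviceNetworkEvents, DeviceProcessEvents and DeviceInfo columns; the output column names (FirstSeen, Processes, Direction and so on) are chosen for this example.

```kql
// Added example: triage pivot for IOC hits on internet-facing SAP NetWeaver hosts.
// Same data sources and IOC feed as the query above; output column names are
// chosen for this example, not taken from the original.
let InternetFacing = DeviceInfo
    | where IsInternetFacing == true and isnotempty(PublicIP)
    | distinct DeviceId;
let SAPNetweaver = DeviceProcessEvents
    | where TimeGenerated > ago(90d)
    | where InitiatingProcessVersionInfoProductName has "netweaver"
    | where DeviceId in (InternetFacing)
    | distinct DeviceId;
let ForescoutIOC = externaldata(Type:string, Value:string, Source:string)
    [h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/Chaya_004-IOC10May2025.csv'];
DeviceNetworkEvents
| where TimeGenerated > ago(30d)
| where DeviceId in (SAPNetweaver)
| where ActionType in ("ConnectionSuccess", "InboundConnectionAccepted")
| join kind=inner ForescoutIOC on $left.RemoteIP == $right.Value
// InboundConnectionAccepted: the IOC host connected to us (the exposed service was reached directly).
// ConnectionSuccess: a local process reached out to the IOC host (possible callback or download).
| extend Direction = iff(ActionType == "InboundConnectionAccepted", "Inbound", "Outbound")
| summarize
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    NoOfHits    = count(),
    Processes   = make_set(InitiatingProcessFileName, 20),  // which local process talked to the IOC
    LocalPorts  = make_set(LocalPort, 20),                   // for inbound hits: the service that was reached
    RemotePorts = make_set(RemotePort, 20),                  // for outbound hits: where the callback went
    IOCSources  = make_set(Source, 5)
    by DeviceName, Direction, RemoteIP
// "Inbound" sorts before "Outbound", so direct contact with the exposed host is listed first.
| sort by Direction asc, NoOfHits desc
```

The two-column direction split matters during triage: an inbound hit on a NetWeaver host from the actor's infrastructure shows the exposed service being reached, while an outbound hit from a process that is not the SAP service itself (for example a shell or a scripting host in the Processes set) is the stronger sign that something on the host is already calling back. The ago(30d) and ago(90d) windows are inherited from the original query; widen them if your retention allows and the initial compromise may predate them.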

Steven Lim
Released: May 10, 2025