SERVER-WEBAPP SAP ConfigServlet command execution attempt

This alert is designed to detect an attempt to exploit a command execution vulnerability in SAP systems using the ConfigServlet. The rule is specifically searching for network traffic directed at port 50000 (often used by SAP applications) containing a specific sequence of URI patterns indicating a possible attack.

ID Number

26929

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"SERVER-WEBAPP SAP ConfigServlet command execution attempt"; flow:to_server,established; content:"/ctc/servlet/ConfigServlet"; http_uri; content:"param=com.sap.ctc.util.FileSystemConfig"; distance:0; http_uri; content:"EXECUTE_CMD"; distance:0; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf; classtype:attempted-admin; sid:26929; rev:4;)

MITRE ATT&CK Technique

-

Severity

High

Recommendations/Investigative actions

It is recommended to immediately identify the server receiving this traffic and verify if it's running a vulnerable version of the SAP system. If so, patch or update the software to a non-vulnerable version. Inspect server logs to determine if the attempted exploitation was successful. Look for signs of unauthorized access or further exploitation attempts. If possible, block communication Attempts from external networks, or enable access from specific external devices only.