Skip to content

Hunting SAP attackers

SAP attackers and hackers hiding in the shadows

Over and over again we see attackers who have gained unauthorized access to a system by spending a significant amount of time spying out relevant SAP data, unnoticed by the victim organization.

In a recent incident, we identified a large number of information gathering and data collection activities carried out by a threat actor prior to the exfiltration of sensitive data – which, if leaked, would inevitably lead to reputation and/or financial loss for the organization. Not only had the attacker used customer specific tools such as critical programs existing in the z, y namespace on the compromised servers, but they were also using Living Off The Land (LOTL) techniques to covertly gather system and network information.

Malicious LOTL activities are tricky to detect, as threat actors are predominantly using tools that already exist on the SAP Netweaver platform and are frequently used by system administrators, such as RFC connection setup (SM59) or testing features offered in transaction SE37 and SICF.

Attackers explore a victim environment by using public SAP services such as /sap/public/info or by calling the function module RFCSYSTEMINFO, which provides a whole range of system information. More sophisticated attacks use methods like Re-mote Code Injection (RCI), Remote Code Execution (RCE) and SQL Injection. Suitable tools for these kinds of attacks can actually be found in SAP tool-kit.

In order to identify those Tactics, Techniques and Procedures (TTP), it’s simply not enough to activate the SAP logs and then, even worse, leave them unattended. Organizations must be proactive and regularly threat-hunt by using frameworks like MITRE ATT&CK against TTPs.


MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. Enterprises use the ATT&CK Matrix to classify vulnerabilities.

Using the logs for detection sophisticated attacks, however, appears to be “Mission-Impossible” due to the sheer number of entries. Also, a lack of information in the individual SAP logs makes it hard to detect an actual incident.

Market leading SIEM Solutions such as splunk, ArcSight, or MS Sentinel struggle to onboard log sources from SAP. Unfortunately for SAP’s customers, the market leading ERP manufacturer does not provide an open standard log stream, although one exists and is used for their own commercial solution.

By using SecurityBridge Threat Detection software for SAP we were able to identify log entries relevant for security. We then normalize those entries and enrich them with information. This makes it possible to search the log entries for suspicious patterns in real-time, helping our customers to prove that an attack happened and, more importantly, to enable our customers to take quick and effective measures.

Establish a SAP Security Strategy

Amongst a lot of other, innovative features, the possibility to comfortably sift through the logs with SecurityBridge or onboarding SAP as a new log source for established SIEM solutions makes our solution the first pick for many SAP customers and service providers when it comes to realizing a sound SAP security strategy.


Securing your SAP landscape is no longer optional. Security shall be unavoidable but workable, a core requirement within today’s interconnected world. For this reason, SecurityBridge is designed to be always on, 24/7.

Posted by

Christoph Nagy
SAP Security Comparison Report

Download the Product Comparison Report and understand that holistic security for SAP can be delivered by a single solution.

Find recent Security Advisories for SAP©