Another critical use case of Protect4S SAP Threat Detection

It’s no secret that during SAP implementations (and, in all fairness, also during normal operations) security has not been given the highest priority for a long time. This has often led to a sprawl of unnecessary RFC connections between SAP systems, many of them with stored users that hold high privileges (such as SAP_ALL). These connections have the potential for abuse, since they can be used to move laterally throughout the SAP landscape with high privileges. Detecting this so-called RFC hopping at an early stage is key to preventing further abuse and exploitation of your SAP systems and to minimising the impact and cost of a breach.
What is RFC hopping?
RFC hopping is the process of using existing ABAP RFC connections to jump from one SAP system to another without needing to know the password of the user in the target system. It works by abusing RFC destinations whose stored user is of type DIALOG: in transaction SM59 you simply select the destination and press the “Remote Logon” button:

As long as the destination holds a DIALOG user with a stored password, or is a Trusted connection that resolves to a DIALOG user in the target, you are logged on in the remote system under the context and privileges of that user. Users of type SYSTEM or COMMUNICATION cannot open an interactive session, so Remote Logon does not work for them, which is why using SYSTEM users in RFC destinations is the standard mitigation. Because users with high privileges were, and still are, routinely stored in these destinations, you can easily roam from system to system.
Why is RFC hopping a security problem?
RFC hopping serves no business purpose by itself and is a strong indication that connections are being abused. Roaming through the SAP landscape this way may eventually land an attacker in a productive system, with access to productive data.
You therefore want to monitor for this behaviour, as it indicates malicious activity.
How to detect RFC hopping?
Detecting RFC hopping is hard, since the standard log files offer few specific indicators to work with. By combining the Security Audit Log with STAD records (which let us map the user’s interaction), you can nevertheless detect RFC hopping and see which users were involved, from which SAP system to which they moved, and which connection name was used.
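To make the correlation described above concrete, here is an added example (written for this article, not Protect4S code) in Python that joins SM59 activity from a STAD-style export with logon events from a Security-Audit-Log-style export, using a destination inventory to know which target system and stored user each destination maps to, and then links the individual hops into a lateral-movement chain. The record layouts, field names, 30-second matching window and all sample data are constructed stand-ins, not the real STAD or Security Audit Log formats; the user-type codes are the USR02 USTYP values (A = DIALOG, B = SYSTEM, C = COMMUNICATION).

```python
"""Correlate SM59 "Remote Logon" activity on a source system with the logon it
produces on the target of the called RFC destination, then link hops into a chain.
Added example for this article, not Protect4S code; all layouts and data below are
constructed stand-ins for STAD / Security Audit Log exports and SM59 data."""
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)   # assumption: the target logon follows the SM59 call quickly

@dataclass(frozen=True)
class StadRecord:        # constructed stand-in for a STAD record with an RFC client call
    system: str          # SID where the record was written
    time: datetime
    user: str            # user whose session issued the call
    tcode: str           # transaction the call was made from, e.g. SM59
    destination: str     # RFC destination name that was called

@dataclass(frozen=True)
class SalLogon:          # constructed stand-in for a Security Audit Log logon event
    system: str
    time: datetime
    user: str            # user the new session was opened for
    source_system: str   # system the call came from

@dataclass(frozen=True)
class Destination:       # what SM59 knows about a destination (constructed inventory)
    system: str          # system the destination is defined in
    name: str
    target: str          # SID of the target system
    user: str            # user stored in the destination (or mapped via trust)
    user_type: str       # USR02-USTYP: 'A' DIALOG, 'B' SYSTEM, 'C' COMMUNICATION

@dataclass(frozen=True)
class Hop:
    time: datetime
    from_system: str
    actor: str           # user in the source system
    destination: str
    to_system: str
    as_user: str         # user context gained in the target system

def detect_hops(stad, sal, destinations):
    """One Hop per SM59 call that produced a matching logon on the destination's target."""
    by_key = {(d.system, d.name): d for d in destinations}
    hops = []
    for rec in stad:
        if rec.tcode != "SM59":
            continue
        dest = by_key.get((rec.system, rec.destination))
        # Only a DIALOG user can open an interactive session, so Remote Logon
        # over a destination with a SYSTEM or COMMUNICATION user is not a hop.
        if dest is None or dest.user_type != "A":
            continue
        for ev in sal:
            if (ev.system == dest.target and ev.user == dest.user
                    and ev.source_system == rec.system
                    and rec.time <= ev.time <= rec.time + WINDOW):
                hops.append(Hop(ev.time, rec.system, rec.user,
                                dest.name, dest.target, dest.user))
                break
    return sorted(hops, key=lambda h: h.time)

def chain_hops(hops):
    """Link hops: landing in system X as user U and hopping on from X as U is one chain."""
    chains = []
    for hop in sorted(hops, key=lambda h: h.time):
        for chain in chains:
            if hop.from_system == chain[-1].to_system and hop.actor == chain[-1].as_user:
                chain.append(hop)
                break
        else:
            chains.append([hop])
    return chains

def summarize(chain):
    """Render a chain as USER@SID -> USER@SID -> ..."""
    steps = [f"{chain[0].actor}@{chain[0].from_system}"]
    steps += [f"{h.as_user}@{h.to_system}" for h in chain]
    return " -> ".join(steps)

# Constructed sample data: ALICE hops DEV -> QAS as RFC_ADMIN, then on to PRD.
T0 = datetime(2024, 1, 15, 9, 0, 0)
DESTINATIONS = [
    Destination("DEV", "QAS_ALL", "QAS", "RFC_ADMIN", "A"),    # DIALOG user: hoppable
    Destination("DEV", "QAS_BATCH", "QAS", "RFC_BATCH", "B"),  # SYSTEM user: not hoppable
    Destination("QAS", "PRD_SUPPORT", "PRD", "SAPSUPPORT", "A"),
]
STAD = [
    StadRecord("DEV", T0, "ALICE", "SM59", "QAS_ALL"),
    StadRecord("DEV", T0 + timedelta(minutes=1), "ALICE", "SM59", "QAS_BATCH"),
    StadRecord("QAS", T0 + timedelta(minutes=5), "RFC_ADMIN", "SM59", "PRD_SUPPORT"),
    StadRecord("DEV", T0 + timedelta(hours=1), "BOB", "SE38", "QAS_ALL"),  # ordinary RFC call
]
SAL = [
    SalLogon("QAS", T0 + timedelta(seconds=3), "RFC_ADMIN", "DEV"),
    SalLogon("PRD", T0 + timedelta(minutes=5, seconds=4), "SAPSUPPORT", "QAS"),
    SalLogon("PRD", T0 + timedelta(minutes=40), "SAPSUPPORT", "QAS"),  # too late to match
]

def run_example():
    """Return one summary line per detected hop chain for the sample data."""
    return [summarize(c) for c in chain_hops(detect_hops(STAD, SAL, DESTINATIONS))]
```

Running `run_example()` on the sample data yields a single chain, ALICE@DEV -> RFC_ADMIN@QAS -> SAPSUPPORT@PRD: the SM59 call over the SYSTEM-user destination and the ordinary RFC call from SE38 are ignored, and the late PRD logon falls outside the window. In a real landscape the join keys would be the actual STAD and Security Audit Log fields (calling host or terminal, logon type, timestamps in the system time zone), the inventory would be pulled from SM59 on each system, and a hop over a trusted destination that uses the current user shows the same name on both sides of the hop.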
An example of how Protect4S Threat Detection alerts on RFC hopping is shown below:

Once RFC hopping is detected, it is critical to follow up immediately. Threat Detection solutions can be configured to send e-mails to monitored mailboxes or to forward threats to your SIEM. Next steps typically are to establish why the threat occurred, what the user did in the target system, and whether the activity was legitimate.
Key takeaways
To summarise the above, detecting RFC hopping is important since it often indicates malicious behaviour and can lead to access to productive data. By detecting RFC hopping at an early stage, you can limit further risk to your SAP systems.
Protect4S SAP Threat Detection is a powerful solution that helps organisations protect their sensitive data in SAP systems from unauthorised access and other threats. By using default best-practice values and setting up custom rules, organisations can quickly detect and respond to suspicious activities and prevent compliance and security breaches which might lead to fraud, espionage or sabotage.
Interested to learn more? Want a demo? Or start a free Proof of Concept? We are happy to tell you more about our SAP Vulnerability Management and SAP Threat Detection capabilities. For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!