limkedin Skip to main content

Detecting execution of Operating System commands in SAP 

Another SAP Threat Detection use case powered by Protect4S 

image - Detecting execution of Operating System commands in SAP 

As outlined in earlier blog posts, typically within SAP systems, there is a trust relation between the SAP Application layer, Operating System layer and Database layer (where all the data resides). This can be displayed as below: 

image - Detecting execution of Operating System commands in SAP 

This means that full access to one of these layers provides full access to the others. For example, SAP_ALL on the Application layer or the execution of Operating System commands under the SAP OS user, implicitly provides full access to all SAP business data in the Database. This means that the execution of Operating System commands should be monitored closely to prevent privilege escalation and prevent further abuse and exploitation of your SAP systems, minimizing the impact of data breaches and costs.  

An example: Report RSBDCOS0 to rule them all 

In SAP systems there are several ways to execute Operating System commands. One direct and easy way is report RSBDCOS0. This report is present in any SAP system and allows direct OS command execution under the <sid>adm user on the Operating System, for example: 

Operating System commands-2

Even though this report can only be executed with high privileges, its use should be monitored closely to detect abuse. 

What risks are related to report RSBDCOS0?  

This specific report makes it very easy to execute Operating system commands via the SAP Gui like you are on the OS layer. From there it is just a small step to create an SAP user directly in the SAP Database in stealth mode (See here for an example script on GitHub we published earlier) or gain access to the full DB schema containing all business data.  

How to detect Abuse? 

Detecting abuse of this report is important in ABAP-based systems and can be done via the SAP system Log (SM21). This data source records the commands executed via this report and are captured in our Protect4S Threat Detection solution. This data source is being read periodically for events and it is determined if unwanted malicious behaviour has occurred. An example of how Protect4S Threat Detection alerts related to the RSBDCOS0 report look is found below: 

Operating System commands-3

If abuse is detected, it is critical to immediately follow up on this. Threat Detection Solutions can be configured to immediately send out e-mails to monitored mailboxes or threats to SIEM Solutions. The next steps typically are to see why this Threat occurred, why these OS commands were executed and if this was legitimate or not, etc. 

Key takeaways 

To summarise the above, detecting execution of Operating System commands is important since this can have a big impact on the security of your SAP systems and can lead to full access to all business data. By detecting abuse at an early stage, you can prevent further risks to your SAP systems.  

Protect4S SAP Threat Detection is a powerful solution that helps organisations protect their sensitive data in SAP systems from unauthorised access and other threats. By using default best-practice values and setting up custom rules, organisations can quickly detect and respond to suspicious activities and prevent compliance and security breaches which might lead to fraud, espionage or sabotage. 

Interested to learn more? Want a demo? Or start a free Proof of Concept? We are happy to tell you more about our SAP Vulnerability Management and SAP Threat Detection capabilities. For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!