
Thank you. So we're getting through the last leg of the talks today, and we have Julian and Wasim, who are here to talk about how to identify, exploit and defend SAP environments. Wasim works for NO MONKEY and Julian for Forite, so we'll see how SAP environments are really secure. How about it? Thank you.

All right, thank you very much for having us. Quick question: who works for SAP here? Good. Hosting SAP in your environments? Come on. All right, so to give a small overview, our agenda, we'll come through all this, but I do want to start with SAP. If nobody has, I mean, you came across SAP, but to see if the complexity of SAP is actually a blessing, you know, for attackers, or is it actually a curse. So red teamers, please take notes, it's going to make your life even better or easier when you have that arsenal.

So first of all, lines of code. Let's talk about the application level. We see from different applications the estimated number of lines of code. Can anybody guess the 84? This is in millions, by the way, not just 84 lines of code. So can anybody guess which application the 84 million lines of code belongs to? No? So this is, yeah, this is Mac OS, I think Tiger that was there, and then SAP with a booming 319. This is their own code. I'm not even talking about custom code, I'm not talking about third-party add-ons, I'm just talking about their Business Suite. Yeah, no, no, nothing, you got to wait for it, no fixes.

So let's take another step forward and see what kind of, you know, vectors. So this is a very old SAP ERP. Yes, it still runs in different organizations. You see there's a lot of entry points where you can speak to different processes. I'm not going to explain to you every single process right now, but just to have an idea of where ERP was, still is, and how big it has become. So if you can imagine, double the size for the S/4HANA implementations or any kind of other ERP that is produced by SAP. So are you imagining the attack vector yet?

All right, let's take it a step forward and see the different network components that SAP has. They're not scary. SAP Router is not a scary thing, it's a dummy router. So yeah, web dispatcher, you have Cloud Connectors, you have different kinds of gateways that connect to your on-premise or even to your cloud environments when it comes to SAP. So what you also need to think of: we spoke quite a while today about, for example, HTTP or common protocols, I hope it's better. But for example, like the satellite talk, we spoke about stuff which is maybe older than myself. Welcome to SAP. When you see that RFC or the DIAG, that's proprietary stuff SAP has developed in 1992 and earlier with knowledge from IBM, and well, it runs exactly the same as at that time. So guess what was missing at that time? Correct, encryption. So by default that stuff is missing. There is a solution, we will come to that. But when you now look, those are proprietary protocols: users accessing your business data, and business systems speaking to other systems, and that could be IoT, that could be another business system, that could be maybe a partner system, by the way over the Internet, that could be I don't know what else.

And now maybe you know where SAP is used, for example in healthcare. Your medical records in a hospital, when you come there and you have an accident, are in an SAP system. And if you ever worked, for example, in that environment or in a financial system, you know when the SAP system is down, you're lying there half dead: sorry, SAP's down, we cannot help you. It's secure, by the way. And it's secure, by the way, of course. So just keep that in mind, what SAP is.

Absolutely. So as Julian was saying, they have their proprietary protocols like DIAG, like RFC, that have been built off of IBM knowledge and then SAP knowledge and so on and so forth. So imagine the amount of patches that you have to do around these different kinds of protocols. And then SAP really wants to go to cloud, so you know RISE is the solution. Have you heard of RISE before? RISE with SAP? Yeah, it's amazing, right? They take all those responsibilities that you had for protecting an SAP environment and they will take care of it. But then they send you around 50 plus, 60 plus pages of data telling you that it is an additional service to protect you from disaster recovery, it's an additional service to protect you for high availability, you name it. If you want this document, please come to me, I will send it to you happily. And then SAP would like to go to AI with Joule, and it's amazing, and the first thing that they did, you know, is yes, it got spawned: AI vulnerabilities exposed customer cloud environments and Private AI. Their defense: it's still secure and isolated and all of that. So are we imagining how SAP's attack vector is quite impressive?

To give you the background, I come from a cybersecurity blue and red team. I went into SAP security around five, six years
ago, and I tell you that what I found (Julian has been doing it for years), what I found is that the same things that they have been doing before I jumped in are still existing. Standard users are still existing with standard passwords. I'm just giving you an example here, but yeah, anyway.

Some myths around SAP which I like to always showcase. Zero trust: what the gentleman, Aaron, showed about zero trust, that's zero trust. So for SAP, zero trust is not a product. Please don't believe SAP people when they tell you zero trust is a product. They do. It's not a product. Yeah.

While identity and access management and authorization is really a big thing around SAP, it's not the only thing. So I've seen, coming into this environment or coming into this domain, when we talk about SAP security they only talk about those IAM and authorization guys. They miss out on those other interfaces, they miss out on the entire environment, they miss out on the network. So they're really isolated, sitting somewhere fancy. They're not like IT administrators in a bunker or somewhere. They have budgets, really huge budgets, when it comes to SAP. So they are stuck somewhere doing IAM and authorization, they miss out on everything else.

One other thing is that, you know, what companies do is they really enforce some controls, some controls only on the production system, and there's a lot of staging levels for SAP systems. So you can imagine going from a development stage to an acceptance stage to a regression stage, and yeah, we don't have to put controls there, we keep it a flat network, no network segmentation, amazing, but we should protect only the production environment.

So the SAP Basis team takes care of security. Think of the SAP Basis team as IT administrators. So the skill set of actually protecting an SAP system is not there, so they will not know how to even start or where to start from. There's an ongoing, what do you call it, discussion between SAP Basis guys and ourselves on: yes, you guys do not know how to protect those environments, and you could test that.

SAP systems are isolated: I think we just proved how they are connected, how different environments, the cloud, different hyperscalers, they are not isolated. So yes, you need that protection. And finally, one that I hear with most of the customers that I work with, well, not now, but before, is that it's German made, it is secure by default. Do you believe that? But actually, none of this, none of this. Yeah, the only thing that keeps me from sleeping, or from lack of sleep, is actually what SAP protects. It protects 72% of your production. Imagine, imagine those breweries getting hacked, what Oktoberfest would look like, the, yeah, the horror. Imagine waking up, there's none anymore. The hospitals, look at that, exactly.

And it's really used in breweries. We did some pentests, not red teams, they don't like to touch anything else, they will be very specific and scoped. You really can turn off, without doing any kind of reconnaissance, just knowing which port to look for, and you could turn off an entire beer brewery production, whatever. So yeah, that's something, this is why I came to this domain, to help beer producers do that.

All right, moving on. Some of our project goals now for OWASP, now to get into some of the details. We did want to provide that standard. SAP is not a security company, even though sometimes they act like it, but they really say that we are not a security company. So we want to create that standard, whether it is through the tools that we are producing or through the standard that you will see soon. Yeah, tools to verify those security standards, and of course to find a single point where everybody can come through this project to understand about SAP, whether you are SAP or you are not, to understand what kind of protections you can put, how you can test, how you can verify, how you can exploit your environment in a safe manner, in that trusted area which is our OWASP Core Business Application Security. And of course another project goal is just to piss off some people and vendors, yeah.

So to give you an idea of how the OWASP Core Business Application Security looks right now, we have different people working on different stuff, mostly around, you know, deception, adversary simulation, attack surface management. Julian is leading the SAP attack surface discovery, which we will have a look at. But most of these projects really help you improve, let's say, at least give you an idea of what SAP looks like in your organization or outside, where it is exposed. And then on top of that, or on the bottom, we build that verification standard, where it's really needed for people to know how to protect it. Okay, I found this, how can I take a dummy how-to guide on how to protect SAP from these pitfalls? And this is what it provides. There's a lot, a lot of work still to do. We're trying to move now from Python 2.7 to 3, especially around HoneySAP and pysap, I'll get to those in a little while, but we are trying to improve that. So the more contributors we have... we have great contributors like Jonathan Gonzalo, so there's a lot of the SAP community that do contribute to this project. Up to you.
So that's just a simple introduction. Maybe to add, pysap, just to have an idea, it sounds super fancy, that's really a reverse engineering of all those proprietary protocols. So just take that up front, that's crazy.

So, the attack surface discovery. Sounds a bit like marketing, sorry for that. I'm super interested in what's going on around who exposes their SAP systems, and well, what should I say. So we introduced you to one of the other services. So SAP has, my gosh, I don't know how many different services you can technically expose, which is super crazy on SAP. They more or less dynamically generate a port when you start up that application stack. So especially for firewall and network administrators, you have a lot of fun, because someone tells you hey, I need access, and you can say, well, that's a potential port range of 100 ports, which should I open? And guess what happens? Yes, 90% of what we see on audits is 100 ports are open, congratulations. And not only sometimes to internal communication, also to the public, because to be honest, for someone who just does network stuff, SAP is really a black box. You have no understanding of the service, and how should you? That's a whole business world where you have tons of different silos, like developers, engineers, administrators and stuff, they do only SAP. How should you as a network guy, who has another silo by the way, take care of that SAP stuff? That's like if someone asks you to run the whole IT and you have skills in everything, that's impossible.

And when you look at all those services, I just picked a few. Let's grab for example that SAP Router. So what SAP had to think about many years back, when you had just a modem and you tried to reach another system over the Internet: the problem is if you now have, I don't know, maybe 50 or 100 SAP systems, you need to expose all those ports and they maybe collide with each other because they are the same port number, so you cannot expose them all on the same IP address, and getting an IP is a bit difficult, especially in the meantime for IPv4. So what SAP did say: hey, we have a great idea, let's build a service which listens on one port, and on the client side you specify just "I want to connect to" like an application gateway, and this one then just redirects internally and allows it to access the other system through that single port. Let me introduce you to SAP Router. What is the security mechanism in there? That's an ACL: source, destination, service. You may think now, well, cool, SAP, only proprietary protocols and their own stuff works. No, which is pretty cool, you can also tunnel through that proprietary protocol called SAP Router: SSH, HTTP, telnet, whatever you like, as long as it fits in the packet. And for example pysap has a great proxy for that, you can just spin it up, route your traffic through and have fun, and you're in the internal network. By the way, you bypass the firewall because it's usually exposed.

And look at the numbers of exposed SAP Routers. Leading is India, congratulations there. Germany is on the fourth position. So of just systems, they are really set in the internet. That's just the service exposed, that's nothing bad, it's intended for them. Other services which are a bit better: the so-called dispatcher, for the user to access the SAP system through the fat client, the GUI, something you definitely should not expose, because you can use that as a [unclear] for that, that's made for having that remote access. Yeah, it was quite a few, again India is on the top, then you have China, United States and South Korea, for example. Those are all systems in those countries exposing that service to the internet. Even more interesting on that is, so as I mentioned, SAP generates a dynamic port. It's quite common that many people use 00 as the instance number, so I only scanned one port, I ignored 99 others, I don't know what else will come out there. And just maybe as a background, have you ever tried scanning the whole internet? So for one port, if you have a good hoster which for example ignores abuse reports, it takes about 40 minutes to scan one single port over the whole range. Multiply it with some hundreds, and the problem is when in the cloud it's dynamic, it's a bit challenging. That's why I only took one port.

The RFC gateways for server-to-server communication, similar, should not be exposed, strict guidelines, don't do that. There are vulnerabilities in that, and those, well, it's not a vulnerability, it's intended by design. When you connect to the service it doesn't have any authentication, and there's a process allowing you to execute OS commands. Maybe Google for 10KBLAZE or Gateway to Heaven. Pretty sure they're not... well, to be honest, that scanner indeed found some honeypots, and you can easily identify those, they're responding on all ports. It was super interesting, because wait, how can that thing have 100 ports open? Yeah, I found some, so it's not cleaned up. But yeah, RFC Gateway.

Let's go back to the SAP Router. I found 8,793 worldwide. What do they do? They just leak a version number and their hostname. Favorites of mine are like that one, it's the HR productive system that one is running on, and it's exposed to the Internet. So think about it, potentially someone could find maybe a vulnerability on a thing that allows to get remote code execution, where are you? On the productive HR system, nice. But that's just a potential use case. So we want to have something which is like, that's a problem: 93 of those routers allowed me to dump their connection table. So what does that mean? That SAP Router has a built-in function which allows it to monitor that application. What does it do? It just prints you that source is connected to that destination on that port. So I get some internal insights. This also means I know which source is allowed to which destination, I know internal IP addresses, I know public IP addresses, maybe who is connecting to that. Another one is that feature is disabled since various updates, I think they patched it around 2014. That stuff still runs there. And if I now tell you that, for example, I found some gold mining companies in China exposing their systems through that, and you can then connect to that stuff and connect to the SAP system, if someone potentially would do that, and you maybe find then some hard-coded credentials on an internal production system, what would you do?
If you speak Chinese, you can order some gold, yeah. So it's super interesting. So the problem is, that's like, so I lovingly call it the forgotten component, because the SAP Router is quite often just thrown in the network, usually, hopefully, to be honest, based on my statistics never runs in the DMZ, and most times runs on some production machine on the side, which is super scary. It should be running in a DMZ on a standalone box, set away. But I also found many of those running for example on Windows Server 2003 without a service pack. The good thing on those is no one can really exploit them anymore, because no one has any idea how to exploit those old systems. That's really a good thing, but that's the only one. Now it has some pros and cons. The problem is it's really badly secured. So that's what we did here.

Some other stuff we found is, for example, we get those system names. I extended it a bit, you will see it in the demo. On the SAP fat client you have there a common field where I can put in free-text system information: hey, that's a production system, be careful what you click on, don't push stuff on Friday, blah blah blah. Some people really put their demo systems out, for example consulting companies or maybe sometimes even SAP themselves. Where would you place your demo credentials so that no one really forgets them? Right on the login page. So you sometimes find their login information.

Another one is one of my favorites. So SAP, it's big, thousands of users running against it, so you need load balancing. It has a message server. Let me introduce you to that server. And the message server has the cool feature, you connect to it and it will say go to server X, you get redirected basically, and then you can log into the machine. It has two ports. Well, yeah, it has two ports, dynamically generated, an internal and an external. With that Gateway to Heaven, we also spoke about that internal port, again lack of authentication, and that internal port allows it to change parameters and also dump parameters. And what you see here, for example, that ms/monitor, that's basically, you can enable that, it's a monitoring service. So zero means only the instances themselves can see each other and see which services are there and how the load is. If it's set to one, external can connect from wherever and change stuff. And if you then see like that ms admin port, that's why I included that, connect to that port, congratulations, you now can change whatever configuration parameter an SAP system has. You can change it and switch it when it is dynamic. That means, for example, enable hard-coded user passwords in credentials. So you basically have taken over that system. And when I now tell you that SAP recommends to not install an EDR and AV on an SAP server, you will laugh. As a red teamer it's like a wildcard breaking into a network. You have no visibility of what's going on and who is executing what.

And yeah, at the end, that's one of my tests which maybe potentially someone could have done, we never do something like that: hard-coded credentials in various systems from SAP. So SAP is multi-client capable, so for example I know from some public government systems in Germany that there's one hoster running 500 different communities in one system. It's made for that, that's a pretty cool thing of SAP. But there's always one that's shipped by default, that's zero, and it goes up to 999. You can iterate those and figure out maybe if someone adds by accident a new one and does not add any user or data and sets the wrong parameter, you have hard-coded credentials enabled and can break into the system. And if you think that there is no OS execution capability in SAP, no, there is.

So let me give you a quick demo of what we do with the attack surface discovery. So the idea of the whole project is providing a relatively easy way to identify which services are exposed, and if you have maybe some critical exposure like those message servers, are there some parameters there, do you maybe have set up your security properly? You can avoid that message server stuff if you just flip a single parameter. It's just turn on automatic encryption, it's there, you just need to turn it on. And the idea is to provide it in a simple way and in a streamlined way. There are some tools out there, but you need to know what you do, and it's a bit complex to handle all of those if you're not in the insights of what the hell is SAP. And that's what we tried to do on that whole attack surface discovery, have streamlined tools.

So a lot of the stuff I work on is based on nuclei, I guess some of you will know that. It's easy, you can use TCP and HTTP services, write it in YAML, and you can extend it super easily. And for sure there's nmap and so on. So what we do is we find open ports, then enumerate the services, look what we can find, and then check what we can do. And just to show you a bit of the tools and capabilities that we have, for sure we will compromise the system, it's staged of course. So what we do, and that's one thing also for the attack surface discovery, so we spoke about all those tools up front: hey, install all those on your machine, please. And maybe you're in an engagement where you only get like a Citrix desktop, that's bad, so you can also not really use scans, and then you have dependencies, and that's all the problem. So we started creating just a container. You have one environment with all the tools we describe in our wiki. So we also have, for each service, started writing a wiki where you have how you can find it in Shodan, what does the service do, what is the problem with that, which attack techniques or non-vulnerabilities and stuff exist, because also that is sometimes a bit confusing and you need to read 500 articles. We have a container, you have a full-fledged environment to play with, all the other tools are in the container. One hint I noticed: don't run the container on a Windows machine with Defender enabled, except if you want to have like a Christmas tree light up, because some stuff Defender doesn't like, and it seems like Defender can look into containers.

Usually what you do, you start up with an nmap scan. Let's just simply do that. There is indeed a tool, it's like a data pattern for nmap created regarding SAP. It's not 100% accurate anymore, but it still works great. Just Google nmap minus SAP, it's out there on GitHub. You can use those and
identify certain SAP services. It helps a lot. If not, you will have an output like that. I can bet, I think SSH is the only one which is right, everything else is wrong, it's just default identified, but that's what you get back, and that's even a stripped view. Besides that, if you now want to run it, for example, through nuclei, that nmap output doesn't really help, because nuclei for example requires you to have IP address colon port, so you need to reformat that. I'm not that proud, I'm not a good coder, but that script does its job. It just takes the nmap XML output and creates you a target list of all the IP addresses and ports. It's out there, grab it, play with it, have fun. There we go.

So as the next step, what we will do is just scan that whole... I think I deleted something in my notes. Cool, here we go. Run those nuclei templates. So when you look, let me, no, I don't have it there. So what you can do, you create for each service, or whatever you try to detect, a nuclei template. Now I don't want to run, I think it's about 40 templates, manually. You can create workflows, you can summarize those, and I started just creating one big workflow. Just run your workflow against your target, let's see what's coming out. It will take a bit, but we try to identify as accurately as possible. We are not intrusive, so we are not flipping any parameters, we are not really breaking anything. It's more like just looking around, getting visibility, what's enabled. So one thing we didn't mention, but SAP changed their RFC, by the way, to WebSockets. Anyway, you can see we get some information. We see, for example, hostnames, internal IP addresses, those weird UPD, BTC, SPO, whatever, that's just a description of which server is running which process and provides which capability. But if we go a bit down you see we can dump the ACL on that system. We have that monitor service enabled, and maybe that looks a bit familiar, that's just us scraping that logon screen. We can just look if there's something of interest, besides for example that SID, which is always three characters, usually numbers and letters, with some exclusions, and a hostname. So we can also try to scrape that. It's super interesting what you can find, because sometimes you know then which company that system belongs to. And yeah, some famous Russian companies, by the way, are also running SAP. It's quite interesting.

Anyway, getting that information and getting that visibility is just that: what is exposed on my systems, either to the internet, or maybe if you try to run that through your internal network, to see what do I expose there. We had various, yeah, I wouldn't say companies, but yet coming over and saying hey, I didn't even know that we expose our system, and by the way, when we saw that it is exposed, we also recognized we have a brute force attack ongoing. Why did you not see that? No one looked into that. And even if I asked the firewall guy why it's exposed, he said, well, I don't know, it just happened. It's like, okay, please monitor your stuff. And I know there are some projects out there which automate that nuclei run continuously. When you have a company, look what you expose on your public systems. It's super important.

Continuing with that, we have our system, let's see what else is working. So when you go into pysap, there is a DIAG logon brute force, and I told you there are some SAP default creds. Google them, they're there publicly. If not, you can also get them in the repo. And what it does, it simulates a client connection and can enumerate all those different clients. If not, it uses the default, and just checks, like a, what's it called, a password spray, throws them against it, because there are defined pairs, and says hey, that's the default credential, and you can see we can log in with those. So they're available, like that SAP* and password. That's by the way the hard-coded password, so if you flip the parameter and the user doesn't exist, it's hard-coded in the kernel, so you cannot delete that or whatever. Either you disable it or it's there. And guess why DDIC has that password? What happened at that date? That's just that date, and by the way the other default password for SAP* is just the same date reversed, 06 07 1992. And those are all known. So that's SAP, how it is. And for example that hard-coded SAP*, you would think about, like, an insurance company, they have their security maturity and they know about that. I did an audit about four and a half years ago for quite a big Swiss insurance company. It was like, hey, why is that enabled as a fallback? Just insane. So many people enable that stuff because it could be just a fallback if something goes wrong. We did some cool fancy network stuff. Let me continue a bit. So we have
another Tool uh just reconnect here come on windows thank you so we so when you now have access to the sap system it's cool congratulations now but how can you tend what you do the problem is sap itself has completely different handling which you maybe are aware from a common other application and there's another project called SCP Killen which tries to help you bid on that so what you need is that SCP green installed um that's the fat CL of sap it just minimized it here quickly just looks like that where is it there we go here's my guy um you can put in a system the IP address and more or less that's it and when you have the
system connected you would double click on that maybe something looks familiar Dar under right it's that common field where you can put in free text some some companies even put logos in there um it's super cool because sometimes really it helps because you manage uh hundreds sometimes of systems and you want to know is it production as a test as a development because they have Landscapes so there's maybe you break into a death system which is even better um so and then you log in and it's a gooey whoever worked with sap I think you know what I'm speaking about um so the sap killan you just basically provide the path to the sap gu and then
you can specify the connection and it will automate you a lot of that stuff so let's take our system from before I already prepared that let's go into that managing client and it's the hope I didn't have it wrong and we are locked in you do not see anything that's happening in the background so what is cool with that so SCP GUI allows allows you to run scripts so you can record actions which you then can automate based on that GUI so what we do it looks right right now if you're a legitimate user grasping fruit at SCP system which is not worse but uh SCP GUI is bit complex to handle that's why we
go that way so in the background you see it a bit down there it's blinking in Orange it runs in the background for us on the scui what we can do now here some example protocols is just execute and check if we can execute operating system commands like who am I and yeah what should I say I hope it works it did execute anything I have a demo video that works yes two days ago yeah it's always yeah didn't help um or other stuff maybe we can see them background ah let's run it again here we go we have username which is our service where the sap is running on we could now break for example the
operating system again no EDR usually or AB so you do not need to be set up any a bypass and yeah you can fully compromise the corporate Network without even being detected on a bad day there are mechanism in place but the biggest problem for sap is not that there is like an exploit this also case especially for Java but 99% of the attacks against this P misconfiguration because it's too complex and you can easily mess it up and it sometimes it's too annoying to configure it securely and with that just again what we do I mean we spoke about that what we build tons of services that's not even the half of what we
should Implement uh if you identify any servers feel free to open issue please help us because also for us or right now especially for me it's a lot of stuff to do that I do that just in between when I cannot sleep in the night um and it's you need to fingerprint that you need to have the service up and running so wasting a lot I think I have 10 or 15 SCP systems in the meantime at home running um just to test different uh Styles in addition what we did we collaborate with hunter. how which allows so the problem with Showdown is they scan only about thousand something ports which doesn't include the one from sap
mostly and hun. how technically scans all 6 uh 65,000 whatever and we're build in like the ability that you can search for service like SCP Gateway and you find all the RFC gateways exposed to the Internet so that helps a lot they were super helpful and that's pretty cool we have a Wiki section and happy for any collaboration we work on more uh extended as much as we can and with that back to you um just to put it out there um sap is really doing some some good work in terms of um um putting the requirements or security for the organizations but organizations don't actually take that um standard and and um let's say
implement it. So that verification standard, based on the attacks, will just enable you to actually... it's very dull right now, we're trying to improve that, I know. So we're trying, for instance: what we saw with the attack flow is that for those standard users there is a long, let's say, standard or long requirement that you can actually implement or check if you have it. So this verification standard has all of these different areas where you can take and implement on your SAP system. Of course, start with development and then go up; don't implement it directly in production. But we are trying to work here on, you
know, visualizing this a bit better. But you have different controls, also controls for BTP, right now it's the thing, so there are security controls when it comes to the verification. So you could find different areas under the SAP Security Verification Standard, under the OWASP project. Yeah, you could see more around the HANA technology here, so it really gives you an understanding. Also we tried to map it to different, let's say, not standards I would say, and then directly towards the NIST Cybersecurity Framework, so you as a cybersecurity expert or information security expert can understand how it is related, because I mean a lot of people speak that NIST Cyber-
security Framework, so we want to try to map that towards SAP security. pysap: just some features that pysap gives. It's built on top of Scapy, if you've heard of it, so we create packets, whether we are doing some attack emulations to improve use cases around SAP or to enhance monitoring. So it does actually dissect and craft network protocols around the different proprietary protocols of SAP, so it's quite a big project around pysap. Now our focus is shifting it to Python 3.whatever, yeah, the latest one. And then of course our HoneySAP, which is really, we use it a lot when we are doing some pentests, it is emulating an
application server where individuals can log into that HoneySAP. We're trying different ways to introduce honey users into it, from what John was speaking about in the morning. But with SAP you need to be careful when creating stuff, because their license model is amazing: so if you actually create users and do not lock them, you will pay for those users, so lock them. Yes, you can create users as service users and they won't charge you for it, but make sure, when you are doing some sort of honey users or honey tables when it comes to the database, to try to understand the licensing around that. I'm not an expert in licensing; there are departments
and departments for SAP licensing, so ask them. You want to say anything? No? All right. So to give you a small mapping around the attack flow, how those different tools work together under that same umbrella: we saw from the attack surface discovery how we can, you know, find those ports and enumerate services. Don't do it just from an external perspective, do it from an internal perspective as well. Some of these SAP systems are not published externally, but still they are published internally and exposed to different networks, so look into that perspective as well. With pysap, actually, we did some scanning and testing around default credentials in that area. And then finally, with our SAP K, what we
did is, yeah, compromise the system through the different validation and checking those permissions. So check it out. Of course, support us, whoever is interested; we have a community, I'll show you now the QR codes, you could join us. And Julian would like to give you some SAP, whoever likes an SAP system to test on, so scan this QR code, as everybody before us said, trust me. So one thing to add maybe: if you want to share the pain, you know, if it's shared it's a bit easier to handle. That's, so what SAP... so first of all, SAP is not that bad at all in security.
No, they provide solutions, they provide ACLs, they provide capabilities and guidelines; they do their work. But most of the responsibility is also on the customer side, that you need to implement it. You cannot blame someone because you're not able to look left and right when you walk across a street; you cannot blame the police or the state, it's just you. SAP also provides demo systems for developers for non-commercial use (I need to say that because we are recorded), and so that's a container. I think it's one of the smallest SAPs I've ever seen, I think it's four CPUs and 16 gigs of memory. They even say that they will keep it updated over the year, so
there will definitely be an update, maybe in the next year or so. The cool thing is it's in a Docker container, and basically what you see there, what I created, is just a bit of Terraform automation around it to deploy it on AWS, because even if you run it on Docker you need to have that machine available, and for example on a Mac it doesn't work anymore, so you need to have x86 hardware and stuff like that. That's why, that's just Terraform; you can even run it on-prem. Feel free, if you're doing any research, and then tell us what you find. Yeah, please. So yeah, we have a Discord; we're not that big, we're around 30-40
people there, and our page for OWASP. So thank you very much. [Applause] Any questions? Do we have any questions?
Hello, hi, here I am. I just wondered, because actually I do not have any experience with SAP, so please be kind to me, but someday in the past a customer success manager, I think, or a sales manager from SAP came to us because they have this new cool threat detection module which they would like to offer to us. So do you have any experience with that? You mean Enterprise... Yeah, exactly, the Enterprise Threat Detection module. It's something like a SIEM where they have pre-built rules and they can detect every move you take within that system. So the short and the long: other
than it being quite expensive, it's good if you understand SAP, but you really want to understand your entire environment as well. So how would you collaborate with your SOC team on doing that? So you can ship, I'm not sure if they introduced that recently with ETD, to ship logs or whatever you find in ETD into a SIEM so you can start doing use cases. It's really good when it comes to building or doing forensics, and not just forensics but doing some sort of incident response, to find how things started or what kind of threats are there. It's quite good, but you really need to understand how to connect it to your
entire environment, SOC, because attacks are not just happening on the application level, attacks are happening on your entire, let's say, stack, so whether it's the network, whether it's the host, it's happening everywhere. So it's just how you operate it. Any other words? Yeah, from my experience, with ETD you need a team which is dedicated to run that, you need SAP guys understanding what they see. The second one is there are two versions: there's the version you can install, which basically means you need an SAP HANA license for the database, which is an in-memory database, so you also need the hardware for that, which ingests your logs. The cool thing with that is that
SAP built into their kernel layer a proprietary API which allows that before that log is even written, it is sent to that ETD. That's a pretty cool feature; the problem is it's only for ETD. When you go to the cloud version: so ETD delivers you patterns, which are like the pre-built rules from Elastic, with, I would say, that amount compared to what Elastic provides. When you go to the cloud edition you get even less; they have not fully... it's the same system, just run by SAP for you, but they were not able to transfer all those patterns over. I think you get in the normal one 120 patterns and in the cloud 140, and it's, to be honest, also in my
opinion, freaking expensive, because you have to license the software usually. But on the other side you can get it halfway free if you're in license discussions with SAP. So just for everyone else, think about license discussions: we're not speaking about some thousand bucks, put some more zeros on the end, it's usually about millions. If you are thinking of doing some sort of monitoring, so think of connectors, where you are shipping yours through some sort of connector to your thenes like watch. I hope that SAP account manager likes... Don't tell him our... Yeah, better not. That's one of our goals, you know, piss off a lot of people, doing it successfully. Any more
questions? Thank you. Thank you so much. Any more questions? Okay.
I know indeed of a tool, but I think it's not in pysap, which allows you to decompress that. The repo source, I know about that, it's in a different
repo. But it's... posan reports a lot of zero days for SAP; I hope they listen to you one day, but awesome research. Yeah, but yeah, there's a way. And so also for everyone wondering what SAR is as a file type: it's the SAP tar.
Yeah, do we have any more questions? Anybody? It is regarding the threat detection module that SAP sells: are they selling rules, like what you call patterns, or patterns and logs? Is there a possibility, if you don't pay for this license, to collect the logs and you create the patterns, if there is someone with a good understanding of SAP security attacks? When it comes to this, honestly, the
trick is: sell, get money and then ask questions later. But I haven't come across that; I'm not sure about how they license it. I remember once, but don't quote me, that it's quite a while ago, easily seven, eight years, it was per-user based, so how many users you have reporting back to it, but not sure if they changed it. And as I mentioned, depending on whether you're in license discussions with SAP, it could be that you get that whole product for free, because they try to throw it in to justify their whatever 2 million contract. Yeah, there are cheaper ways to do it with more patterns, but we do not want to do marketing
here, and it's not from either of our companies. So anybody else? Don't be shy. If not, one last word: we have stickers outside, grab some. This is just a community; yeah, the Security Silverback is just a community, it's not a company or an organization, so we are a bunch of people that... and we learned, when you work a lot in the SAP space, you easily get gray hairs, where I have a bit of cheating with my blonde hair compared to you, but that's why a silverback. So yeah, thank you, thank you so much.
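Editor's added example for the attack-surface-discovery point the speakers make above (a default top-1000-port scan such as Shodan's misses SAP because SAP's ports are derived from the two-digit instance number, and the same enumeration should be run from inside the network as well). This is not code from the talk, from pysap, HoneySAP or the speakers' projects. It assumes the usual SAP port conventions (dispatcher 32NN, RFC gateway 33NN, gateway SNC 48NN, message server 36NN, ICM HTTP 80NN, ICM HTTPS 443NN, Java AS HTTP 5NN00, HANA tenant SQL 3NN15, SAProuter 3299); a landscape can override any of these, so treat the table as a starting point, not as ground truth. The loopback listener in `selftest()` is constructed for an offline check and is not an SAP service.

```python
"""Derive the SAP-specific TCP ports for every instance number and check
which are reachable. Added example; not code from pysap, HoneySAP or the
speakers' projects. The port scheme below is the usual SAP default and is
an assumption about your landscape.
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Port conventions keyed by service, with NN the two-digit SAP instance
# number (00-99). Because the ports spread over 32xx, 33xx, 36xx, 48xx,
# 80xx, 443xx, 5xx00 and 3xx15, a top-1000-port scan sees almost none.
SAP_PORT_TEMPLATES = {
    "dispatcher (DIAG/SAP GUI)": "32{nn}",
    "gateway (RFC)": "33{nn}",
    "gateway SNC (secured RFC)": "48{nn}",
    "message server": "36{nn}",
    "ICM HTTP": "80{nn}",
    "ICM HTTPS": "443{nn}",
    "Java AS HTTP": "5{nn}00",
    "HANA SQL (tenant)": "3{nn}15",
}
# Ports that do not depend on an instance number.
FIXED_PORTS = {3299: "SAProuter"}


def sap_ports(instances=range(100)):
    """Return {port: service} for the given instance numbers plus fixed ports.

    Fixed ports win on collision: 3299 is both SAProuter and the
    instance-99 dispatcher port."""
    ports = {}
    for nn in instances:
        for service, template in SAP_PORT_TEMPLATES.items():
            ports[int(template.format(nn=f"{nn:02d}"))] = service
    ports.update(FIXED_PORTS)
    return ports


def nmap_port_spec(ports):
    """Collapse a port collection into an nmap-style '-p' spec with ranges."""
    ranges = []
    start = prev = None
    for port in sorted(ports):
        if start is None:
            start = prev = port
        elif port == prev + 1:
            prev = port
        else:
            ranges.append((start, prev))
            start = prev = port
    if start is not None:
        ranges.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in ranges)


def scan(host, ports, timeout=0.5, workers=64):
    """TCP connect scan. Returns the subset of `ports` ({port: service}) that
    accepted a connection. Run it from inside the network too: systems that
    are not published externally are often reachable internally."""
    def probe(port):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return port
        except OSError:  # refused, timed out, unreachable
            return None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = [p for p in pool.map(probe, list(ports)) if p is not None]
    return {p: ports[p] for p in hits}


def selftest():
    """Offline check: open one loopback listener (constructed, not an SAP
    service), pick a second port that is closed, and verify scan() reports
    exactly the open one."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    open_port = srv.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # released without ever listening, so it is closed now
    try:
        found = scan("127.0.0.1",
                     {open_port: "listener", closed_port: "nothing"},
                     timeout=1.0)
    finally:
        srv.close()
    return found == {open_port: "listener"}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: sap_ports.py <host> [instance ...]")
        print("nmap spec for all instances:", nmap_port_spec(sap_ports()))
        sys.exit(0)
    instances = [int(x) for x in sys.argv[2:]] or range(100)
    for port, service in sorted(scan(sys.argv[1], sap_ports(instances)).items()):
        print(f"{port:6d}  {service}")
```

`nmap_port_spec(sap_ports())` gives you a `-p` argument for a full-port-range tool when you cannot scan all 65,535 ports; `scan()` is a plain connect scan, so it only tells you a port is open, and fingerprinting what is actually listening (gateway versus dispatcher versus something unrelated on a reused port) still needs a protocol-aware tool such as pysap.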