Examples of Using MITRE ATT&CK Framework For SAP Threat Detection
MITRE ATT&CK® stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). The MITRE ATT&CK framework is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's attack lifecycle and the platforms they are known to target. The tactics and techniques abstraction in the model provides a common taxonomy of individual adversary actions understood by both the offensive and defensive sides of cybersecurity. It also provides an appropriate level of categorization for adversary actions and for specific ways of defending against them.
The behavioral model presented by ATT&CK contains the following core components:
Let us dive into a few examples of using the MITRE ATT&CK Framework for SAP Security:
Example 1: “New SAP_ALL Assignment” to T1098 - Account Manipulation (Persistence)
The "New SAP_ALL Assignment" alert has been mapped to T1098 - Account Manipulation because assigning the SAP_ALL role grants unrestricted access to all SAP system functionalities.
This action creates an opportunity for potential attacks and disruptions in business workflow processes. It also aligns with the definition of attackers manipulating the system to maintain access.
Mapping this alert to Persistence is crucial because the SAP_ALL assignment provides prolonged access to critical system data, enabling attackers to carry out malicious activities undetected.
This mapping benefits SOC analysts unfamiliar with SAP by linking a specific SAP privilege escalation event (SAP_ALL role assignment) to a MITRE ATT&CK technique. It simplifies threat identification, emphasizes potential risks, and highlights the need for immediate review to prevent abuse of high-privilege roles. Additionally, it bridges the gap between SAP-specific knowledge and general cybersecurity frameworks, enhancing the effectiveness of incident response.
Example 2: “Interactive login of technical IDM account” to T1078 - Valid Accounts (Privilege Escalation, Initial Access, Persistence)
The "Interactive login of technical IDM account" alert has been mapped to T1078 - Valid Accounts because technical IDM accounts are typically used for automated processes and should not require interactive logins.
These accounts are highly privileged SAP user accounts created by SAP. An interactive login with one of these accounts enables the person using it to perform suspicious activities.
Such actions (logins) can indicate Privilege Escalation, as technical accounts often have elevated permissions; Initial Access, if credentials are being used to gain entry; or Persistence, if the account is being used to maintain long-term access.
Mapping this alert to T1078 - Valid Accounts highlights a suspicious action that could indicate misuse of credentials.
It helps SOC teams prioritize investigating potentially dangerous accounts with broad access. This ensures that even analysts without SAP-specific expertise can effectively respond to credential-related threats.
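The two mappings above, turned into detection logic that a SOC could run over audit events, as an added example (not code from the article or from any vendor product). The event dicts, the account names and the profile names are constructed for the example; real SAP Security Audit Log entries and change documents need a proper parser in front of these rules.

```python
"""Tag constructed SAP-style audit events with MITRE ATT&CK technique IDs (added example)."""
from dataclasses import dataclass

# Hypothetical technical IDM service accounts; they should only log on non-interactively.
TECHNICAL_IDM_ACCOUNTS = {"IDM_SVC", "IDM_PROV"}

@dataclass(frozen=True)
class Alert:
    name: str
    technique_id: str
    technique: str
    tactics: tuple
    user: str
    detail: str

def detect_sap_all_assignment(event):
    """Example 1: SAP_ALL profile assignment -> T1098 Account Manipulation (Persistence)."""
    if event.get("type") == "profile_assignment" and event.get("profile", "").upper() == "SAP_ALL":
        return Alert("New SAP_ALL Assignment", "T1098", "Account Manipulation",
                     ("Persistence",), event["target_user"], f"assigned by {event['actor']}")
    return None

def detect_idm_interactive_login(event, technical_accounts=TECHNICAL_IDM_ACCOUNTS):
    """Example 2: dialog (interactive) logon by a technical IDM account -> T1078 Valid Accounts."""
    if (event.get("type") == "logon" and event.get("logon_type") == "dialog"
            and event.get("user") in technical_accounts):
        return Alert("Interactive login of technical IDM account", "T1078", "Valid Accounts",
                     ("Privilege Escalation", "Initial Access", "Persistence"),
                     event["user"], f"dialog logon from {event.get('terminal', '?')}")
    return None

RULES = (detect_sap_all_assignment, detect_idm_interactive_login)

def run_detections(events, rules=RULES):
    """Apply every rule to every event, in order; return the alerts raised."""
    return [a for ev in events for rule in rules if (a := rule(ev)) is not None]

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"type": "profile_assignment", "actor": "ADMIN01", "target_user": "JDOE", "profile": "SAP_ALL"},
    {"type": "profile_assignment", "actor": "ADMIN01", "target_user": "JDOE", "profile": "Z_REPORTING"},
    {"type": "logon", "user": "IDM_SVC", "logon_type": "rfc", "terminal": "idm-host"},   # expected use
    {"type": "logon", "user": "IDM_SVC", "logon_type": "dialog", "terminal": "WS-4711"}, # suspicious
    {"type": "logon", "user": "JDOE", "logon_type": "dialog", "terminal": "WS-0815"},    # normal user
]

for alert in run_detections(SAMPLE_EVENTS):
    print(f"{alert.technique_id} {alert.technique} [{', '.join(alert.tactics)}]: "
          f"{alert.name} - user {alert.user} ({alert.detail})")
```

Only the SAP_ALL assignment and the dialog logon of IDM_SVC raise alerts; the RFC logon of the same account and the ordinary user's logon are left alone, which is what keeps the T1078 rule from drowning analysts in noise.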
SAGESSE TECH, a global SAP Security / Oracle Security / ERP Security technology company, provides an Automated Audit Tool for SAP, SAP Threat Detection and Monitoring products, an SAP PenTest Framework and an SAP Audit Service, which check these kinds of configurations, vulnerabilities and much more in your SAP systems. Their products and services can help you integrate your SAP system into your central threat detection solutions and foster your NIS2 and DORA compliance.
SAGESSE TECH now also provides companies that do not use a SIEM solution, or that would like a separate SIEM for SAP Threat Detection, with a Wazuh SIEM App.
You can contact SAGESSE TECH (E-mail: info@sagesseconsultancy.com, sales@sagesseconsultancy.com or kaankars@sagesseconsultancy.com) if you would like more information about our products, or to have a Vulnerability Scan, SAP Audit or SAP PenTest performed on your SAP systems, or to implement an SAP Threat Detection and Monitoring Solution integrated with leading SIEM vendors like SPLUNK, IBM QRadar and Wazuh.
SAP Security Engineer | CISSP | InfoSec and Cybersecurity
Nice examples, however I find the details slightly inconsistent. You mention "SAP_ALL role" while it's a profile, and it's also visible on the screenshot in your article as a profile assignment, not a role assignment. It would be nice to make it specific and correct. Thank you!