Database swells
Hunting for swells in database read volume
Many attackers are after data!
It's easy to steal, easy to sell and quite valuable in large quantities
Most organizations store valuable data in a "crown jewel" database
This database is usually protected by multiple layers of protection
If the number of read requests or the volume of response data for the database increases suddenly, it may indicate that someone is pulling the data out
Enabling database auditing
In order to threat hunt using data from the database, it's necessary to have database auditing enabled
To check whether auditing is enabled on an Oracle database, connect with SQL*Plus as a privileged user and run:
show parameter audit_trail
If the value is not "DB", set it to DB; audit_trail is a static parameter, so the change only takes effect after the instance is restarted
It's also important to audit connections (logons and logoffs) so the trail records who was connected when the read volume changed
Enable auditing before an incident rather than after one, since it may be disabled by default and an audit trail cannot be reconstructed after the fact
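Scripted version of the check above, as an added example that is not part of the original course material: it queries the audit_trail parameter through sqlplus, accepts DB or DB,EXTENDED as enabled (both write the trail to the database), and prints the statements needed to turn traditional auditing and connection (logon) auditing on. The sqlplus invocation, the SYSDBA access it relies on and the SQLPLUS_CMD override are assumptions; audit_trail is a static parameter, so the ALTER SYSTEM only takes effect after a restart. Run it from cron so you learn quickly if an attacker switches auditing off.

```shell
#!/bin/sh
# Added example (not part of the original course material).
# Verifies that Oracle auditing is enabled (audit_trail=DB) and, if it is
# not, emits the SQL needed to turn it on. Assumes sqlplus is on PATH and
# that the script runs as a user with SYSDBA access (both assumptions).
set -u

# How to reach the database; override for testing or for a named service.
SQLPLUS_CMD="${SQLPLUS_CMD:-sqlplus -s / as sysdba}"

# Ask the instance for the current audit_trail value.
# Headings, feedback and paging are switched off so only the value is printed.
query_audit_trail() {
    printf '%s\n' \
        'SET HEADING OFF FEEDBACK OFF PAGESIZE 0' \
        "SELECT value FROM v\$parameter WHERE name = 'audit_trail';" \
        'EXIT' | $SQLPLUS_CMD
}

# Returns 0 when the value means "auditing on, trail stored in the DB".
# Whitespace and case are normalised because sqlplus pads its output.
audit_trail_enabled() {
    value=$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    case "$value" in
        DB|DB,EXTENDED) return 0 ;;
        *)              return 1 ;;
    esac
}

# SQL that enables auditing. audit_trail is static, so the change is written
# to the spfile and needs a restart; AUDIT SESSION turns on connection
# (logon/logoff) auditing so the trail also shows who was connected.
enable_audit_sql() {
    cat <<'EOF'
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;
AUDIT SESSION;
-- restart the instance, then confirm with:  SHOW PARAMETER audit_trail
EOF
}

# Stand-alone use: check the live instance if sqlplus is available.
if command -v sqlplus >/dev/null 2>&1; then
    current=$(query_audit_trail)
    if audit_trail_enabled "$current"; then
        echo "audit_trail=$current: auditing enabled"
    else
        echo "audit_trail=$current: auditing NOT enabled; run as SYSDBA:" >&2
        enable_audit_sql >&2
        exit 1
    fi
fi
```

A cron entry that runs this every few minutes and logs the non-zero exit turns a silently disabled audit trail into an alert of its own, which is often the first sign that someone with DBA rights is covering their tracks.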
Detecting database read volume swells
If you suspect data exfiltration from a database, checking the read volume is a quick and easy test
The command iostat -xd
shows the current rate of disk reads and writes per device; give it an interval and a count so the second report is a live sample rather than the average since boot
Establishing a baseline by performing this step during normal conditions can help with detection of a potential incident
Multiple baseline measurements are always a good idea
Testing read volumes against the baseline can be scripted as a cron job, giving near-real-time alerting of potential attacks
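An added example (not from the original course) of the baseline-and-compare procedure described above as a cron-able script: it takes the rkB/s column from a 5-second iostat interval, averages several samples into a baseline file, and raises a syslog warning when the current rate exceeds the baseline by a factor. The device name, the baseline path under /var/lib/dbhunt, the 3x threshold and the syslog tag are assumptions; the parser locates the column by its header name because sysstat has reordered and renamed iostat columns between versions.

```shell
#!/bin/sh
# Added example, not part of the original course material.
# Baselines the read throughput of the database's disk with iostat and
# alerts when the current rate exceeds the baseline by SWELL_FACTOR.
# Assumptions: sysstat's iostat is installed; DEVICE, the baseline path
# and the 3x threshold are placeholders to adapt.
set -u

DEVICE="${DEVICE:-sda}"
BASELINE_FILE="${BASELINE_FILE:-/var/lib/dbhunt/${DEVICE}.read_kbps}"
SWELL_FACTOR="${SWELL_FACTOR:-3}"

# Read an "iostat -xd" report from stdin and print the rkB/s value for the
# device. The column is found by header name ("Device" or older "Device:")
# rather than by position; with several reports the last one wins.
extract_read_kbps() {
    awk -v dev="$1" '
        $1 == "Device" || $1 == "Device:" {
            for (i = 1; i <= NF; i++) if ($i == "rkB/s") col = i
            next
        }
        $1 == dev && col { val = $col }
        END { if (col && val != "") print val; else exit 1 }
    '
}

# Sample the device over one 5-second interval. Count 2 is needed because
# the first report is the average since boot, not a live measurement.
sample_read_kbps() {
    iostat -xd "$1" 5 2 | extract_read_kbps "$1"
}

# is_swell CURRENT BASELINE FACTOR: exit 0 when CURRENT > BASELINE * FACTOR.
# awk does the floating-point comparison that sh lacks.
is_swell() {
    awk -v cur="$1" -v base="$2" -v f="$3" 'BEGIN { exit !(cur > base * f) }'
}

# Average N samples into the baseline file ("multiple baseline measurements").
record_baseline() {
    n="${1:-3}"; total=0; i=0
    while [ "$i" -lt "$n" ]; do
        s=$(sample_read_kbps "$DEVICE") || return 1
        total=$(awk -v t="$total" -v s="$s" 'BEGIN { print t + s }')
        i=$((i + 1))
    done
    mkdir -p "$(dirname "$BASELINE_FILE")"
    awk -v t="$total" -v n="$n" 'BEGIN { print t / n }' > "$BASELINE_FILE"
}

# Usage:  dbreads.sh baseline [N]     (during normal operation)
#         dbreads.sh check            (from cron, e.g. */5 * * * *)
case "${1:-}" in
    baseline)
        record_baseline "${2:-3}" && echo "baseline saved to $BASELINE_FILE" ;;
    check)
        base=$(cat "$BASELINE_FILE") || exit 2
        cur=$(sample_read_kbps "$DEVICE") || exit 2
        if is_swell "$cur" "$base" "$SWELL_FACTOR"; then
            logger -p auth.warning -t dbhunt \
                "read swell on $DEVICE: ${cur} kB/s vs baseline ${base} kB/s"
            exit 1
        fi ;;
esac
```

Record baselines at several times of day (a nightly backup or reporting job reads far more than the daytime workload), and keep the per-device values rather than a single number, since a crown-jewel database usually has its data files on their own volume.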
Hunting for unexpected patching of systems
Many vendors offer automated patching and updating services for their products
This decreases the exposure of their software to new attack vectors
Some malware authors will patch software themselves, for several reasons:
Disabling security
Infecting processes
Ensuring control
Unexpected software patching can be a valuable IOC for a threat hunter
Disabling security
Most operating systems have built-in security features
Windows' System File Checker (sfc) is an example
Malicious updates may be designed to disable these security features
This allows the attacker to establish or expand their footprint on the compromised system
Tracking modifications to software implementing these security features is always a good idea
Infecting processes
Malicious patches are one way that malware authors can perform attacks like DLL hijacking
By pushing out malicious updates to trusted DLLs, attackers can modify the DLL code to include malicious functionality or point to other malicious code
A good threat-hunting step is to compare the hashes of downloaded updates and installed DLLs against the official hashes published by the developer
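The hash comparison above, as an added example that is not part of the original course material: it checks every file a vendor lists in a release manifest against what is actually installed, and also reports files present on disk that the vendor never shipped, since a dropped or side-loaded DLL is as telling as a modified one. It is shown with Linux sha256sum (on Windows the same comparison is done with Get-FileHash); the manifest format (sha256sum's own "<sha256>  <path>" lines, paths relative to the install directory, no spaces in names) and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original course material.
# Compare an installed product against the per-file hashes its vendor
# publishes for the release. Assumptions: the manifest is in sha256sum
# format with paths relative to the install directory, file names contain
# no spaces, and sha256sum/find/awk are available (Linux coreutils).
set -u

file_sha256() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# verify_install MANIFEST DIR
# Prints one finding per line (MODIFIED, MISSING or UNLISTED <path>) and
# returns 0 only when every listed file matches and nothing extra exists.
verify_install() {
    manifest="$1"; dir="$2"
    report=$(
        # 1. every file the vendor shipped must be present and unchanged
        while read -r expected name; do
            [ -n "$name" ] || continue
            name=${name#\*}      # sha256sum prefixes binary-mode names with '*'
            if [ ! -f "$dir/$name" ]; then
                echo "MISSING  $name"
            elif [ "$(file_sha256 "$dir/$name")" != "$expected" ]; then
                echo "MODIFIED $name"
            fi
        done < "$manifest"
        # 2. files on disk that are not in the manifest: dropped or
        #    side-loaded libraries (the DLL hijacking case) show up here
        listed=$(awk 'NF >= 2 { n = $2; sub(/^\*/, "", n); print n }' "$manifest")
        (cd "$dir" && find . -type f | sed 's|^\./||') | awk -v listed="$listed" '
            BEGIN { n = split(listed, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
            $0 != "" && !seen[$0] { print "UNLISTED " $0 }'
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
    fi
    [ -z "$report" ]
}

# Stand-alone use from cron, with the manifest fetched alongside the update:
#   verify_install /opt/vendor/app-2.4.1.sha256 /opt/vendor/app \
#       || logger -p auth.warning -t patchhunt "install differs from vendor manifest"
if [ $# -eq 2 ]; then
    verify_install "$1" "$2"
fi
```

Fetch the manifest over a channel the update itself did not use (the vendor's signed release page rather than the updater's download host), otherwise an attacker who can push a fake update can push a matching manifest too.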
Ensuring control
A more common use of malicious patching by modern malware is to ensure control of the compromised system
If malware has gained access to a system by exploiting a certain vulnerability, it will often patch that vulnerability
This ensures that other malware cannot use the same vulnerability and compete for control or resources on the compromised device
This is more common with malware that exploits Internet of Things (IoT) devices for inclusion in botnets
Regular vulnerability scanning, and comparing when software actually changed against the official patch schedule, can help detect this type of malware: a vulnerability that disappears without a sanctioned patch is itself suspicious
Detecting malicious patches
When searching for malware performing unexpected updates, the threat hunter should ask several questions:
Was the process execution legitimate or fake?
What makes the process appear suspicious?
Does the update dialog use fake or incorrect logos and branding?
Does the process name follow the vendor's naming convention (e.g., misspelled or unusual names)?
Unexpected execution of scripts?
Unexpected downloads from the internet?
What was the context of the update: was it offered at startup, while browsing a website, through email, or as a pop-up?
Compare the findings against past threat campaigns that delivered malware through fake updates
Additional resources
The following resources on the Skills portal show some host-based threat hunting tools and analysis methods
Cyber-threat hunting
Cyber-threat hunting - Hunting host-based threats
Cyber-threat hunting - Finding threats in .vmem files
Cyber-threat hunting - Hunting with PowerShell