Database swells

Hunting for swells in database read volume

Many attackers are after data!

  • It's easy to steal, easy to sell and quite valuable in large quantities

Most organizations store valuable data in a "crown jewel" database

  • This database is usually protected by multiple layers of protection

If the number of read requests, or the volume of response data returned by the database, increases suddenly, it may be an indication of an attack

Enabling database auditing

In order to threat hunt using data from the database, it's necessary to have database auditing enabled

To check if auditing is enabled, connect and run:

  • show parameter audit_trail

  • if the value is not "DB", set it to DB

It's also important to enable connection auditing (set its value to DB as well)

Enable auditing as soon as possible, since it is disabled by default

Detecting database read volume swells

If you suspect data exfiltration from a database, checking the read volume is a quick and easy test

The command iostat -xd shows the rate at which disk reads and writes are currently occurring

Establishing a baseline by running the same command under normal conditions makes it possible to recognise a swell during a potential incident

  • Multiple baseline measurements are always a good idea

  • Testing read volumes can be scripted as a cronjob, enabling real-time alerting of potential attacks
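One way to script the baseline comparison described above, as an added example that is not part of the original course material: it parses `iostat -xd` output (a constructed sample is embedded so it runs offline), compares each device's read kB/s against baseline samples recorded during normal operation, and is meant to be called from a cron job. The `iostat` column layout and the threshold rule (mean plus three standard deviations of the baseline) are assumptions.

```python
import statistics
import subprocess

# Constructed sample of `iostat -xd` output (sysstat 12.x column layout), not real host data.
SAMPLE_OUTPUT = """Linux 5.15.0 (dbhost) \t01/01/24 \t_x86_64_\t(4 CPU)

Device            r/s     rkB/s   rrqm/s  %rrqm r_await rareq-sz     w/s     wkB/s   wrqm/s  %wrqm w_await wareq-sz  aqu-sz  %util
sda              1.20     45.30     0.10   7.69    0.50    37.75    3.40     60.20     1.10  24.44    1.20    17.71    0.01   0.40
sdb            410.00  52480.00     2.00   0.49    1.10   128.00    0.50      8.00     0.00   0.00    0.80    16.00    0.45  61.00
"""

def parse_iostat(text):
    """Return {device: read kB/s} from the LAST report in iostat -xd output (column found by name)."""
    reads, col = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0].startswith("Device"):          # header line of a (new) report
            if "rkB/s" not in fields:
                raise ValueError("no rkB/s column; run iostat with -x (and -k on old sysstat)")
            col, reads = fields.index("rkB/s"), {}   # discard any earlier report
            continue
        if col is not None and len(fields) > col:
            reads[fields[0]] = float(fields[col])
    return reads

def swell_alerts(current, baselines, k=3.0, min_samples=3):
    """Flag devices whose read rate exceeds mean + k*stdev of their baseline samples ({device: [kB/s, ...]})."""
    alerts = {}
    for dev, rate in current.items():
        hist = baselines.get(dev, [])
        if len(hist) < min_samples:
            continue                                 # too little history: never alert on noise
        mean, stdev = statistics.mean(hist), statistics.pstdev(hist)
        threshold = mean + k * max(stdev, 0.05 * mean)  # floor stops a flat baseline firing on tiny changes
        if rate > threshold:
            alerts[dev] = (rate, round(threshold, 2))
    return alerts

def capture_iostat(interval=5):
    """Sample live read rates; the second report covers only the last `interval` seconds
    (the first report is the average since boot, which would mask a swell)."""
    out = subprocess.run(["iostat", "-xd", str(interval), "2"],
                         capture_output=True, text=True, check=True).stdout
    return parse_iostat(out)
```

From cron, call capture_iostat() every few minutes, pass the result to swell_alerts() with baselines loaded from a file of earlier samples, and append only non-alerting samples to that file so a swell does not poison the baseline.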

Hunting for unexpected patching of systems

Many vendors offer automated patching and updating services for their products

  • This decreases the exposure of their software to new attack vectors

Some malware authors will patch software themselves, for a variety of reasons:

  • Disabling security

  • Infecting processes

  • Ensuring control

Unexpected software patching can be a valuable IOC for a threat hunter

Disabling security

Most operating systems have built-in security features

  • Windows' Safe File Check feature is an example

Malicious updates may be designed to disable these security features

  • This allows the attacker to establish or expand their footprint on the compromised system

Tracking modifications to software implementing these security features is always a good idea

Infecting processes

Malicious patches are one way that malware authors can perform attacks like DLL hijacking

By pushing out malicious updates to trusted DLLs, attackers can modify the DLL code to include malicious functionality or point to other malicious code

A good threat hunting step is to compare the hashes of updated and installed DLL files against the official versions published by the developer

Ensuring control

A more common use of malicious patching by modern malware is to ensure control of the compromised system

If malware has gained access to a system by exploiting a certain vulnerability, it will often patch that vulnerability

  • This ensures that other malware cannot use the same vulnerability and compete for control or resources on the compromised device

  • This is more common with malware that exploits Internet of Things (IoT) devices for inclusion in botnets

Regular vulnerability scanning, and comparing the times at which software was updated against the official patch schedule, can help detect this type of malware

Detecting malicious patches

When searching for malware performing unexpected updates, the threat hunter should ask several questions:

  • Was the process execution legitimate or fake?

  • What makes the process appear suspicious?

  • Are there any false logos?

  • Does the process name follow the expected naming convention (e.g., is the nomenclature incorrect)?

  • Unexpected execution of scripts?

  • Unexpected downloads from the internet?

  • What was the context of the update's installation (was the update prompt shown at startup, while browsing a website, through email, or as a pop-up)?

  • Look for past threat campaigns that installed malware through fake updates

Additional resources

The following resources on the Skills portal show some host-based threat hunting tools and analysis methods

Cyber-threat hunting

  • Cyber-threat hunting - Hunting host-based threats

  • Cyber-threat hunting - Finding threats in .vmem files

  • Cyber-threat hunting - Hunting with PowerShell