
Consider a scenario where your AV / EDR software has to exclude the paths of database files, as suggested by vendors, to avoid performance or stability issues.

You want to review your database for integrity, with the aim of making sure that any malicious code, such as shells injected into DB code that trigger when called, contaminated functions or stored procedures, the presence of persistence mechanisms, etc., gets detected. So this also blends into some forensics.

With an assume breach mentality and excluding the option of sifting through the activity logs, what tools (if any) work best to read an exported DB or a DB at runtime and check it for presence of malicious code?

Is it done through:

  • A scan on the DB export with an AV solution?
  • Static code analyzers (any recommendations on which ones can read through MS SQL syntax while being able to interpret malicious functions?)

If none of the above caters for my requirement, should I manually inspect the DB export and use query tools to look for patterns of malicious code (any suggested checklists?)?

Appreciate your assistance and thanks in advance.

Bob
  • My opinion is that, in general, detecting any malicious changes in the DB is going to be hard, and you would need to implement custom checks based on your data. For example, if there's HTML code stored in your DB, you'd need to check for malicious JS there, or even just changes in src/href attributes. Or if you have role IDs like 1=user, 0=admin, you could compromise your DB just by changing a 1 to a 0. – reed Jan 29 '21 at 16:34
  • Hi reed, in fact that came to mind. It's a very tricky exercise and the manual way looks also extremely painful. Considering also Yara scanners that might be able to scan on files, but need to get versed with some decent scanners. Thanks for your view nevertheless. – Bob Jan 29 '21 at 16:44
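One manual-inspection approach from the question, shown as an added example that is not part of the original thread: split an exported MS SQL script into `GO` batches, attribute each batch to the procedure, function or trigger it creates, and flag batches that contain persistence or code-execution indicators (xp_cmdshell, OLE automation, startup procedures, Agent jobs, triggers that execute procedures). The indicator list and the embedded sample export are constructed for illustration; the same regexes can be run over `sys.sql_modules` definitions pulled from a live instance.

```python
import re

# Constructed list of T-SQL indicators worth triaging during an assume-breach
# review. A hit is a lead for manual inspection, not proof of compromise.
INDICATORS = [
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("ole-automation", re.compile(r"\bsp_OA(Create|Method|GetProperty|SetProperty)\b", re.I)),
    ("ad-hoc-remote-query", re.compile(r"\bOPEN(ROWSET|DATASOURCE)\b", re.I)),
    ("registry-write", re.compile(r"\bxp_reg(write|deletekey|deletevalue)\b", re.I)),
    ("startup-proc", re.compile(r"\bsp_procoption\b.*\bstartup\b", re.I | re.S)),
    ("agent-job", re.compile(r"\bsp_add_job(step)?\b", re.I)),
    ("enable-dangerous-option", re.compile(r"sp_configure\s+'?(xp_cmdshell|Ole Automation Procedures)'?", re.I)),
    ("dynamic-sql", re.compile(r"\bEXEC(UTE)?\s*\(\s*@", re.I)),
    ("sqlclr-unsafe", re.compile(r"\bPERMISSION_SET\s*=\s*UNSAFE\b", re.I)),
    ("trigger-with-exec", re.compile(r"\bCREATE\s+TRIGGER\b.*\bEXEC(UTE)?\b", re.I | re.S)),
]

# Name of the module a batch creates, if any, so findings can be tied to an object.
OBJECT_RE = re.compile(r"\bCREATE\s+(?:OR\s+ALTER\s+)?(PROC(?:EDURE)?|FUNCTION|TRIGGER)\s+([\w\.\[\]]+)", re.I)
# Exported scripts separate batches with a line containing only GO.
BATCH_SPLIT = re.compile(r"^\s*GO\s*$", re.I | re.M)


def scan_tsql_script(script):
    """Return (batch_number, object_name, indicator) for every indicator hit."""
    findings = []
    for number, batch in enumerate(BATCH_SPLIT.split(script), start=1):
        match = OBJECT_RE.search(batch)
        object_name = match.group(2) if match else "<script>"
        for indicator, pattern in INDICATORS:
            if pattern.search(batch):
                findings.append((number, object_name, indicator))
    return findings


# Constructed sample export: one benign procedure, one that shells out, a startup
# registration for it, and a trigger that invokes it on every insert.
SAMPLE_EXPORT = """
CREATE PROCEDURE dbo.usp_GetOrders @CustomerId int AS
    SELECT OrderId, Total FROM dbo.Orders WHERE CustomerId = @CustomerId;
GO
CREATE PROCEDURE dbo.usp_Maintenance AS
    DECLARE @cmd nvarchar(400) = N'...';
    EXEC master..xp_cmdshell @cmd;
GO
EXEC sp_procoption @ProcName = 'usp_Maintenance', @OptionName = 'startup', @OptionValue = 'on';
GO
CREATE TRIGGER trg_Orders ON dbo.Orders AFTER INSERT AS
    EXEC dbo.usp_Maintenance;
GO
"""

if __name__ == "__main__":
    for batch_number, object_name, indicator in scan_tsql_script(SAMPLE_EXPORT):
        print(f"batch {batch_number:>3}  {object_name:<24} {indicator}")
```

Treat the output as a triage list: every flagged module still needs a human to read its full definition and compare it against the last known-good export.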

0 Answers