Time for database accounts audit

January 08, 2018 Flowmon, Infrastructure Management

With the Flowmon solution you can easily automate the detection of user, application or administration accounts in MSSQL databases. New attacks have been spreading on the internet since the end of 2017, and the new year is the right time for a quick check that you are not one of the victims.

Researchers from GuardiCore Labs have analyzed attacks from recent months and identified several attack variants (Hex, Hanako, and Taylor) targeting different MS SQL servers, using known vulnerabilities and password brute-force attacks.

You can certainly detect the brute-force attack with the out-of-the-box Flowmon ADS methods, but it makes sense to check the situation from another point of view as well.

Check and audit database accounts and their usage

As you know, a database can have several types of accounts, such as direct user, application or system accounts. Each account type is expected to be used from a specific network or server; for example, an application account should be used only from a specific server. So let's confirm that expectation with Flowmon and automatically detect violations with Alerts in FMC.

First of all, you can analyze the accounts used in the databases in your network. One query answers several simple questions.

Go to Monitoring Center > Analysis and set the filter:

Filter:

dst port 1433 and not tds-user = ""

Aggregate by "MSSQL Username", "Source IP address", "Destination IP address"

Output:

%sa %da %tdsuser %tdsservname

The output reveals:

  • which servers are MSSQL servers
  • which accounts are used on those servers
  • what the source IP addresses and real users are

You can easily check in the output whether something is wrong, specifically whether any of the accounts from the GuardiCore Labs research appear (hanako, kisadminnew1, 401hk$, guest or Huazhongdiguo110).

Alert for automatic detection

Alerts help you automate the check. Follow these instructions to set up a new alert in FMC.

1. Prepare a new profile for MSSQL (dst port "ms-sql-s")

2. Use this profile for the Alert definition

Filter:

dst port "ms-sql-s" and (tds-user = "guest" or tds-user = "hanako" or tds-user = "kisadminnew1" or tds-user = "401hk$" or tds-user = "Huazhongdiguo110")

Conditions based on total flow summary: total flows > 0

Send email or syslog

Flowmon will automatically inform you in case of detection. This way you can also monitor usage of system and application accounts from unknown servers and networks.

Filter:

dst port "ms-sql-s" and tds-user = "app_account" and not (src ip 1.1.1.1 or src ip 1.1.1.2)

where 1.1.1.1 and 1.1.1.2 are the servers that are expected to use this application account

Conditions based on total flow summary: total flows > 0

Send email or syslog

You can use long-term statistics to find out the correct sources for the account and the account name. These sources can be used for the alert setup. All the described detections rely on Flowmon MSSQL protocol visibility, which should be enabled in Configuration Center > Exporter > Global Settings > Advanced options > Optional L7 values for IPFIX record > MSSQL.
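The same two checks (watchlisted account names and an application account used from an unexpected source) can also be run offline over exported flow records, shown here as an added example that is not Flowmon's own code. The CSV layout, with columns named after the %sa %da %tdsuser %tdsservname output fields, is an assumption, and the rows are constructed sample data.

```python
import csv
import io
from ipaddress import ip_address

# Account names listed on this page from the GuardiCore Labs research.
WATCHLIST = {"hanako", "kisadminnew1", "401hk$", "guest", "Huazhongdiguo110"}

# Expected sources per account (values taken from the page's example filter).
ALLOWED_SOURCES = {"app_account": {ip_address("1.1.1.1"), ip_address("1.1.1.2")}}

# Constructed sample export; the CSV layout itself is an assumption.
SAMPLE_EXPORT = """sa,da,tdsuser,tdsservname
1.1.1.1,10.0.0.5,app_account,SQL01
10.0.0.77,10.0.0.5,app_account,SQL01
203.0.113.9,10.0.0.5,hanako,SQL01
10.0.0.20,10.0.0.6,Guest,SQL02
10.0.0.21,10.0.0.6,jsmith,SQL02
"""


def audit(export_text):
    """Return a list of (reason, account, source, server) findings."""
    # Login-name case sensitivity depends on the server collation, so the
    # comparison is case-insensitive to avoid missing "Guest" vs "guest".
    watch = {name.lower() for name in WATCHLIST}
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["tdsuser"].strip()
        if not user:
            continue  # mirrors the page's filter: not tds-user = ""
        src = ip_address(row["sa"].strip())
        server = row["da"].strip()
        if user.lower() in watch:
            findings.append(("watchlisted-account", user, str(src), server))
        allowed = ALLOWED_SOURCES.get(user.lower())
        if allowed is not None and src not in allowed:
            findings.append(("unexpected-source", user, str(src), server))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(*finding, sep="\t")
```
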

Tomáš Vlach