Potential Database Dumping Activity on Linux
This rule detects the use of database dumping utilities to exfiltrate data from a database on Linux systems, where attackers may attempt to dump the database to a file and then exfiltrate the file to a remote server.
This detection identifies potential database exfiltration attempts on Linux systems. The rule focuses on detecting the execution of common database dumping utilities such as pg_dump, mysqldump, mariadb-dump, pg_dumpall, and mongodump. Attackers may leverage these tools to create local copies of databases, which they then exfiltrate to external locations. This activity can lead to significant data breaches and compromise sensitive information. The rule is designed to detect unauthorized or suspicious use of these utilities, which might indicate malicious activity rather than legitimate backups or maintenance operations.
Attack Chain
- The attacker gains initial access to a Linux system, possibly through compromised credentials or exploiting a vulnerability.
- The attacker performs reconnaissance to identify accessible database servers and database user accounts.
- The attacker uses compromised database credentials or exploits a vulnerability to gain access to the database.
- The attacker executes a database dumping utility (e.g.,
pg_dump,mysqldump,mongodump) to create a local copy of the database. - The attacker compresses the database dump to reduce its size for easier exfiltration, often using tools like
gziportar. - The attacker stages the compressed dump file in a temporary directory or a location accessible for exfiltration.
- The attacker exfiltrates the database dump to an external server or cloud storage using tools like
scp,rsync, orawscli. - The attacker removes traces of the activity, such as deleting the dump file and clearing command history.
Impact
Successful database dumping and exfiltration can result in significant data breaches, leading to the compromise of sensitive customer data, financial records, or intellectual property. This can cause severe reputational damage, financial losses, legal liabilities, and regulatory fines. Organizations in all sectors are vulnerable, particularly those handling large volumes of personal or financial data.
Recommendation
- Deploy the Sigma rules in this brief to your SIEM to detect unauthorized database dumping activity, focusing on process creation events (
process_creation) whereprocess.nameispg_dump,mysqldump,mariadb-dump,pg_dumpall, ormongodump. - Monitor network connections originating from database servers for unusual outbound traffic patterns that may indicate data exfiltration after a database dump (
network_connection). - Implement strict access controls and multi-factor authentication for database servers to prevent unauthorized access and the ability to execute dumping utilities.
- Investigate any alerts generated by the Sigma rules by reviewing command-line arguments, parent processes, and user accounts involved in the activity.
- Review and restrict which users and hosts are allowed to run database dumping tools to minimize the attack surface.
Detection coverage 2
Potential Database Dumping Activity - Process Creation
mediumDetects the execution of common database dumping utilities on Linux systems.
Database Dump Compression Activity
lowDetects the compression of potential database dumps using gzip or tar.
Detection queries are available on the platform. Get full rules →