In this presentation, we talk about:
- Attack Kill Chain
- About Persistence
- Persistence Techniques
- Persistence Leveraging MSSQL
- Approach to Detect Persistence
You can watch the complete session here: https://youtu.be/HfpjLR6ZwIU?t=1322
2. #whoami
👉 Chirag Savla
👉 Twitter – @chiragsavla94
👉 Interest area – Red Teaming, Application Security, Penetration Testing
👉 Blog – https://3xpl01tc0d3r.blogspot.com
3. “As an offensive researcher, if you can dream it, someone has likely already done it… and that someone isn’t the kind of person who speaks at security cons.”
— Matt Graeber
9. About Persistence
▸ Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system.
▸ Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would otherwise require a remote access tool to be restarted or an alternate backdoor to be used to regain access.
10. Question
▸ Do you think Antivirus (AV) solutions are enough to detect persistent malware?
- Yes, I have a next-gen AV
- No
- Don’t know
14. What & Why MSSQL?
▸ Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, its primary function is storing and retrieving data as requested by other software applications, which may run on the same computer or on another computer across a network.
▸ SQL Server is usually run under a privileged service account, which makes it useful for persistence: anything the server executes on its own, at startup or in response to an event, runs with that account's rights without the attacker having to be logged in.
15. Persistence Opportunities
▸ Startup Stored Procedures - Stored procedures marked for automatic execution (with sp_procoption, in the master database) run every time SQL Server starts, automatically and with the permissions of the sysadmin fixed server role.
▸ Triggers - A trigger is a special type of stored procedure that runs automatically when an event occurs on the database server. There are three kinds: DML triggers (INSERT, UPDATE or DELETE on a table or view), DDL triggers (CREATE, ALTER, DROP and similar statements) and logon triggers (fired on every successful LOGON event).
▸ Registry Keys - Undocumented extended stored procedures let sysadmins read and write registry keys on the host, including the keys Windows itself uses to start programs at boot and logon.
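The three mechanisms above, exercised against a lab instance with a harmless payload so that the detections on the following slides have something to catch. This is an added example, not code from the talk or from the NetSPI research it credits; the object names (dbo.startup_log, dbo.sp_lab_startup, trg_lab_logon) and the scratch registry key SOFTWARE\PersistenceLab are assumptions made here, and every step needs sysadmin.

```sql
-- Added lab example, not from the talk. Run as sysadmin on a test instance.
-- Object names (startup_log, sp_lab_startup, trg_lab_logon) and the scratch
-- registry key SOFTWARE\PersistenceLab are assumptions made for this example.
USE master;
GO

-- 1) Startup stored procedure. A procedure marked with sp_procoption must live
--    in master, be owned by dbo and take no parameters; it then runs at every
--    service start as sysadmin. A real implant would call xp_cmdshell here;
--    this one only records that it ran.
CREATE TABLE dbo.startup_log (
    ran_at DATETIME2     NOT NULL DEFAULT SYSDATETIME(),
    source NVARCHAR(256) NOT NULL
);
GO
CREATE PROCEDURE dbo.sp_lab_startup
AS
    INSERT INTO dbo.startup_log (source) VALUES (N'startup:' + SUSER_SNAME());
GO
-- Marking the procedure also sets the 'scan for startup procs' option to 1.
EXEC sp_procoption @ProcName = N'dbo.sp_lab_startup',
                   @OptionName = 'startup', @OptionValue = 'on';
GO

-- 2) Logon trigger. Fires on every successful login before the session is
--    handed to the client. EXECUTE AS SELF runs the body as the creating
--    login, so the INSERT works for low-privileged logins too; without it a
--    login that cannot write the table makes the trigger fail, and a failing
--    logon trigger denies the login.
CREATE TRIGGER trg_lab_logon
ON ALL SERVER
WITH EXECUTE AS SELF
FOR LOGON
AS
BEGIN
    INSERT INTO master.dbo.startup_log (source)
    VALUES (N'logon:' + ORIGINAL_LOGIN());
END;
GO

-- 3) Registry access through the undocumented extended procedures. The reads
--    show the mechanism and list what is already set to auto-run; the write
--    goes to a scratch key, whereas an implant would target a Run key. The
--    SQL Server service account must have write access to the path.
EXEC xp_regread N'HKEY_LOCAL_MACHINE',
                N'SOFTWARE\Microsoft\Windows NT\CurrentVersion', N'ProductName';
EXEC xp_regenumvalues N'HKEY_LOCAL_MACHINE',
                      N'SOFTWARE\Microsoft\Windows\CurrentVersion\Run';
EXEC xp_regwrite N'HKEY_LOCAL_MACHINE', N'SOFTWARE\PersistenceLab',
                 N'Marker', N'REG_SZ', N'lab';
GO

-- Restart the service or open a new connection, look at what was recorded,
-- then tear everything down.
SELECT * FROM dbo.startup_log ORDER BY ran_at;
EXEC xp_regdeletekey N'HKEY_LOCAL_MACHINE', N'SOFTWARE\PersistenceLab';
EXEC sp_procoption @ProcName = N'dbo.sp_lab_startup',
                   @OptionName = 'startup', @OptionValue = 'off';
DROP TRIGGER trg_lab_logon ON ALL SERVER;
DROP PROCEDURE dbo.sp_lab_startup;
DROP TABLE dbo.startup_log;
GO
```

Two cautions when running this outside a throwaway instance: a logon trigger that raises an error refuses every login, including sysadmin, and the way back in is the Dedicated Admin Connection (the admin: prefix) to drop it; and the startup procedure only fires on the next service start, so the startup_log row for it will not appear until then.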
18. Create and enable a SERVER AUDIT
-- Select master database
USE master
GO
-- Set up a server audit that writes to the Windows Application log.
-- ON_FAILURE = CONTINUE keeps the instance running if the log cannot be
-- written; SHUTDOWN and FAIL_OPERATION are the stricter alternatives.
CREATE SERVER AUDIT Audit_StartUp_Procs
TO APPLICATION_LOG
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE)
GO
-- Enable the server audit
ALTER SERVER AUDIT Audit_StartUp_Procs
WITH (STATE = ON)
GO
19. Create an enabled SERVER AUDIT SPECIFICATION
-- Create the server audit specification
CREATE SERVER AUDIT SPECIFICATION Audit_StartUp_Procs_Server_Spec
FOR SERVER AUDIT Audit_StartUp_Procs
ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP), -- track server role membership changes
ADD (SERVER_OPERATION_GROUP),          -- track server setting changes
ADD (AUDIT_CHANGE_GROUP)               -- track changes to the audit itself
WITH (STATE = ON)
GO
20. Create an enabled DATABASE AUDIT SPECIFICATION
-- Create the database audit specification (run while connected to master,
-- which is where sp_procoption lives)
CREATE DATABASE AUDIT SPECIFICATION Audit_StartUp_Procs_Database_Spec
FOR SERVER AUDIT Audit_StartUp_Procs
ADD (EXECUTE ON master..sp_procoption BY public) -- every execution of sp_procoption
WITH (STATE = ON)
GO
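The audit above records new startup procedures from the moment it is switched on, but it says nothing about what was already planted. The queries below hunt for all three mechanisms from slide 15 in the catalog views and confirm that the audit objects from slides 18 to 20 are actually enabled. This is an added example, not part of the talk; it assumes only the audit names used above and a login with sysadmin or VIEW SERVER STATE.

```sql
-- Added hunting example, not from the talk. Needs sysadmin or VIEW SERVER
-- STATE; only the audit object names from slides 18-20 are assumed.
USE master;
GO

-- 1) Startup procedures. sp_procoption can only mark procedures in master,
--    so this single query is complete. 'scan for startup procs' = 1 on an
--    instance with no legitimate use for the feature is itself a lead.
SELECT  s.name AS schema_name, p.name AS proc_name, p.create_date, p.modify_date,
        OBJECT_DEFINITION(p.object_id) AS definition
FROM    sys.procedures AS p
JOIN    sys.schemas    AS s ON s.schema_id = p.schema_id
WHERE   OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1;

SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = N'scan for startup procs';

-- 2) Server-scoped triggers (LOGON and server-level DDL), the events they
--    fire on, and their full text. Any row nobody on the team authored
--    needs an explanation.
SELECT  t.name, t.create_date, t.modify_date, t.is_disabled,
        e.type_desc AS fires_on, m.definition
FROM    sys.server_triggers       AS t
JOIN    sys.server_trigger_events AS e ON e.object_id = t.object_id
JOIN    sys.server_sql_modules    AS m ON m.object_id = t.object_id
ORDER BY t.modify_date DESC;

-- 3) DML and database-scoped DDL triggers in every online database.
--    sys.triggers is per database, so iterate with a cursor rather than
--    the undocumented sp_MSforeachdb.
CREATE TABLE #db_triggers (
    db SYSNAME, trigger_name SYSNAME, parent_object SYSNAME NULL,
    type_desc NVARCHAR(60), is_disabled BIT, modify_date DATETIME
);
DECLARE @db SYSNAME, @sql NVARCHAR(MAX);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = N'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'SELECT ' + QUOTENAME(@db, '''') + N', t.name, '
             + N'OBJECT_NAME(t.parent_id, DB_ID(' + QUOTENAME(@db, '''') + N')), '
             + N't.type_desc, t.is_disabled, t.modify_date '
             + N'FROM ' + QUOTENAME(@db) + N'.sys.triggers AS t;';
    INSERT INTO #db_triggers EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END;
CLOSE dbs;
DEALLOCATE dbs;
SELECT * FROM #db_triggers ORDER BY modify_date DESC;
DROP TABLE #db_triggers;

-- 4) Confirm the audit is on and still pointed at the Application log.
--    Because the server specification includes AUDIT_CHANGE_GROUP, a
--    sysadmin who turns the audit off leaves one last record of doing so.
SELECT name, is_state_enabled, type_desc, on_failure_desc, queue_delay
FROM   sys.server_audits;
SELECT name, is_state_enabled FROM sys.server_audit_specifications;
SELECT name, is_state_enabled FROM sys.database_audit_specifications;
```

Events from an audit that targets APPLICATION_LOG land in the Windows Application log as event ID 33205 from the SQL Server service source, so forward that log to the SIEM rather than relying on the instance: an attacker with sysadmin can disable the audit from inside SQL Server, but cannot recall what has already been shipped off the host.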
22. Tips for detecting persistence
▸ Monitor registry changes – Sysmon Event ID 12 (key created or deleted), 13 (value set), 14 (key or value renamed)
▸ Monitor account creation – Security Event ID 4720
▸ Monitor file creation – Sysmon Event ID 11 (FileCreate)
▸ Monitor DLL loading – Sysmon Event ID 7 (ImageLoad; the ImageLoaded field names the DLL; not collected unless enabled in the Sysmon configuration)
▸ Monitor scheduled task creation – Security Event ID 4698
23. Question
▸ How many of you are already monitoring these events?
- All of them
- Some of them
- Haven't started yet
24. Credits
Thanks to DNIF for granting me the privilege to present.
Special thanks to Scott Sutherland for documenting the amazing ways to get persistence using MSSQL.