The researchers from GuardiCore Labs have analyzed attacks from last months and identified several attack variants Hex, Hanako, and Taylor targeting different MS SQL servers, using known vulnerabilities and password brute force attacks.
Certainly you can detect the brute force attack by out of the box Flowmon ADS methods, but it makes sense to check out the situation also from other point of view.
Check and audit database accounts and their usage
As you know, there can be several types of accounts in database such as direct users, application or system accounts. Each usage of account type is expected from specific network or server, for example application account should be used only from specific server, so lets confirm such an expectation by Flowmon and detect automatically the violation by Alerts in FMC.First of all you can analyze accounts used in the database in your network. It will answer several simple questions by one query.
Go to Monitoring Center > Analysis and set the filter:
Filter:
dst port 1433 and not tds-user = ""
Aggregate by "MSSQL Username", "Source IP address,"Destination IP address
"Output:
%sa %da %tdsuser %tdsservname
The output reveals:
- what are MSSQL servers
- what are accounts used on servers
- what are source IP addresses and real users
You can easily check in the output, whether there is something wrong. Specificaly, if there is some of the account from the GuardiCore Labs research (hanako, kisadminnew1, 401hk$, guest or Huazhongdiguo110).
Alert for automatic detection
Alerts help you to automatize the check. Follow the instructions to setup a new alert in FMC.
1. Prepare new profile for MSSQL (dst port "ms-sql-s")
2. Use this profile for Alert definition
Filter:
dst port "ms-sql-s" and (tds-user = "guest" or tds-user = "hanako" or tds-user = "kisadminnew1" or tds-user = "401hk$" or tds-user = "Huazhongdiguo110")
Conditions based on total flow summary: total flows > 0
Send email or syslog
Flowmon will automatically inform you in case of detection. This way you can also monitor usage of system and application accounts from unknown servers and networks.
Filter:
dst port "ms-sql-s" and tds-user = "app_account" and not (src ip 1.1.1.1 or src ip 1.1.1.2)
where 1.1.1.1 and 1.1.1.2 are servers which should correctly use this application account
Conditions based on total flow summary: total flows > 0
Send email or syslog
You can use long term statistics to find out what the correct sources for the account and account name are. These sources can be used for alerting setup. All described detections works with Flowmon MSSQL protocol visibility which should be enabled in Configuration Center > Exporter > Global Settings > Advanced options > Optional L7 values for IPFIX record > MSSQL.