Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
1 Day |
Required Data |
|
Detection Modules |
|
Detector Tags |
|
ATT&CK Tactic |
|
ATT&CK Technique |
|
Severity |
Informational |
Description
A DB related process abnormally spawned a shell. This might indicate an exploitation attempt.
Attacker's Goals
Obtain access to either the database or its hosting machine for various purposes like privilege escalation, lateral movement, and data theft.
Investigative actions
- Review the commands/processes executed by the shell for malicious actions.
- Check if and what else the DB process has executed.
- Check for any additional alerts raised in the context of the DB process.
- Audit the query/access logs of the DB for suspicious actions (Such as SQL injection or similar).
Variations
Unusual DB process spawning a shell with a possible reconnaissance commandUnusual DB process spawning a shell with a possible web download/access command
Unusual DB process spawning a shell with an unusual command line