Characteristics of a stored procedure attack
A malicious stored procedure is a block of database code that is designed to evade detection and to carry out a multi-step attack over a period of time. The same attack can be repeated exactly, or its behavior can change from one execution to the next.
The procedure can lie dormant for an extended period, which makes it harder to identify as suspicious: even if unusual activity was noticed in one audit, by the time the next audit occurs that activity has been forgotten. A malicious stored procedure can be used to disguise the dropping of an important table, or to extract the contents of a table.
Examples of suspicious activity are:
- Creating a stored procedure that contains a DROP statement against sensitive objects.
- Use of the DROP verb.
- SQL exceptions that are caused by missing objects.
- A procedure that is modified after it was dormant for an extended period of time.
Guardium tracks the activity around individual stored procedures and, together with Outlier mining data, correlates the various symptoms and the users involved. Guardium can detect the following typical symptoms of this malicious stored procedure use case, presented in the order in which they usually occur:
- A database administrator creates a malicious Procedure A, which deletes data from the customer table.
- A month later the database administrator changes a commonly used Procedure B to call Procedure A.
- A different user calls the modified Procedure B, so the customer table data is deleted under that innocent user's identity.
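The following Python sketch is an added example, not Guardium's own code, of correlating an audit trail into the symptoms listed above (a destructive definition against a sensitive table, a DROP/DELETE verb, a missing-object error, a procedure modified or chained after lying dormant, and an innocent user triggering the deletion). It replays the three-step scenario on a constructed set of audit events. The event fields, the sensitive-table watchlist, the dormancy threshold, and the procedure names purge_customers (Procedure A) and monthly_report (Procedure B) are all assumptions made for illustration.

```python
"""
Added example, not Guardium's own code: correlate stored-procedure audit
events into the symptom chain described on this page. The event fields,
the sensitive-table watchlist and the dormancy threshold are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

SENSITIVE_TABLES = {"customer", "payment_card"}     # assumed watchlist
DORMANT_DAYS = 21                                   # assumed threshold
DESTRUCTIVE = re.compile(r"\b(DROP|DELETE|TRUNCATE)\b", re.IGNORECASE)
CALL_RE = re.compile(r"\bCALL\s+(\w+)", re.IGNORECASE)
MISSING_OBJECT = re.compile(r"does not exist|not found|unknown (table|object)", re.IGNORECASE)


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str        # "define" (CREATE / CREATE OR REPLACE / ALTER), "call" or "error"
    proc: str
    sql: str = ""    # statement text, or the error message when kind == "error"


def destructive_targets(sql):
    """Sensitive tables named in a statement that also carries DROP, DELETE or TRUNCATE."""
    if not DESTRUCTIVE.search(sql):
        return set()
    return SENSITIVE_TABLES & set(re.findall(r"\b\w+\b", sql.lower()))


def analyze(events):
    """Walk the audit trail in time order; return (symptom, proc, user, detail) tuples."""
    body, definer, last_seen, findings = {}, {}, {}, []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "define":
            hit = destructive_targets(e.sql)
            if hit:
                findings.append(("destructive_definition", e.proc, e.user, sorted(hit)))
            if e.proc in last_seen:
                idle = (e.ts - last_seen[e.proc]).days
                if idle >= DORMANT_DAYS:
                    findings.append(("modified_after_dormancy", e.proc, e.user, idle))
            # A benign procedure rewired to call a destructive one that has sat idle.
            for callee in CALL_RE.findall(e.sql):
                if destructive_targets(body.get(callee, "")):
                    callee_idle = (e.ts - last_seen.get(callee, e.ts)).days
                    findings.append(("chained_to_destructive", e.proc, e.user, (callee, callee_idle)))
            body[e.proc], definer[e.proc] = e.sql, e.user
        elif e.kind == "call":
            # Effective reach: the procedure's own body plus one level of CALL targets.
            callees = CALL_RE.findall(body.get(e.proc, ""))
            targets = destructive_targets(body.get(e.proc, ""))
            for callee in callees:
                targets |= destructive_targets(body.get(callee, ""))
                last_seen[callee] = e.ts          # the callee executed as well
            if targets and e.user != definer.get(e.proc):
                findings.append(("innocent_user_triggered", e.proc, e.user, sorted(targets)))
        elif e.kind == "error" and MISSING_OBJECT.search(e.sql):
            findings.append(("missing_object_error", e.proc, e.user, e.sql))
        last_seen[e.proc] = e.ts
    return findings


T0 = datetime(2024, 3, 1)


def day(n):
    """Shorthand for a timestamp n days after T0."""
    return T0 + timedelta(days=n)


# Constructed audit trail following the three-step scenario above (not real data).
SAMPLE_EVENTS = [
    Event(day(-90), "dba", "define", "monthly_report",
          "CREATE PROCEDURE monthly_report() LANGUAGE SQL AS $$ "
          "INSERT INTO report_log SELECT count(*) FROM orders; $$"),
    Event(day(0), "dba", "define", "purge_customers",
          "CREATE PROCEDURE purge_customers() LANGUAGE SQL AS $$ DELETE FROM customer; $$"),
    Event(day(2), "app_user", "call", "monthly_report", "CALL monthly_report();"),
    Event(day(20), "app_user", "call", "monthly_report", "CALL monthly_report();"),
    Event(day(31), "dba", "define", "monthly_report",
          "CREATE OR REPLACE PROCEDURE monthly_report() LANGUAGE SQL AS $$ "
          "INSERT INTO report_log SELECT count(*) FROM orders; CALL purge_customers(); $$"),
    Event(day(32), "app_user", "call", "monthly_report", "CALL monthly_report();"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample trail, the analysis yields three findings in scenario order: the destructive definition of purge_customers by the DBA, the rewiring of the commonly used monthly_report to call a procedure that had been idle for 31 days, and the deletion of customer data triggered by app_user, who never defined either procedure. Only one level of CALL nesting is followed; a production detector would resolve the full call graph and read procedure bodies from the catalog rather than from the audit text.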