Consider a scenario where your AV / EDR software has to exclude the paths of database files, as suggested by vendors, to avoid performance or stability issues.
You want to review your database for integrity, with the aim of making sure that any malicious code (such as shells injected into DB code that trigger when called, contaminated functions or stored procedures, the presence of persistence mechanisms, etc.) gets detected. So this also blends into some forensics.
With an assume-breach mentality, and excluding the option of sifting through the activity logs, what tools (if any) work best to read an exported DB or a DB at runtime and check it for the presence of malicious code?
Is it done through:
- A scan on the DB export with an AV solution?
- Static code analyzers (any recommendations on which ones can read through MS SQL syntax while being able to interpret malicious functions?)
If none of the above caters for my requirement, should I manually inspect the DB export and use query tools to look for patterns of malicious code (any suggested checklists?)?
Appreciate your assistance and thanks in advance.
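As an added example (not part of the question above, and not code from any vendor tool), the following T-SQL is the kind of manual "query the catalog" checklist the last option describes, for the MS SQL case the question names. It assumes the export has been restored to an isolated SQL Server 2016 or later instance, that you are connected as sysadmin with the suspect database selected, and that the token list in step 1 is a starting list you extend for your own schema; all of those are assumptions of the example, not facts from the question.

```sql
-- Catalog triage of a restored SQL Server database for injected code and persistence.
-- Assumptions (example, not from the question): restored copy on an isolated
-- SQL Server 2016+ instance, connected as sysadmin, suspect DB is current DB.
SET NOCOUNT ON;

-- 1. Tokens that rarely belong in application code. Starting list; extend it.
--    '_' is a LIKE wildcard, so it is bracket-escaped to match literally.
DECLARE @patterns TABLE (pattern nvarchar(100), why nvarchar(100));
INSERT INTO @patterns (pattern, why) VALUES
    (N'%xp[_]cmdshell%',         N'OS command execution'),
    (N'%sp[_]OACreate%',         N'OLE automation (COM objects, file/network I/O)'),
    (N'%xp[_]regwrite%',         N'registry write'),
    (N'%OPENROWSET%',            N'ad hoc remote/file access, exfiltration'),
    (N'%BULK INSERT%',           N'file read from disk'),
    (N'%sp[_]configure%',        N'changing server options at runtime'),
    (N'%sp[_]addsrvrolemember%', N'privilege escalation'),
    (N'%ALTER SERVER ROLE%',     N'privilege escalation'),
    (N'%CREATE ASSEMBLY%',       N'loading CLR code'),
    (N'%FROM 0x%',               N'assembly or payload embedded as hex literal'),
    (N'%xp[_]dirtree%',          N'UNC path, NTLM hash capture'),
    (N'%EXEC(%',                 N'dynamic SQL, inspect what it builds');

-- 2. Procedures, functions, views and triggers whose source contains a token.
SELECT  s.name AS schema_name, o.name AS object_name, o.type_desc,
        o.create_date, o.modify_date, p.why, p.pattern
FROM    sys.sql_modules AS m
JOIN    sys.objects     AS o ON o.object_id = m.object_id
JOIN    sys.schemas     AS s ON s.schema_id = o.schema_id
JOIN    @patterns       AS p ON m.definition LIKE p.pattern
ORDER BY o.modify_date DESC;

-- 3. Fingerprint every module so this result set can be diffed against the same
--    query run on a known-good backup or against source control. Modules
--    created WITH ENCRYPTION have a NULL definition and hash; each one of
--    those needs a manual look, because their code is hidden from this scan.
SELECT  s.name AS schema_name, o.name AS object_name, o.type_desc, o.modify_date,
        OBJECTPROPERTY(o.object_id, 'IsEncrypted') AS is_encrypted,
        CONVERT(char(64), HASHBYTES('SHA2_256', m.definition), 2) AS sha256
FROM    sys.sql_modules AS m
JOIN    sys.objects     AS o ON o.object_id = m.object_id
JOIN    sys.schemas     AS s ON s.schema_id = o.schema_id
ORDER BY s.name, o.name;

-- 4. Persistence: procedures in master marked to run at instance startup.
SELECT  name, create_date, modify_date
FROM    master.sys.procedures
WHERE   OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

-- 5. Persistence: server-scoped DDL and logon triggers, with their source.
SELECT  t.name, t.parent_class_desc, t.is_disabled, t.create_date,
        t.modify_date, sm.definition
FROM    sys.server_triggers AS t
LEFT JOIN sys.server_sql_modules AS sm ON sm.object_id = t.object_id;

-- 6. Persistence: database-scoped DML/DDL triggers. A trigger on a frequently
--    written table is the classic place for code that "triggers when called".
SELECT  t.name, t.parent_class_desc, OBJECT_NAME(t.parent_id) AS parent_object,
        t.is_disabled, t.create_date, t.modify_date
FROM    sys.triggers AS t
ORDER BY t.modify_date DESC;

-- 7. Persistence: user-defined CLR assemblies (UNSAFE / EXTERNAL_ACCESS can run
--    arbitrary .NET code). Hash the binary for offline analysis or AV scanning.
SELECT  a.name, a.permission_set_desc, a.create_date, a.modify_date,
        af.name AS file_name, DATALENGTH(af.content) AS bytes,
        CONVERT(char(64), HASHBYTES('SHA2_256', af.content), 2) AS sha256
FROM    sys.assemblies AS a
JOIN    sys.assembly_files AS af ON af.assembly_id = a.assembly_id
WHERE   a.is_user_defined = 1;

-- 8. Persistence: SQL Agent jobs that run OS commands or PowerShell.
SELECT  j.name AS job_name, j.enabled, j.date_modified,
        js.step_id, js.subsystem, js.command
FROM    msdb.dbo.sysjobs AS j
JOIN    msdb.dbo.sysjobsteps AS js ON js.job_id = j.job_id
WHERE   js.subsystem IN ('CmdExec', 'PowerShell')
   OR   js.command LIKE N'%xp[_]cmdshell%';

-- 9. Server options an attacker typically switches on, and linked servers that
--    give a foothold a path to other hosts.
SELECT  name, value_in_use
FROM    sys.configurations
WHERE   name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled',
                 'Ad Hoc Distributed Queries', 'clr strict security');

SELECT  name, product, provider, data_source, modify_date
FROM    sys.servers
WHERE   is_linked = 1;
```

Steps 4, 5, 8 and 9 read instance-level state, so they only tell you something if the export was a full instance (system databases included) rather than a single user database; on a bare user-database restore they describe your analysis instance, not the victim. The token scan in step 2 is a noisy first pass; the hash diff in step 3 against a trusted baseline is what actually settles whether a module was altered.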