Which SIEM platforms have a CVE-2024-43468 detection rule?

df00tech provides CVE-2024-43468 (CVE-2024-43468: Microsoft Configuration Manager SQL Injection Exploitation) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the CVE-2024-43468 detection?

The CVE-2024-43468 detection is rated critical severity with medium confidence.

What are common false positives for CVE-2024-43468?

Common false positives for CVE-2024-43468 include: Legitimate SCCM administrative queries that contain SQL-like syntax in URI parameters during software deployment operations; Vulnerability scanners or security assessment tools probing ConfigMgr endpoints as part of authorized penetration testing; ConfigMgr health monitoring scripts that spawn cmd.exe or PowerShell to check service status.

CVE-2024-43468

CVE-2024-43468: Microsoft Configuration Manager SQL Injection Exploitation

Q: What data sources are required to detect CVE-2024-43468: Microsoft Configuration Manager SQL Injection Exploitation (CVE-2024-43468)?

Detecting CVE-2024-43468: Microsoft Configuration Manager SQL Injection Exploitation requires the following data sources: DeviceNetworkEvents, DeviceProcessEvents, W3CIISLog, Event.

Initial Access Credential Access Lateral Movement Last updated: June 19, 2026

Detects exploitation attempts targeting CVE-2024-43468, a SQL injection vulnerability in Microsoft Configuration Manager (SCCM/ConfigMgr). This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands against the ConfigMgr site database, potentially leading to remote code execution, credential theft, and lateral movement within the environment. Listed in CISA KEV indicating active exploitation in the wild.

Vulnerability Intelligence

KEV — Known Exploited

CVE

CVE-2024-43468↗ NVD

Affected Software

Vendor: Microsoft
Product: Configuration Manager

Weakness (CWE)

CWE-89

Timeline

Disclosed: February 12, 2026

References & Proof of Concept

CVSS

Unscored

Write-up coming soon

What is CVE-2024-43468 CVE-2024-43468: Microsoft Configuration Manager SQL Injection Exploitation?

CVE-2024-43468: Microsoft Configuration Manager SQL Injection Exploitation (CVE-2024-43468) maps to the Initial Access and Credential Access and Lateral Movement tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for CVE-2024-43468: Microsoft Configuration Manager SQL Injection Exploitation, covering the data sources and telemetry it touches: DeviceNetworkEvents, DeviceProcessEvents, W3CIISLog, Event. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Initial Access Credential Access Lateral Movement

Microsoft Sentinel / Defender

kusto

let configmgr_ports = dynamic([80, 443, 8530, 8531, 10123]);
let sql_injection_patterns = dynamic(['UNION SELECT', 'OR 1=1', 'DROP TABLE', 'EXEC xp_', 'CAST(0x', 'WAITFOR DELAY', 'BENCHMARK(', "' OR '", "1=1--", 'xp_cmdshell']);
let timeframe = 1h;
union
(
  DeviceNetworkEvents
  | where TimeGenerated >= ago(timeframe)
  | where RemotePort in (configmgr_ports) or LocalPort in (configmgr_ports)
  | where DeviceName contains "SCCM" or DeviceName contains "ConfigMgr" or DeviceName contains "SMS"
  | project TimeGenerated, DeviceName, RemoteIP, RemotePort, LocalPort, InitiatingProcessFileName, ActionType
  | extend AlertType = "ConfigMgr Network Activity"
),
(
  DeviceProcessEvents
  | where TimeGenerated >= ago(timeframe)
  | where InitiatingProcessParentFileName in~ ("SMSvcHost.exe", "CcmExec.exe", "smsexec.exe")
  | where FileName in~ ("sqlcmd.exe", "osql.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
  | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
  | extend AlertType = "Suspicious Child Process from ConfigMgr"
),
(
  W3CIISLog
  | where TimeGenerated >= ago(timeframe)
  | where csUriStem contains "/SMS_" or csUriStem contains "/ccm_" or csUriStem contains "/AdminService"
  | where (
    csUriQuery has_any (sql_injection_patterns)
    or csUriStem has_any (sql_injection_patterns)
    or csMethod == "POST"
  )
  | where scStatus in (200, 500, 400)
  | project TimeGenerated, cIP, csMethod, csUriStem, csUriQuery, scStatus, scBytes, csUserAgent
  | extend AlertType = "Suspicious ConfigMgr HTTP Request"
),
(
  Event
  | where TimeGenerated >= ago(timeframe)
  | where Source == "MSSQLSERVER" or Source == "MSSQL$MICROSOFT##SS"
  | where EventID in (18456, 17882, 8601, 1205)
  | extend AlertType = "SQL Server Error - Potential Injection"
  | project TimeGenerated, Source, EventID, RenderedDescription, Computer, AlertType
)
| order by TimeGenerated desc

Detects suspicious activity indicative of CVE-2024-43468 exploitation against Microsoft Configuration Manager by correlating IIS web logs for SQL injection patterns in ConfigMgr endpoints, suspicious child processes spawned from ConfigMgr services, and SQL Server error events.

critical severity medium confidence

Data Sources

DeviceNetworkEvents DeviceProcessEvents W3CIISLog Event

Required Tables

DeviceNetworkEvents DeviceProcessEvents W3CIISLog Event

False Positives

Legitimate SCCM administrative queries that contain SQL-like syntax in URI parameters during software deployment operations
Vulnerability scanners or security assessment tools probing ConfigMgr endpoints as part of authorized penetration testing
ConfigMgr health monitoring scripts that spawn cmd.exe or PowerShell to check service status
SQL Server maintenance jobs or replication tasks generating error events during normal operation
Load balancers or proxies performing health checks against ConfigMgr IIS endpoints

Splunk

spl

index=* sourcetype IN ("iis", "WinEventLog:Application", "WinEventLog:Security", "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval is_configmgr_iis=if(match(cs_uri_stem, "(?i)/SMS_|/ccm_|/AdminService|/ConfigMgr"), 1, 0)
| eval sql_inject_hit=if(match(cs_uri_query, "(?i)UNION\\s+SELECT|OR\\s+1\\s*=\\s*1|DROP\\s+TABLE|EXEC\\s+xp_|WAITFOR\\s+DELAY|xp_cmdshell|CAST\\(0x|BENCHMARK\\("), 1, 0)
| eval sccm_child_proc=if(match(ParentImage, "(?i)SMSvcHost\.exe|CcmExec\.exe|smsexec\.exe") AND match(Image, "(?i)sqlcmd\.exe|osql\.exe|cmd\.exe|powershell\.exe|wscript\.exe"), 1, 0)
| eval sql_error=if(sourcetype="WinEventLog:Application" AND (EventCode=18456 OR EventCode=17882 OR EventCode=8601) AND match(SourceName, "(?i)MSSQL"), 1, 0)
| where is_configmgr_iis=1 OR sql_inject_hit=1 OR sccm_child_proc=1 OR sql_error=1
| eval alert_type=case(
    sql_inject_hit=1, "SQL Injection Pattern in ConfigMgr Request",
    sccm_child_proc=1, "Suspicious Child Process from ConfigMgr Service",
    sql_error=1, "SQL Server Error Event - Potential Injection",
    true(), "Suspicious ConfigMgr HTTP Activity"
  )
| stats count min(_time) as first_seen max(_time) as last_seen values(src_ip) as source_ips values(cs_uri_stem) as uris values(Image) as child_processes values(CommandLine) as cmdlines by host alert_type
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - count
| table host alert_type count first_seen last_seen source_ips uris child_processes cmdlines

Detects CVE-2024-43468 exploitation indicators across IIS logs for ConfigMgr endpoints with SQL injection patterns, Sysmon process creation events showing suspicious child processes under SCCM services, and Windows Application event log SQL Server errors.

critical severity medium confidence

Data Sources

IIS Web Logs Windows Event Log (Application) Sysmon

Required Sourcetypes

iis WinEventLog:Application WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Authorized SCCM administrators running SQL queries for reporting or troubleshooting through ConfigMgr console
Security scanners performing routine vulnerability assessments against ConfigMgr web services
ConfigMgr client health evaluation processes spawning cmd.exe for remediation scripts
Backup and maintenance SQL jobs generating error events in the Application log
Third-party SCCM management tools that interact with the AdminService REST API using complex query strings

Sumo Logic CSE

sql

_sourceCategory=*iis* OR _sourceCategory=*windows/event* OR _sourceCategory=*sysmon*
| where _sourceCategory matches "*iis*" or _sourceCategory matches "*windows*" or _sourceCategory matches "*sysmon*"
| parse regex "(?<uri_stem>/(?:SMS_|ccm_|AdminService)[^\\s\"']*)" nodrop
| parse regex "(?<sql_pattern>(?i)(?:UNION\\s+SELECT|OR\\s+1=1|xp_cmdshell|WAITFOR\\s+DELAY|DROP\\s+TABLE|EXEC\\s+xp_))" nodrop
| parse regex "(?<parent_proc>(?i)(?:SMSvcHost\.exe|CcmExec\.exe|smsexec\.exe))" nodrop
| parse regex "(?<child_proc>(?i)(?:sqlcmd\.exe|osql\.exe|cmd\.exe|powershell\.exe))" nodrop
| where (uri_stem != "" and sql_pattern != "") or (parent_proc != "" and child_proc != "") or (EventID in ("18456", "17882", "8601"))
| eval alert_type = if (!isEmpty(sql_pattern), "SQL Injection in ConfigMgr URI",
                    if (!isEmpty(child_proc) and !isEmpty(parent_proc), "Suspicious Child Process under SCCM",
                    "SQL Server Error Event"))
| stats count, first(_messageTime) as first_seen, last(_messageTime) as last_seen, values(src_ip) as source_ips, values(uri_stem) as uris by _sourceHost, alert_type
| sort by count desc

Sumo Logic query detecting CVE-2024-43468 exploitation indicators across IIS, Windows Event, and Sysmon log sources by identifying SQL injection patterns in ConfigMgr URIs, SCCM service spawning suspicious child processes, and SQL Server error events.

critical severity medium confidence

Data Sources

IIS Access Logs Windows Event Logs Sysmon

Required Tables

_sourceCategory=*iis* _sourceCategory=*windows/event* _sourceCategory=*sysmon*

False Positives

ConfigMgr reporting services generating complex queries that match SQL injection patterns superficially
Legitimate software deployments via SCCM that invoke PowerShell or cmd.exe as part of installation scripts
SQL Server replication or Always On availability group events generating error codes during failover
Network monitoring tools performing deep packet inspection and logging ConfigMgr traffic with decoded payloads

Google Chronicle / SecOps

yaral

rule cve_2024_43468_configmgr_sqli {
  meta:
    author = "df00tech"
    description = "Detects CVE-2024-43468 exploitation - Microsoft Configuration Manager SQL Injection"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43468"
    cve = "CVE-2024-43468"

  events:
    (
      $e1.metadata.event_type = "NETWORK_HTTP" and
      (
        re.regex($e1.target.url, `(?i)/SMS_|/ccm_|/AdminService`) and
        re.regex($e1.target.url, `(?i)UNION.{0,10}SELECT|OR.{0,5}1.{0,5}=.{0,5}1|xp_cmdshell|WAITFOR.{0,5}DELAY|DROP.{0,5}TABLE|EXEC.{0,5}xp_`)
      ) and
      $e1.target.port in (80, 443, 8530, 8531)
    ) or
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e1.principal.process.file.full_path, `(?i)SMSvcHost\.exe|CcmExec\.exe|smsexec\.exe`) and
      re.regex($e1.target.process.file.full_path, `(?i)sqlcmd\.exe|osql\.exe|cmd\.exe|powershell\.exe|wscript\.exe`)
    ) or
    (
      $e1.metadata.event_type = "GENERIC_EVENT" and
      $e1.metadata.product_name = "Microsoft-Windows-Security-Auditing" and
      $e1.metadata.product_event_type in ("18456", "17882", "8601")
    )

  condition:
    $e1
}

Chronicle YARA-L 2.0 rule detecting CVE-2024-43468 exploitation through HTTP events with SQL injection patterns targeting ConfigMgr endpoints, process launch events showing SCCM service spawning suspicious children, and SQL Server security audit events.

critical severity medium confidence

Data Sources

Chronicle UDM Windows Event Logs (via Chronicle ingestion) IIS Logs (via Chronicle ingestion)

Required Tables

NETWORK_HTTP PROCESS_LAUNCH GENERIC_EVENT

False Positives

ConfigMgr REST API AdminService calls that include complex filter expressions resembling SQL syntax
Authorized SCCM task sequences that launch PowerShell or cmd.exe for application installation
SQL Server log shipping or database mirroring generating authentication error events during network interruptions
Security compliance tools that query ConfigMgr endpoints and generate HTTP events with encoded query parameters

Sigma rule & cross-platform mapping

The detection logic for CVE-2024-43468: Microsoft Configuration Manager SQL Injection Exploitation (CVE-2024-43468) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2024-43468 Sigma rules on detection.fyi

Platform-specific guides for CVE-2024-43468

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-06-19 Research depth: standard

References (2)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1ConfigMgr AdminService SQL Injection Probe
Expected signal: IIS W3C log entry showing the request to /AdminService/v1.0/Device with the encoded SQL payload in the query string. SQL Server error log should show a syntax error if the payload reaches the database layer.
Test 2SCCM Service xp_cmdshell Execution Simulation via SQL
Expected signal: Windows Application Event Log: SQL Server events for sp_configure changes (EventID 15457). SQL Server error log: xp_cmdshell execution entry. Sysmon EventID 1: cmd.exe spawned with parent process sqlservr.exe executing the whoami/hostname/ipconfig commands.
Test 3ConfigMgr Management Point Error Flood via Malformed Requests
Expected signal: IIS access log entries for each probed endpoint showing the SQL injection string in the query parameter. HTTP response codes (200, 400, 500) indicating which endpoints processed the request. Network flow records showing sequential HTTP connections from the attacker IP to port 80/443.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2024-43468 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0001Initial Access TA0006Credential Access TA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing Application T1078Valid Accounts T1210Exploitation of Remote Services T1505.003Web Shell

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2024-43468 CVE-2024-43468: Microsoft Configuration Manager SQL Injection Exploitation?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2024-43468

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox