Detect CVE-2024-43468: Microsoft Configuration Manager SQL Injection Exploitation in Google Chronicle
Detects exploitation attempts targeting CVE-2024-43468, a SQL injection vulnerability in Microsoft Configuration Manager (SCCM/ConfigMgr). This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands against the ConfigMgr site database, potentially leading to remote code execution, credential theft, and lateral movement within the environment. Listed in CISA KEV indicating active exploitation in the wild.
MITRE ATT&CK
YARA-L Detection Query
rule cve_2024_43468_configmgr_sqli {
meta:
author = "df00tech"
description = "Detects CVE-2024-43468 exploitation - Microsoft Configuration Manager SQL Injection"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43468"
cve = "CVE-2024-43468"
events:
(
$e1.metadata.event_type = "NETWORK_HTTP" and
(
re.regex($e1.target.url, `(?i)/SMS_|/ccm_|/AdminService`) and
re.regex($e1.target.url, `(?i)UNION.{0,10}SELECT|OR.{0,5}1.{0,5}=.{0,5}1|xp_cmdshell|WAITFOR.{0,5}DELAY|DROP.{0,5}TABLE|EXEC.{0,5}xp_`)
) and
$e1.target.port in (80, 443, 8530, 8531)
) or
(
$e1.metadata.event_type = "PROCESS_LAUNCH" and
re.regex($e1.principal.process.file.full_path, `(?i)SMSvcHost\.exe|CcmExec\.exe|smsexec\.exe`) and
re.regex($e1.target.process.file.full_path, `(?i)sqlcmd\.exe|osql\.exe|cmd\.exe|powershell\.exe|wscript\.exe`)
) or
(
$e1.metadata.event_type = "GENERIC_EVENT" and
$e1.metadata.product_name = "Microsoft-Windows-Security-Auditing" and
$e1.metadata.product_event_type in ("18456", "17882", "8601")
)
condition:
$e1
}Chronicle YARA-L 2.0 rule detecting CVE-2024-43468 exploitation through HTTP events with SQL injection patterns targeting ConfigMgr endpoints, process launch events showing SCCM service spawning suspicious children, and SQL Server security audit events.
Data Sources
Required Tables
False Positives & Tuning
- ConfigMgr REST API AdminService calls that include complex filter expressions resembling SQL syntax
- Authorized SCCM task sequences that launch PowerShell or cmd.exe for application installation
- SQL Server log shipping or database mirroring generating authentication error events during network interruptions
- Security compliance tools that query ConfigMgr endpoints and generate HTTP events with encoded query parameters
Other platforms for CVE-2024-43468
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1ConfigMgr AdminService SQL Injection Probe
Expected signal: IIS W3C log entry showing the request to /AdminService/v1.0/Device with the encoded SQL payload in the query string. SQL Server error log should show a syntax error if the payload reaches the database layer.
- Test 2SCCM Service xp_cmdshell Execution Simulation via SQL
Expected signal: Windows Application Event Log: SQL Server events for sp_configure changes (EventID 15457). SQL Server error log: xp_cmdshell execution entry. Sysmon EventID 1: cmd.exe spawned with parent process sqlservr.exe executing the whoami/hostname/ipconfig commands.
- Test 3ConfigMgr Management Point Error Flood via Malformed Requests
Expected signal: IIS access log entries for each probed endpoint showing the SQL injection string in the query parameter. HTTP response codes (200, 400, 500) indicating which endpoints processed the request. Network flow records showing sequential HTTP connections from the attacker IP to port 80/443.
Unlock Pro Content
Get the full detection package for CVE-2024-43468 including response playbook, investigation guide, and atomic red team tests.