Detect CVE-2024-43468: Microsoft Configuration Manager SQL Injection Exploitation in Elastic Security
Detects exploitation attempts targeting CVE-2024-43468, a SQL injection vulnerability in Microsoft Configuration Manager (SCCM/ConfigMgr). This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands against the ConfigMgr site database, potentially leading to remote code execution, credential theft, and lateral movement within the environment. Listed in CISA KEV indicating active exploitation in the wild.
MITRE ATT&CK
Elastic Detection Query
sequence by host.name with maxspan=5m
[
network where event.type == "connection" and
(
destination.port in (80, 443, 8530, 8531, 10123) or
source.port in (80, 443, 8530, 8531, 10123)
) and
(
host.name like~ "*SCCM*" or
host.name like~ "*ConfigMgr*" or
host.name like~ "*SMS*"
)
] by source.ip
[
process where event.type == "start" and
process.parent.name in~ ("SMSvcHost.exe", "CcmExec.exe", "smsexec.exe") and
process.name in~ ("sqlcmd.exe", "osql.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
] by host.ip
| filter trueEQL sequence detection correlating inbound network connections to ConfigMgr ports with subsequent suspicious child process spawning from SCCM service processes, indicating potential post-exploitation activity following SQL injection.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate ConfigMgr push installations that spawn cmd.exe on managed endpoints
- SCCM compliance remediation scripts that execute command-line tools after network policy refresh
- ConfigMgr software distribution tasks that use scripted deployments with command-line execution
- Security tools polling ConfigMgr management points for inventory or policy updates
Other platforms for CVE-2024-43468
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1ConfigMgr AdminService SQL Injection Probe
Expected signal: IIS W3C log entry showing the request to /AdminService/v1.0/Device with the encoded SQL payload in the query string. SQL Server error log should show a syntax error if the payload reaches the database layer.
- Test 2SCCM Service xp_cmdshell Execution Simulation via SQL
Expected signal: Windows Application Event Log: SQL Server events for sp_configure changes (EventID 15457). SQL Server error log: xp_cmdshell execution entry. Sysmon EventID 1: cmd.exe spawned with parent process sqlservr.exe executing the whoami/hostname/ipconfig commands.
- Test 3ConfigMgr Management Point Error Flood via Malformed Requests
Expected signal: IIS access log entries for each probed endpoint showing the SQL injection string in the query parameter. HTTP response codes (200, 400, 500) indicating which endpoints processed the request. Network flow records showing sequential HTTP connections from the attacker IP to port 80/443.
Unlock Pro Content
Get the full detection package for CVE-2024-43468 including response playbook, investigation guide, and atomic red team tests.