Detect CVE-2024-43468: Microsoft Configuration Manager SQL Injection Exploitation in CrowdStrike LogScale
Detects exploitation attempts targeting CVE-2024-43468, a SQL injection vulnerability in Microsoft Configuration Manager (SCCM/ConfigMgr). This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands against the ConfigMgr site database, potentially leading to remote code execution, credential theft, and lateral movement within the environment. Listed in CISA KEV indicating active exploitation in the wild.
MITRE ATT&CK
LogScale Detection Query
#event_simpleName IN (HttpRequest, ProcessRollup2, NetworkConnectIP4)
| $HttpRequest
| filter (HttpPath LIKE "/SMS_*" OR HttpPath LIKE "/ccm_*" OR HttpPath LIKE "/AdminService*")
| filter (HttpPath MATCHES "(?i)(UNION.{0,10}SELECT|OR.{0,5}1.{0,5}=.{0,5}1|xp_cmdshell|WAITFOR.{0,5}DELAY|DROP.{0,5}TABLE|EXEC.{0,5}xp_)")
| select timestamp, HostnameField, RemoteAddressIP4, HttpMethod, HttpPath, HttpStatus
| eval AlertType="SQL Injection in ConfigMgr URI"
| $ProcessRollup2
| filter ParentBaseFileName IN~ ("SMSvcHost.exe", "CcmExec.exe", "smsexec.exe")
| filter FileName IN~ ("sqlcmd.exe", "osql.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
| select timestamp, ComputerName, UserName, ParentBaseFileName, FileName, CommandLine
| eval AlertType="Suspicious Child Process from ConfigMgr Service"
| union
| sort timestamp desc
| limit 500CrowdStrike Falcon LogScale/CQL query detecting CVE-2024-43468 exploitation by hunting for SQL injection patterns in ConfigMgr HTTP paths and suspicious process creation chains originating from SCCM service processes.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate ConfigMgr client communications that include encoded parameters resembling SQL syntax
- SCCM software deployment scripts that invoke command-line interpreters as part of package installation
- Authorized security assessments using CrowdStrike sensors to monitor ConfigMgr exploitation testing
- ConfigMgr boundary group probing that generates HTTP events with complex query strings
Other platforms for CVE-2024-43468
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1ConfigMgr AdminService SQL Injection Probe
Expected signal: IIS W3C log entry showing the request to /AdminService/v1.0/Device with the encoded SQL payload in the query string. SQL Server error log should show a syntax error if the payload reaches the database layer.
- Test 2SCCM Service xp_cmdshell Execution Simulation via SQL
Expected signal: Windows Application Event Log: SQL Server events for sp_configure changes (EventID 15457). SQL Server error log: xp_cmdshell execution entry. Sysmon EventID 1: cmd.exe spawned with parent process sqlservr.exe executing the whoami/hostname/ipconfig commands.
- Test 3ConfigMgr Management Point Error Flood via Malformed Requests
Expected signal: IIS access log entries for each probed endpoint showing the SQL injection string in the query parameter. HTTP response codes (200, 400, 500) indicating which endpoints processed the request. Network flow records showing sequential HTTP connections from the attacker IP to port 80/443.
Unlock Pro Content
Get the full detection package for CVE-2024-43468 including response playbook, investigation guide, and atomic red team tests.