Detect CVE-2024-43468: Microsoft Configuration Manager SQL Injection Exploitation in IBM QRadar
Detects exploitation attempts targeting CVE-2024-43468, a SQL injection vulnerability in Microsoft Configuration Manager (SCCM/ConfigMgr). This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands against the ConfigMgr site database, potentially leading to remote code execution, credential theft, and lateral movement within the environment. Listed in CISA KEV indicating active exploitation in the wild.
MITRE ATT&CK
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
sourceip,
destinationip,
destinationport,
URL,
username,
QIDNAME(qid) AS event_name,
logsourcename(logSourceId) AS log_source,
"Message"
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('Microsoft IIS', 'Microsoft Windows Security Event Log', 'Sysmon')
AND (
(
(URL ILIKE '%/SMS_%' OR URL ILIKE '%/ccm_%' OR URL ILIKE '%/AdminService%')
AND (
URL ILIKE '%UNION%SELECT%'
OR URL ILIKE '%OR%1=1%'
OR URL ILIKE '%xp_cmdshell%'
OR URL ILIKE '%WAITFOR%DELAY%'
OR URL ILIKE '%EXEC%xp_%'
OR URL ILIKE '%DROP%TABLE%'
)
)
OR
(
QIDNAME(qid) ILIKE '%process%create%'
AND "Message" ILIKE '%SMSvcHost%'
AND (
"Message" ILIKE '%sqlcmd%'
OR "Message" ILIKE '%cmd.exe%'
OR "Message" ILIKE '%powershell%'
)
)
OR
(
EventID IN (18456, 17882, 8601)
AND LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
)
)
AND LOGSOURCEGROUPNAME(logSourceGroupId) ILIKE '%Windows%'
AND starttime > NOW() - 3600000
ORDER BY starttime DESC
LIMIT 500QRadar AQL query detecting CVE-2024-43468 exploitation via SQL injection patterns in ConfigMgr IIS URLs, suspicious process creation under SCCM parent processes, and SQL Server error events indicating injection attempts.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate URL-encoded characters in ConfigMgr HTTP requests that trigger pattern matches
- SCCM compliance evaluation spawning command-line tools as part of authorized remediation workflows
- SQL Server scheduled jobs and maintenance plans generating error events during off-hours maintenance windows
- Authorized red team or penetration testing activity against ConfigMgr infrastructure
Other platforms for CVE-2024-43468
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1ConfigMgr AdminService SQL Injection Probe
Expected signal: IIS W3C log entry showing the request to /AdminService/v1.0/Device with the encoded SQL payload in the query string. SQL Server error log should show a syntax error if the payload reaches the database layer.
- Test 2SCCM Service xp_cmdshell Execution Simulation via SQL
Expected signal: Windows Application Event Log: SQL Server events for sp_configure changes (EventID 15457). SQL Server error log: xp_cmdshell execution entry. Sysmon EventID 1: cmd.exe spawned with parent process sqlservr.exe executing the whoami/hostname/ipconfig commands.
- Test 3ConfigMgr Management Point Error Flood via Malformed Requests
Expected signal: IIS access log entries for each probed endpoint showing the SQL injection string in the query parameter. HTTP response codes (200, 400, 500) indicating which endpoints processed the request. Network flow records showing sequential HTTP connections from the attacker IP to port 80/443.
Unlock Pro Content
Get the full detection package for CVE-2024-43468 including response playbook, investigation guide, and atomic red team tests.