CVE-2024-43468 Splunk · SPL

Detect CVE-2024-43468: Microsoft Configuration Manager SQL Injection Exploitation in Splunk

Detects exploitation attempts targeting CVE-2024-43468, a SQL injection vulnerability in Microsoft Configuration Manager (SCCM/ConfigMgr). The vulnerability allows unauthenticated attackers to execute arbitrary SQL commands against the ConfigMgr site database, potentially leading to remote code execution, credential theft, and lateral movement within the environment. It is listed in CISA KEV, indicating active exploitation in the wild.

MITRE ATT&CK

Tactics:

  • Initial Access
  • Credential Access
  • Lateral Movement

SPL Detection Query

Splunk (SPL)

```spl
index=* sourcetype IN ("iis", "WinEventLog:Application", "WinEventLog:Security", "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval is_configmgr_iis=if(match(cs_uri_stem, "(?i)/SMS_|/ccm_|/AdminService|/ConfigMgr"), 1, 0)
| eval sql_inject_hit=if(match(cs_uri_query, "(?i)UNION\\s+SELECT|OR\\s+1\\s*=\\s*1|DROP\\s+TABLE|EXEC\\s+xp_|WAITFOR\\s+DELAY|xp_cmdshell|CAST\\(0x|BENCHMARK\\("), 1, 0)
| eval sccm_child_proc=if(match(ParentImage, "(?i)SMSvcHost\\.exe|CcmExec\\.exe|smsexec\\.exe") AND match(Image, "(?i)sqlcmd\\.exe|osql\\.exe|cmd\\.exe|powershell\\.exe|wscript\\.exe"), 1, 0)
| eval sql_error=if(sourcetype="WinEventLog:Application" AND (EventCode=18456 OR EventCode=17882 OR EventCode=8601) AND match(SourceName, "(?i)MSSQL"), 1, 0)
| where is_configmgr_iis=1 OR sql_inject_hit=1 OR sccm_child_proc=1 OR sql_error=1
| eval alert_type=case(
    sql_inject_hit=1, "SQL Injection Pattern in ConfigMgr Request",
    sccm_child_proc=1, "Suspicious Child Process from ConfigMgr Service",
    sql_error=1, "SQL Server Error Event - Potential Injection",
    true(), "Suspicious ConfigMgr HTTP Activity"
  )
| stats count min(_time) as first_seen max(_time) as last_seen values(src_ip) as source_ips values(cs_uri_stem) as uris values(Image) as child_processes values(CommandLine) as cmdlines by host alert_type
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - count
| table host alert_type count first_seen last_seen source_ips uris child_processes cmdlines
```

Severity: critical · Confidence: medium

Detects CVE-2024-43468 exploitation indicators across IIS logs for ConfigMgr endpoints with SQL injection patterns, Sysmon process creation events showing suspicious child processes under SCCM services, and Windows Application event log SQL Server errors.
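As an added example (not code from this detection page or from Splunk), the IIS and Sysmon branches of the SPL above re-implemented in Python and run over a constructed IIS W3C log, so the classification can be checked offline before the query is deployed. Column names follow the W3C `#Fields:` header (`s-computername` stands in for the Splunk `host` field); the one deliberate difference from the SPL is that the query string is URL-decoded before matching, because IIS writes `cs-uri-query` encoded and the literal `\s+` in the SPL would otherwise miss an encoded `UNION%20SELECT`.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Patterns copied from the SPL above (Python regex literals use single backslashes).
CONFIGMGR_URI = re.compile(r"/SMS_|/ccm_|/AdminService|/ConfigMgr", re.I)
SQLI = re.compile(r"UNION\s+SELECT|OR\s+1\s*=\s*1|DROP\s+TABLE|EXEC\s+xp_|"
                  r"WAITFOR\s+DELAY|xp_cmdshell|CAST\(0x|BENCHMARK\(", re.I)
SCCM_PARENT = re.compile(r"SMSvcHost\.exe|CcmExec\.exe|smsexec\.exe", re.I)
SHELL_CHILD = re.compile(r"sqlcmd\.exe|osql\.exe|cmd\.exe|powershell\.exe|wscript\.exe", re.I)

def classify_iis(cs_uri_stem, cs_uri_query):
    """IIS branch of the case(), same precedence as the SPL. IIS logs the query
    URL-encoded, so decode it first: otherwise "UNION%20SELECT" never matches \\s+."""
    if SQLI.search(unquote_plus(cs_uri_query or "")):
        return "SQL Injection Pattern in ConfigMgr Request"
    if CONFIGMGR_URI.search(cs_uri_stem or ""):
        return "Suspicious ConfigMgr HTTP Activity"  # fires on every client check-in
    return None

def classify_sysmon(parent_image, image):
    """Sysmon EventID 1 branch: shell or SQL tooling spawned under an SCCM service."""
    if SCCM_PARENT.search(parent_image or "") and SHELL_CHILD.search(image or ""):
        return "Suspicious Child Process from ConfigMgr Service"
    return None

def parse_w3c(lines):
    # Name the columns from the '#Fields:' directive; skip other '#' directives.
    fields, rows = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def alert_counts(lines):
    """Equivalent of '| stats count ... by host alert_type' for the IIS feed."""
    counts = Counter()
    for row in parse_w3c(lines):
        alert = classify_iis(row.get("cs-uri-stem"), row.get("cs-uri-query"))
        if alert:
            counts[(row["s-computername"], alert)] += 1
    return counts

# Constructed sample IIS log (not real telemetry): one probe and two normal client requests.
SAMPLE_IIS = """#Fields: date time s-computername cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-10-09 10:00:01 CM01 GET /AdminService/v1.0/Device $filter=Name%20eq%20'x'%20UNION%20SELECT%201 10.0.0.5 500
2024-10-09 10:00:02 CM01 GET /ccm_system/request - 10.0.0.20 200
2024-10-09 10:00:03 CM01 GET /SMS_MP/.sms_aut MPLIST 10.0.0.21 200""".splitlines()
```

Note that two of the three sample rows land in the catch-all "Suspicious ConfigMgr HTTP Activity" bucket, which is what the bare `is_configmgr_iis=1` condition in the `where` clause does to routine client traffic; that branch is the one to tune first.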

Data Sources

  • IIS Web Logs
  • Windows Event Log (Application)
  • Sysmon

Required Sourcetypes

  • iis
  • WinEventLog:Application
  • WinEventLog:Security
  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Authorized SCCM administrators running SQL queries for reporting or troubleshooting through ConfigMgr console
  • Security scanners performing routine vulnerability assessments against ConfigMgr web services
  • ConfigMgr client health evaluation processes spawning cmd.exe for remediation scripts
  • Backup and maintenance SQL jobs generating error events in the Application log
  • Third-party SCCM management tools that interact with the AdminService REST API using complex query strings

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: ConfigMgr AdminService SQL Injection Probe

    Expected signal: IIS W3C log entry showing the request to /AdminService/v1.0/Device with the encoded SQL payload in the query string. SQL Server error log should show a syntax error if the payload reaches the database layer.

  2. Test 2: SCCM Service xp_cmdshell Execution Simulation via SQL

    Expected signal: Windows Application Event Log: SQL Server events for sp_configure changes (EventID 15457). SQL Server error log: xp_cmdshell execution entry. Sysmon EventID 1: cmd.exe spawned with parent process sqlservr.exe executing the whoami/hostname/ipconfig commands.

  3. Test 3: ConfigMgr Management Point Error Flood via Malformed Requests

    Expected signal: IIS access log entries for each probed endpoint showing the SQL injection string in the query parameter. HTTP response codes (200, 400, 500) indicating which endpoints processed the request. Network flow records showing sequential HTTP connections from the attacker IP to port 80/443.
