Detect CVE-2024-43468: Microsoft Configuration Manager SQL Injection Exploitation in Sumo Logic CSE
Detects exploitation attempts targeting CVE-2024-43468, a SQL injection vulnerability in Microsoft Configuration Manager (SCCM/ConfigMgr). This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands against the ConfigMgr site database, potentially leading to remote code execution, credential theft, and lateral movement within the environment. Listed in CISA KEV indicating active exploitation in the wild.
MITRE ATT&CK
Sumo Detection Query
// Scope to the three sources the rule consumes: IIS W3C access logs, Windows
// event logs (the Application log carries SQL Server events) and Sysmon.
_sourceCategory=*iis* OR _sourceCategory=*windows/event* OR _sourceCategory=*sysmon*
// Client IP: c-ip is the 9th field in the default IIS W3C field order (assumes the default order).
// nodrop keeps Windows and Sysmon events that do not match.
| parse regex "^\S+ \S+ \S+ \S+ \S+ \S+ \S+ \S+ (?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
// ConfigMgr Management Point and AdminService paths
| parse regex "(?<uri_stem>/(?:SMS_|ccm_|AdminService)[^\s\"']*)" nodrop
// SQL injection markers. IIS logs cs-uri-query exactly as the client sent it, so the
// separators accept %20 and + as well as literal whitespace.
| parse regex "(?<sql_pattern>(?i)(?:UNION(?:\s|%20|\+)+SELECT|OR(?:\s|%20|\+)+1=1|xp_cmdshell|WAITFOR(?:\s|%20|\+)+DELAY|DROP(?:\s|%20|\+)+TABLE|EXEC(?:\s|%20|\+)+xp_))" nodrop
// SCCM site and client services plus the site database engine (xp_cmdshell children are spawned by sqlservr.exe)
| parse regex "(?<parent_proc>(?i)(?:SMSvcHost\.exe|CcmExec\.exe|smsexec\.exe|sqlservr\.exe))" nodrop
| parse regex "(?<child_proc>(?i)(?:sqlcmd\.exe|osql\.exe|cmd\.exe|powershell\.exe))" nodrop
// EventID from the Windows Event JSON payload; IIS and Sysmon records without it are kept
| json field=_raw "EventID" as EventID nodrop
| where (!isEmpty(uri_stem) and !isEmpty(sql_pattern)) or (!isEmpty(parent_proc) and !isEmpty(child_proc)) or EventID in ("18456", "17882", "8601")
| if(!isEmpty(sql_pattern), "SQL Injection in ConfigMgr URI",
    if(!isEmpty(child_proc) and !isEmpty(parent_proc), "Suspicious Child Process under SCCM",
    "SQL Server Error Event")) as alert_type
| count, first(_messageTime) as first_seen, last(_messageTime) as last_seen, values(src_ip) as source_ips, values(uri_stem) as uris by _sourceHost, alert_type
| sort by _count desc
This Sumo Logic query surfaces CVE-2024-43468 exploitation indicators across IIS, Windows Event and Sysmon log sources by flagging SQL injection patterns in ConfigMgr URIs, SCCM services or the site SQL Server spawning suspicious child processes, and SQL Server error events, then groups the hits by host and alert type. Because the SQL patterns are matched against the raw message, keep the URL-encoded separators in the regex: a payload logged as UNION%20SELECT or OR+1=1 never contains a literal space.
Data Sources
Required Tables
False Positives & Tuning
- ConfigMgr reporting services generating complex queries that match SQL injection patterns superficially
- Legitimate software deployments via SCCM that invoke PowerShell or cmd.exe as part of installation scripts
- SQL Server replication or Always On availability group events generating error codes during failover
- Network monitoring tools performing deep packet inspection and logging ConfigMgr traffic with decoded payloads
Testing Methodology
Validate this detection with the three Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: ConfigMgr AdminService SQL Injection Probe
Expected signal: IIS W3C log entry showing the request to /AdminService/v1.0/Device with the encoded SQL payload in the query string. SQL Server error log should show a syntax error if the payload reaches the database layer.
- Test 2: SCCM Service xp_cmdshell Execution Simulation via SQL
Expected signal: Windows Application Event Log: SQL Server events for sp_configure changes (EventID 15457). SQL Server error log: xp_cmdshell execution entry. Sysmon EventID 1: cmd.exe spawned with parent process sqlservr.exe executing the whoami/hostname/ipconfig commands.
- Test 3: ConfigMgr Management Point Error Flood via Malformed Requests
Expected signal: IIS access log entries for each probed endpoint showing the SQL injection string in the query parameter. HTTP response codes (200, 400, 500) indicating which endpoints processed the request. Network flow records showing sequential HTTP connections from the attacker IP to port 80/443.
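To check the rule's three branches without a Sumo Logic tenant, the following Python harness (an added example, not code from the original page or from Sumo Logic) replays the same regexes and the same where/if precedence over constructed log lines shaped like the expected signals of Tests 1 to 3. Assumptions: IIS W3C lines use the default field order so c-ip is the ninth field, Windows and Sysmon events appear as flattened "EventID=..." text, the sample lines and host names are made up, and the SQL pattern list accepts URL-encoded separators because IIS records cs-uri-query as sent.

```python
"""Offline replay of the three detection branches of the Sumo Logic rule above
over constructed log lines. Added example, not code from the original page.
Assumes IIS W3C lines use the default field order (c-ip is the 9th field) and
that Windows/Sysmon events are seen as the flattened text Sumo would index."""
import re
from urllib.parse import unquote_plus

# Same alternations as the Sumo query; whitespace also accepts URL encodings
# because IIS writes cs-uri-query exactly as the client sent it.
WS = r"(?:\s|%20|\+)+"
URI_RE = re.compile(r"(/(?:SMS_|ccm_|AdminService)[^\s\"']*)")
SQL_RE = re.compile(
    rf"(UNION{WS}SELECT|OR{WS}1=1|xp_cmdshell|WAITFOR{WS}DELAY|DROP{WS}TABLE|EXEC{WS}xp_)",
    re.I,
)
PARENT_RE = re.compile(r"(SMSvcHost\.exe|CcmExec\.exe|smsexec\.exe|sqlservr\.exe)", re.I)
CHILD_RE = re.compile(r"(sqlcmd\.exe|osql\.exe|cmd\.exe|powershell\.exe)", re.I)
EVENTID_RE = re.compile(r"EventID[=:]\s*(\d+)")
CLIENT_RE = re.compile(r"\[CLIENT: (\d{1,3}(?:\.\d{1,3}){3})\]")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SQL_EVENT_IDS = {"18456", "17882", "8601"}


def client_ip(raw: str):
    """c-ip from a default-order IIS W3C line, else the [CLIENT: x] of a SQL Server event."""
    fields = raw.split(" ")
    if len(fields) > 8 and IPV4_RE.match(fields[8]):
        return fields[8]
    m = CLIENT_RE.search(raw)
    return m.group(1) if m else None


def classify(raw: str):
    """Apply the rule's where/if logic to one message; None means the event is dropped."""
    uri = URI_RE.search(raw)
    # also check the decoded form so %27/%20/+ encoded payloads are not missed
    sql = SQL_RE.search(raw) or SQL_RE.search(unquote_plus(raw))
    parent, child = PARENT_RE.search(raw), CHILD_RE.search(raw)
    eid = EVENTID_RE.search(raw)
    sql_event = bool(eid) and eid.group(1) in SQL_EVENT_IDS
    if not ((uri and sql) or (parent and child) or sql_event):
        return None
    # precedence mirrors the nested if(): sql_pattern wins, then parent/child
    if sql:
        alert = "SQL Injection in ConfigMgr URI"
    elif parent and child:
        alert = "Suspicious Child Process under SCCM"
    else:
        alert = "SQL Server Error Event"
    return {"alert_type": alert, "src_ip": client_ip(raw), "uri": uri.group(1) if uri else None}


def aggregate(events):
    """Mirror '| count, first/last(_messageTime), values(src_ip), values(uri_stem) by _sourceHost, alert_type'."""
    rows = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        hit = classify(ev["raw"])
        if hit is None:
            continue
        key = (ev["host"], hit["alert_type"])
        row = rows.setdefault(key, {"count": 0, "first_seen": ev["time"], "last_seen": ev["time"],
                                    "source_ips": set(), "uris": set()})
        row["count"] += 1
        row["last_seen"] = ev["time"]
        if hit["src_ip"]:
            row["source_ips"].add(hit["src_ip"])
        if hit["uri"]:
            row["uris"].add(hit["uri"])
    # '| sort by _count desc'
    return dict(sorted(rows.items(), key=lambda kv: -kv[1]["count"]))


# Constructed sample telemetry (not real captures) shaped like the expected signals of Tests 1-3.
SAMPLE_EVENTS = [
    {"host": "sccm-mp-01", "time": "2024-10-15T10:22:31Z",
     "raw": "2024-10-15 10:22:31 10.0.0.10 GET /AdminService/v1.0/Device "
            "$filter=Name%20eq%20'x'%20UNION%20SELECT%201,2,3-- 443 - 203.0.113.7 curl/8.0 - 500 0 0 12"},
    {"host": "sccm-mp-01", "time": "2024-10-15T10:22:35Z",
     "raw": "2024-10-15 10:22:35 10.0.0.10 GET /SMS_MP/.sms_aut MPKEYINFORMATIONMEDIA'+OR+1=1-- "
            "80 - 198.51.100.4 python-requests/2.31 - 200 0 0 8"},
    {"host": "sccm-mp-01", "time": "2024-10-15T10:23:02Z",
     "raw": "2024-10-15 10:23:02 10.0.0.10 GET /ccm_system/request - 80 - 10.0.0.23 ccmhttp - 200 0 0 3"},
    {"host": "sccm-db-01", "time": "2024-10-15T10:24:10Z",
     "raw": "EventID=1 Image: C:\\Windows\\System32\\cmd.exe CommandLine: cmd.exe /c whoami "
            "ParentImage: C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe"},
    {"host": "sccm-db-01", "time": "2024-10-15T10:24:40Z",
     "raw": "EventID=18456 Source=MSSQLSERVER Login failed for user 'sa'. Reason: Password did not "
            "match that for the login provided. [CLIENT: 203.0.113.7]"},
    {"host": "ws-042", "time": "2024-10-15T10:25:00Z",
     "raw": "EventID=1 Image: C:\\Windows\\System32\\cmd.exe ParentImage: C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for (host, alert), row in aggregate(SAMPLE_EVENTS).items():
        print(host, alert, row["count"], sorted(row["source_ips"]), sorted(row["uris"]))
```

The two benign lines (a normal /ccm_system/request and cmd.exe under explorer.exe) are dropped, the two probes against the Management Point and AdminService collapse into one "SQL Injection in ConfigMgr URI" row for sccm-mp-01 with both client IPs, and the sqlservr.exe child and the 18456 login failure each produce their own row for sccm-db-01. If you tune the Sumo regexes, change them here first and re-run the harness against your own captured lines.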