T1505.001

SQL Stored Procedures

Adversaries abuse SQL stored procedures to establish persistent access to database servers. In MSSQL, the sp_addstartup or marking a procedure as a startup procedure causes it to execute automatically when SQL Server starts. Enabling xp_cmdshell allows execution of operating system commands. CLR assemblies compiled from .NET code can be registered and linked to stored procedures for arbitrary code execution. Stuxnet used xp_cmdshell for this purpose; Kaspersky documented attackers using startup procedures for persistent backdoor access.

Microsoft Sentinel / Defender

kusto

// T1505.001 — SQL Stored Procedure persistence detection
// Focus on process execution from SQL Server processes
// Part 1: Detect OS commands spawned by SQL Server (xp_cmdshell execution)
let SQLShellExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("sqlservr.exe", "sqlagent.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe",
                      "net.exe", "net1.exe", "whoami.exe", "ipconfig.exe")
| extend DetectionType = "SQL_Server_OS_Command"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect SQL Server process writing files to disk (CLR assembly drop or payload)
let SQLFileWrite = DeviceFileEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("sqlservr.exe", "sqlagent.exe")
| where ActionType == "FileCreated"
| where FolderPath !has "\\Microsoft SQL Server\\"
| where FolderPath !has "\\MSSQL\\"
| extend DetectionType = "SQL_Server_File_Write"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, DetectionType;
// Part 3: Detect registry changes related to SQL Server CLR/startup configuration
let SQLRegistryMod = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any ("SQL Server", "MSSQLSERVER", "SQLServer")
| where RegistryValueName has_any ("xp_cmdshell", "clr enabled", "startup", "CLR")
| extend DetectionType = "SQL_Server_Config_Change"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, DetectionType;
union SQLShellExec, SQLFileWrite, SQLRegistryMod
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation File: File Creation Windows Registry: Registry Value Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents DeviceRegistryEvents

False Positives

Database maintenance scripts using xp_cmdshell for legitimate file system operations (backup to network share, log archival)
SQL Server Agent jobs that run OS commands as part of scheduled database maintenance
CLR assemblies deployed by legitimate database applications for custom data processing
DBA-initiated configuration changes to SQL Server settings during maintenance windows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip",
  "hostname",
  QIDNAME(qid) AS event_name,
  "EventID",
  "ParentProcessName",
  "ProcessName",
  "CommandLine",
  CASE
    WHEN LOWER("ParentProcessName") LIKE '%sqlservr.exe%' OR LOWER("ParentProcessName") LIKE '%sqlagent.exe%'
      AND (LOWER("ProcessName") LIKE '%cmd.exe%' OR LOWER("ProcessName") LIKE '%powershell.exe%'
           OR LOWER("ProcessName") LIKE '%wscript.exe%' OR LOWER("ProcessName") LIKE '%cscript.exe%'
           OR LOWER("ProcessName") LIKE '%mshta.exe%' OR LOWER("ProcessName") LIKE '%certutil.exe%'
           OR LOWER("ProcessName") LIKE '%bitsadmin.exe%' OR LOWER("ProcessName") LIKE '%rundll32.exe%'
           OR LOWER("ProcessName") LIKE '%whoami.exe%')
      THEN 'SQL_Server_OS_Command_Execution'
    WHEN LOWER("ProcessName") LIKE '%sqlservr.exe%'
      AND (LOWER("CommandLine") LIKE '%xp_cmdshell%' OR LOWER("CommandLine") LIKE '%sp_addstartup%'
           OR LOWER("CommandLine") LIKE '%clr enabled%' OR LOWER("CommandLine") LIKE '%startup procedure%')
      THEN 'SQL_Server_Config_Abuse'
    ELSE 'SQL_Server_Suspicious_File_Write'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 15)
  AND "EventID" IN ('1', '4688', '11', '13')
  AND (
    (LOWER("ParentProcessName") LIKE '%sqlservr%' OR LOWER("ParentProcessName") LIKE '%sqlagent%')
    OR (LOWER("ProcessName") LIKE '%sqlservr%'
        AND (LOWER("CommandLine") LIKE '%xp_cmdshell%'
             OR LOWER("CommandLine") LIKE '%sp_addstartup%'
             OR LOWER("CommandLine") LIKE '%clr enabled%'))
  )
  AND starttime > NOW() - 1 DAYS
ORDER BY starttime DESC
LAST 1000

high severity medium confidence

Data Sources

Microsoft Windows Sysmon via WinCollect Windows Security Event Log via WinCollect QRadar DSM for Microsoft Windows

Required Tables

events

False Positives

DBA-initiated SQL Agent jobs with OS command steps for legitimate backup automation using xp_cmdshell
SQL Server integration services (SSIS) packages that invoke PowerShell or cmd for ETL pipeline processing
Third-party SQL monitoring tools (SolarWinds DPA, SentryOne) that attach to sqlservr.exe and execute diagnostic child processes

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| parse "<EventID>*</EventID>" as event_id
| parse "<Image>*</Image>" as process_image nodrop
| parse "<ParentImage>*</ParentImage>" as parent_image nodrop
| parse "<CommandLine>*</CommandLine>" as command_line nodrop
| parse "<TargetFilename>*</TargetFilename>" as target_filename nodrop
| parse "<TargetObject>*</TargetObject>" as registry_key nodrop
| parse "<Details>*</Details>" as registry_value nodrop
| parse "<User>*</User>" as user nodrop
| parse "<ComputerName>*</ComputerName>" as host nodrop
| where event_id in ("1", "11", "13")
| eval is_sql_parent = if(matches(toLowerCase(parent_image), ".*sql(servr|agent)\.exe.*"), 1, 0)
| eval is_sql_process = if(matches(toLowerCase(process_image), ".*sql(servr|agent)\.exe.*"), 1, 0)
| eval is_shell_child = if(matches(toLowerCase(process_image),
    ".*(cmd|powershell|wscript|cscript|mshta|certutil|bitsadmin|rundll32|net|whoami|ipconfig)\.exe.*"), 1, 0)
| eval is_sql_cmdline = if(matches(toLowerCase(command_line),
    ".*(xp_cmdshell|sp_addstartup|clr enabled|exec master|startup procedure|create procedure|alter procedure).*"), 1, 0)
| eval is_nondefault_path = if(!matches(target_filename, ".*(Microsoft SQL Server|MSSQL).*"), 1, 0)
| eval is_sql_registry = if(matches(toLowerCase(registry_key), ".*(sql server|mssqlserver|sqlserver).*")
    and matches(toLowerCase(registry_value), ".*(xp_cmdshell|clr enabled|startup|clr).*"), 1, 0)
| eval detection_type = if(event_id == "1" and is_sql_parent == 1 and is_shell_child == 1, "SQL_Server_OS_Command_Execution",
    if(event_id == "1" and is_sql_process == 1 and is_sql_cmdline == 1, "SQL_Admin_Command_Abuse",
    if(event_id == "11" and is_sql_process == 1 and is_nondefault_path == 1, "SQL_Server_File_Write",
    if(event_id == "13" and is_sql_registry == 1, "SQL_Server_Config_Change", null))))
| where !isNull(detection_type)
| table _messageTime, host, user, detection_type, process_image, command_line, parent_image, target_filename, registry_key, registry_value
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon via Sumo Logic Windows Agent Windows Security Event Log Sumo Logic Cloud SIEM Enterprise

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

SQL Server Reporting Services (SSRS) or Analysis Services processes spawning child processes for legitimate report rendering or data processing
Database administrators running DBCC commands or executing maintenance stored procedures that invoke system-level diagnostics
SQL Server CLR integration used legitimately by developers for custom aggregate functions or geospatial data processing via registered assemblies

Google Chronicle / SecOps

yaral

rule sql_stored_procedure_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects SQL Server stored procedure abuse for persistence: xp_cmdshell OS command execution, CLR assembly file drops, and startup procedure/config registry changes (T1505.001)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1505.001"
    reference = "https://attack.mitre.org/techniques/T1505/001/"
    false_positives = "SQL Agent maintenance jobs, DBA scripts, SSRS rendering processes"

  events:
    // Pattern 1: Shell process spawned by SQL Server (xp_cmdshell)
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      $e1.principal.process.file.full_path = /(?i)(sqlservr|sqlagent)\.exe$/
      $e1.target.process.file.full_path = /(?i)(cmd|powershell|wscript|cscript|mshta|certutil|bitsadmin|rundll32|net|net1|whoami|ipconfig)\.exe$/
    )
    OR
    // Pattern 2: SQL Server writing files outside default directories (CLR assembly drop)
    (
      $e1.metadata.event_type = "FILE_CREATION"
      $e1.principal.process.file.full_path = /(?i)(sqlservr|sqlagent)\.exe$/
      not $e1.target.file.full_path = /(?i)(Microsoft SQL Server|MSSQL)\/
    )
    OR
    // Pattern 3: Registry changes enabling xp_cmdshell, CLR, or startup procedures
    (
      $e1.metadata.event_type = "REGISTRY_MODIFICATION"
      $e1.target.registry.registry_key = /(?i)(SQL Server|MSSQLSERVER|SQLServer)/
      $e1.target.registry.registry_value_name = /(?i)(xp_cmdshell|clr enabled|startup|CLR)/
    )

  condition:
    $e1
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Event Forwarding via Chronicle Ingestion CrowdStrike Falcon via Chronicle Integration Microsoft Defender for Endpoint via Chronicle Integration

Required Tables

UDM events: PROCESS_LAUNCH, FILE_CREATION, REGISTRY_MODIFICATION

False Positives

Legitimate SQL Server Agent job steps configured by DBAs to execute PowerShell scripts for automated backup verification or index maintenance
SQL Server Integration Services (SSIS) packages writing staging files to non-default paths during ETL processing initiated from sqlservr.exe
Software deployment tools (SCCM, Ansible) modifying SQL Server registry keys during planned configuration management or patching windows

CrowdStrike LogScale (CQL)

cql

// T1505.001 — SQL Server Stored Procedure Persistence
// Pattern 1: Shell processes spawned by SQL Server (xp_cmdshell)
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^(sqlservr|sqlagent)\.exe$/
| FileName = /(?i)^(cmd|powershell|wscript|cscript|mshta|certutil|bitsadmin|rundll32|net|net1|whoami|ipconfig)\.exe$/
| DetectionType := "SQL_Server_OS_Command_Execution"
| table([_time, ComputerName, UserName, DetectionType, FileName, CommandLine, ParentBaseFileName, ParentCommandLine])

// Pattern 2: Files written by SQL Server outside default directories (CLR assembly drop)
// Run separately or union with Pattern 1
// #event_simpleName=PeFileWritten OR #event_simpleName=SuspiciousFileWrite
// | ImageFileName = /(?i)(sqlservr|sqlagent)\.exe/
// | not TargetFileName = /(?i)(Microsoft SQL Server|MSSQL)/
// | DetectionType := "SQL_Server_File_Write"
// | table([_time, ComputerName, UserName, DetectionType, TargetFileName, ImageFileName])

// Pattern 3: Registry modifications for SQL Server xp_cmdshell or CLR config
// #event_simpleName=RegValueUpdate
// | TargetObject = /(?i)(SQL Server|MSSQLSERVER|SQLServer)/
// | TargetValueName = /(?i)(xp_cmdshell|clr enabled|startup|CLR)/
// | DetectionType := "SQL_Server_Config_Change"
// | table([_time, ComputerName, UserName, DetectionType, TargetObject, TargetValueName, TargetValueData, ImageFileName])

| groupBy([ComputerName, UserName, DetectionType], function=[count(as=event_count), collect([FileName, CommandLine, ParentBaseFileName])])
| sort(event_count, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon Event Stream — ProcessRollup2 Falcon Event Stream — PeFileWritten Falcon Event Stream — RegValueUpdate

Required Tables

ProcessRollup2 PeFileWritten SuspiciousFileWrite RegValueUpdate

False Positives

SQL Server Agent scheduled jobs legitimately configured with CmdExec job steps that invoke cmd.exe or PowerShell for maintenance automation
Third-party database monitoring solutions (Redgate, Idera, SolarWinds) that hook into sqlservr.exe and spawn child diagnostic processes
SQL Server Full-Text Search or Reporting Services processes spawning filter daemon (msftefd.exe) or rendering worker processes that match shell process patterns

Last updated: 2026-04-19 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1505.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1505Server Software Component

Related Sub-techniques

T1505.002Transport Agent T1505.003Web Shell T1505.004IIS Components T1505.005Terminal Services DLL T1505.006vSphere Installation Bundles

SQL Stored Procedures

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections