T1505.001 Google Chronicle · YARA-L

Detect SQL Stored Procedures in Google Chronicle

Adversaries abuse SQL stored procedures to establish persistent access to database servers. In MSSQL, marking a procedure as a startup procedure (sp_addstartup) causes it to execute automatically each time SQL Server starts. Enabling xp_cmdshell allows execution of operating system commands from within the database engine. CLR assemblies compiled from .NET code can be registered and linked to stored procedures for arbitrary code execution. Stuxnet used xp_cmdshell for this purpose; Kaspersky documented attackers using startup procedures for persistent backdoor access.

MITRE ATT&CK

Tactic
Persistence
Technique
T1505 Server Software Component
Sub-technique
T1505.001 SQL Stored Procedures
Canonical reference
https://attack.mitre.org/techniques/T1505/001/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule sql_stored_procedure_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects SQL Server stored procedure abuse for persistence: xp_cmdshell OS command execution, CLR assembly file drops, and startup procedure/config registry changes (T1505.001)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1505.001"
    reference = "https://attack.mitre.org/techniques/T1505/001/"
    false_positives = "SQL Agent maintenance jobs, DBA scripts, SSRS rendering processes"

  events:
    // Pattern 1: Shell process spawned by SQL Server (xp_cmdshell)
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      $e1.principal.process.file.full_path = /(?i)(sqlservr|sqlagent)\.exe$/
      $e1.target.process.file.full_path = /(?i)(cmd|powershell|wscript|cscript|mshta|certutil|bitsadmin|rundll32|net|net1|whoami|ipconfig)\.exe$/
    )
    OR
    // Pattern 2: SQL Server writing files outside default directories (CLR assembly drop)
    (
      $e1.metadata.event_type = "FILE_CREATION"
      $e1.principal.process.file.full_path = /(?i)(sqlservr|sqlagent)\.exe$/
      // Exclusion accepts both path separators; the original regex was missing its closing delimiter
      not $e1.target.file.full_path = /(?i)(Microsoft SQL Server|MSSQL)[\\\/]/
    )
    OR
    // Pattern 3: Registry changes enabling xp_cmdshell, CLR, or startup procedures
    (
      $e1.metadata.event_type = "REGISTRY_MODIFICATION"
      $e1.target.registry.registry_key = /(?i)(SQL Server|MSSQLSERVER|SQLServer)/
      $e1.target.registry.registry_value_name = /(?i)(xp_cmdshell|clr enabled|startup|CLR)/
    )

  condition:
    $e1
}

Chronicle YARA-L 2.0 rule detecting T1505.001 SQL stored procedure persistence across three UDM event types: PROCESS_LAUNCH events where SQL Server spawns shell interpreters (xp_cmdshell indicator), FILE_CREATION events from SQL Server processes writing outside standard SQL directories (CLR assembly staging), and REGISTRY_MODIFICATION events targeting SQL Server configuration keys that enable xp_cmdshell or CLR assembly execution.

Data Sources

  • Google Chronicle UDM
  • Windows Event Forwarding via Chronicle Ingestion
  • CrowdStrike Falcon via Chronicle Integration
  • Microsoft Defender for Endpoint via Chronicle Integration

Required Tables

UDM events: PROCESS_LAUNCH, FILE_CREATION, REGISTRY_MODIFICATION

False Positives & Tuning

  • Legitimate SQL Server Agent job steps configured by DBAs to execute PowerShell scripts for automated backup verification or index maintenance
  • SQL Server Integration Services (SSIS) packages writing staging files to non-default paths during ETL processing initiated from sqlservr.exe
  • Software deployment tools (SCCM, Ansible) modifying SQL Server registry keys during planned configuration management or patching windows

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Enable and Execute xp_cmdshell (MSSQL)

    Expected signal: Sysmon EventCode 1: sqlservr.exe spawning cmd.exe with /c whoami. Security Event 4688 from the SQL Server service account context. Windows Application event log: SQL Server configuration change event.

  2. Test 2: Create SQL Server Startup Stored Procedure

    Expected signal: Sysmon EventCode 1 (sqlcmd.exe execution). SQL Server error log entry for stored procedure creation. On next SQL Server restart, the startup procedure executes (logged in SQL Server error log).

  3. Test 3: Query for Existing Startup Procedures and xp_cmdshell Status

    Expected signal: Sysmon EventCode 1: sqlcmd.exe process creation. SQL Server error log: login event for executing user.
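As an added example that is not part of the original page or the Argus rule, the following Python mirrors the rule's three patterns and runs them over constructed Sysmon-style records of the kind the tests above describe, so the reader can see which records each pattern keeps and which it drops. The Sysmon-to-UDM mapping (EventID 1, 11 and 13 to PROCESS_LAUNCH, FILE_CREATION and REGISTRY_MODIFICATION), the record field names, and every path and registry value are assumptions for illustration, not Chronicle parser output.

```python
import re
from typing import Dict, List, Optional

# Regexes mirror the three patterns of the YARA-L rule; the directory exclusion
# accepts both '\' and '/' because Windows paths in telemetry are backslash-separated.
SQL_PARENT = re.compile(r"(?i)(sqlservr|sqlagent)\.exe$")
SHELL_CHILD = re.compile(
    r"(?i)(cmd|powershell|wscript|cscript|mshta|certutil|bitsadmin|rundll32|net|net1|whoami|ipconfig)\.exe$"
)
SQL_DIRS = re.compile(r"(?i)(Microsoft SQL Server|MSSQL)[\\/]")
SQL_REG_KEY = re.compile(r"(?i)(SQL Server|MSSQLSERVER|SQLServer)")
SQL_REG_VALUE = re.compile(r"(?i)(xp_cmdshell|clr enabled|startup|CLR)")


def sysmon_to_udm(record: Dict[str, str]) -> Dict[str, str]:
    """Map a Sysmon-style record onto the flattened UDM field names the rule reads.
    Assumed mapping (illustrative, not Chronicle's parser): EventID 1 -> PROCESS_LAUNCH,
    11 -> FILE_CREATION, 13 -> REGISTRY_MODIFICATION."""
    eid = record["EventID"]
    if eid == "1":
        return {
            "metadata.event_type": "PROCESS_LAUNCH",
            "principal.process.file.full_path": record["ParentImage"],
            "target.process.file.full_path": record["Image"],
        }
    if eid == "11":
        return {
            "metadata.event_type": "FILE_CREATION",
            "principal.process.file.full_path": record["Image"],
            "target.file.full_path": record["TargetFilename"],
        }
    if eid == "13":
        # Sysmon puts the value name at the end of TargetObject; split it off as UDM does
        key, _, value_name = record["TargetObject"].rpartition("\\")
        return {
            "metadata.event_type": "REGISTRY_MODIFICATION",
            "principal.process.file.full_path": record["Image"],
            "target.registry.registry_key": key,
            "target.registry.registry_value_name": value_name,
        }
    return {"metadata.event_type": "UNKNOWN"}


def evaluate(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the rule pattern the UDM event satisfies, or None."""
    etype = event.get("metadata.event_type")
    parent = event.get("principal.process.file.full_path", "")
    if etype == "PROCESS_LAUNCH":
        # Pattern 1: SQL Server (or Agent) spawning a shell or LOLBin, the xp_cmdshell signature
        if SQL_PARENT.search(parent) and SHELL_CHILD.search(event.get("target.process.file.full_path", "")):
            return "xp_cmdshell_process"
    elif etype == "FILE_CREATION":
        # Pattern 2: SQL Server writing outside its own install tree (CLR assembly staging)
        if SQL_PARENT.search(parent) and not SQL_DIRS.search(event.get("target.file.full_path", "")):
            return "clr_assembly_drop"
    elif etype == "REGISTRY_MODIFICATION":
        # Pattern 3: SQL Server configuration keys touching xp_cmdshell, CLR or startup values
        if SQL_REG_KEY.search(event.get("target.registry.registry_key", "")) and SQL_REG_VALUE.search(
            event.get("target.registry.registry_value_name", "")
        ):
            return "sql_config_registry"
    return None


# Constructed sample records (not real telemetry), one per expected outcome.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SAMPLE_RECORDS: List[Dict[str, str]] = [
    # Test 1 signal: sqlservr.exe spawning cmd.exe /c whoami
    {"EventID": "1", "ParentImage": SQLSERVR, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # CLR assembly staged outside the SQL Server tree
    {"EventID": "11", "Image": SQLSERVR, "TargetFilename": r"C:\Users\Public\loader.dll"},
    # Normal data-file write inside the install tree: excluded by Pattern 2
    {"EventID": "11", "Image": SQLSERVR,
     "TargetFilename": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\tempdb.mdf"},
    # Configuration value under a SQL Server key (key path and value name are constructed)
    {"EventID": "13", "Image": SQLSERVR,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQLServer\clr enabled"},
    # Benign: explorer.exe launching cmd.exe, no SQL Server parent
    {"EventID": "1", "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]


def run(records: List[Dict[str, str]]) -> List[Optional[str]]:
    """Evaluate every record and return the matched pattern name (or None) per record."""
    return [evaluate(sysmon_to_udm(r)) for r in records]


if __name__ == "__main__":
    for rec, hit in zip(SAMPLE_RECORDS, run(SAMPLE_RECORDS)):
        print(f"EventID {rec['EventID']:>2}: {hit or 'no match'}")
```

Running the script prints one verdict per record. The third record shows why the Pattern 2 exclusion matters: a routine data-file write under the install tree is dropped, while a DLL written to a public directory by the same process is kept. Two tuning points carry over to the real rule: the exclusion must match the path separator your parser actually emits (the mirror accepts both), and the Pattern 1 child-process alternation is not anchored on its left, so any image name that merely ends in one of the listed names (for example anything ending in net.exe) also matches and may need an explicit separator before the name.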
