T1505.001 Microsoft Sentinel · KQL

Detect SQL Stored Procedures in Microsoft Sentinel

Adversaries abuse SQL stored procedures to establish persistent access to database servers. In MSSQL, marking a procedure as a startup procedure with sp_procoption causes it to execute automatically each time the SQL Server service starts. Enabling xp_cmdshell allows stored procedures to execute operating system commands. CLR assemblies compiled from .NET code can be registered in the database and bound to stored procedures for arbitrary code execution. Stuxnet used xp_cmdshell for this purpose; Kaspersky documented attackers using startup procedures for persistent backdoor access.

MITRE ATT&CK

Tactic
Persistence
Technique
T1505 Server Software Component
Sub-technique
T1505.001 SQL Stored Procedures
Canonical reference
https://attack.mitre.org/techniques/T1505/001/

KQL Detection Query

Microsoft Sentinel (KQL)
// T1505.001 — SQL Stored Procedure persistence detection
// Process, file and registry activity attributable to the SQL Server processes
// Part 1: OS commands spawned by SQL Server (xp_cmdshell, or a CLR assembly shelling out)
let SQLShellExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("sqlservr.exe", "sqlagent.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe",
                      "net.exe", "net1.exe", "whoami.exe", "ipconfig.exe")
| extend DetectionType = "SQL_Server_OS_Command"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: SQL Server writing files outside its own install/data directories (CLR assembly drop or payload)
// DeviceFileEvents has no AccountName column; the acting account is InitiatingProcessAccountName
let SQLFileWrite = DeviceFileEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("sqlservr.exe", "sqlagent.exe")
| where ActionType == "FileCreated"
| where FolderPath !contains "\\Microsoft SQL Server\\"
| where FolderPath !contains "\\MSSQL\\"
| extend DetectionType = "SQL_Server_File_Write", AccountName = InitiatingProcessAccountName
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, DetectionType;
// Part 3: registry changes under SQL Server keys whose value name mentions CLR/startup/xp_cmdshell
// Caveat: the sp_configure options ('xp_cmdshell', 'clr enabled') and the startup flag set by
// sp_procoption are stored in the master database, not the registry, so this part only sees
// registry-backed changes; pair it with SQL Server audit/error-log telemetry for the rest.
// DeviceRegistryEvents also has no AccountName column, so InitiatingProcessAccountName is used.
let SQLRegistryMod = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any ("SQL Server", "MSSQLSERVER", "SQLServer")
| where RegistryValueName has_any ("xp_cmdshell", "clr enabled", "startup", "CLR")
| extend DetectionType = "SQL_Server_Config_Change", AccountName = InitiatingProcessAccountName
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData,
          InitiatingProcessFileName, DetectionType;
union SQLShellExec, SQLFileWrite, SQLRegistryMod
| sort by Timestamp desc
Severity: High · Confidence: High

Three-part detection for SQL Stored Procedure persistence. Part 1 detects OS command execution from the SQL Server processes (sqlservr.exe, sqlagent.exe), indicating xp_cmdshell or a CLR assembly executing system commands. Part 2 catches SQL Server writing files outside its own install and data directories (payload or assembly drops). Part 3 watches SQL Server registry keys for values that mention xp_cmdshell, CLR or startup. Note that xp_cmdshell and clr enabled are sp_configure options stored in the master database, and the startup flag set with sp_procoption is also stored in the database, not the registry, so Part 3 only sees registry-visible changes; the sp_configure change itself is written to the SQL Server error log and the Windows Application log (source MSSQLSERVER) and should be collected separately, and the database-side state is best confirmed with a T-SQL query against sys.configurations and sys.procedures. Together these cover both the configuration and execution phases of SQL persistence.

Data Sources

Process: Process Creation · File: File Creation · Windows Registry: Registry Value Modification · Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents · DeviceFileEvents · DeviceRegistryEvents

False Positives & Tuning

  • Database maintenance scripts using xp_cmdshell for legitimate file system operations (backup to network share, log archival)
  • SQL Server Agent jobs that run OS commands as part of scheduled database maintenance
  • CLR assemblies deployed by legitimate database applications for custom data processing
  • DBA-initiated configuration changes to SQL Server settings during maintenance windows

Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Enable and Execute xp_cmdshell (MSSQL)

    Expected signal: Sysmon Event ID 1: sqlservr.exe spawning cmd.exe with /c whoami. Security Event 4688 in the SQL Server service account context. SQL Server error log and Windows Application log (source MSSQLSERVER): "Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install."

  2. Test 2: Create SQL Server Startup Stored Procedure

    Expected signal: Sysmon Event ID 1: sqlcmd.exe execution. The CREATE PROCEDURE and sp_procoption calls are not written to the SQL Server error log; capture them with SQL Server Audit or the default trace (Object:Created). On the next SQL Server restart the procedure runs, and the error log records that the startup procedure was launched.

  3. Test 3: Query for Existing Startup Procedures and xp_cmdshell Status

    Expected signal: Sysmon Event ID 1: sqlcmd.exe process creation. SQL Server error log: login event for the executing user, only if login auditing is configured to record successful logins (the default records failed logins only).
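The database-side check that Test 3 exercises, and that the registry part of the KQL query cannot see, can be done with the T-SQL below. It is an added example for this page, not part of the detection package or the Atomic Red Team test; it assumes a login with VIEW SERVER STATE (or sysadmin) on the instance, and the object names used are the documented catalog views (sys.configurations, sys.procedures, sys.assemblies, sys.assembly_modules, sys.sql_modules), not anything specific to this page.

```sql
-- Added example (not part of the original page): hunt for T1505.001 artifacts
-- inside the instance. Run as a login with VIEW SERVER STATE or sysadmin.

-- 1. Server options abused for persistence. value_in_use = 1 means currently active;
--    'scan for startup procs' must be 1 for startup procedures to run at all.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled', 'clr strict security',
               'scan for startup procs', 'Ole Automation Procedures');

-- 2. Procedures flagged to run at service start (sp_procoption 'startup').
--    Startup procedures must live in master, so only master is queried.
SELECT p.name, p.create_date, p.modify_date,
       OBJECT_DEFINITION(p.object_id) AS definition
FROM master.sys.procedures AS p
WHERE OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1;

-- 3. User-defined CLR assemblies in the current database and the permission set
--    that bounds what they can do (EXTERNAL_ACCESS/UNSAFE deserve review).
--    Repeat in every user database, e.g. via sp_MSforeachdb.
SELECT DB_NAME() AS database_name, a.name, a.permission_set_desc,
       a.create_date, a.modify_date
FROM sys.assemblies AS a
WHERE a.is_user_defined = 1;

-- 3b. The procedures/functions bound to those assemblies.
SELECT OBJECT_SCHEMA_NAME(m.object_id) + '.' + OBJECT_NAME(m.object_id) AS clr_object,
       a.name AS assembly_name, m.assembly_class, m.assembly_method
FROM sys.assembly_modules AS m
JOIN sys.assemblies AS a ON a.assembly_id = m.assembly_id
WHERE a.is_user_defined = 1;

-- 4. T-SQL modules in the current database whose body calls xp_cmdshell
--    (wrapper procedures are a common way to hide the call from casual review).
SELECT OBJECT_SCHEMA_NAME(object_id) + '.' + OBJECT_NAME(object_id) AS module_name
FROM sys.sql_modules
WHERE definition LIKE '%xp_cmdshell%';
```

Queries 1 and 2 are instance-wide and need to run only once; queries 3, 3b and 4 are scoped to the current database and need to be repeated per database. A non-empty result from query 2 on an instance that has no documented startup procedure, or any EXTERNAL_ACCESS/UNSAFE assembly in query 3 that the application owner cannot account for, is the finding that the KQL query's registry part would otherwise miss.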
