Detect SQL Stored Procedures in Splunk
Adversaries abuse SQL stored procedures to establish persistent access to database servers. In MSSQL, marking a procedure as a startup procedure (the sp_addstartup mechanism) causes it to execute automatically whenever SQL Server starts. Enabling xp_cmdshell allows execution of operating system commands from within the database engine. CLR assemblies compiled from .NET code can be registered and linked to stored procedures for arbitrary code execution. Stuxnet used xp_cmdshell for this purpose; Kaspersky documented attackers using startup procedures for persistent backdoor access.
MITRE ATT&CK
- Tactic
- Persistence
- Technique
- T1505 Server Software Component
- Sub-technique
- T1505.001 SQL Stored Procedures
- Canonical reference
- https://attack.mitre.org/techniques/T1505/001/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval detection_type=case(
    match(ParentImage, "(?i)(sqlservr|sqlagent)\.exe") AND
    match(Image, "(?i)(cmd|powershell|wscript|cscript|mshta|certutil|bitsadmin|rundll32|net|whoami|ipconfig)\.exe"),
    "SQL_Server_OS_Command_Execution",
    match(CommandLine, "(?i)(xp_cmdshell|sp_addstartup|clr enabled|EXEC master|startup|CREATE PROCEDURE|ALTER PROCEDURE)"),
    "SQL_Admin_Command",
    true(), null()
)
| where isnotnull(detection_type)
| table _time, host, User, detection_type, Image, CommandLine, ParentImage, ParentCommandLine
| sort - _time

Detects SQL Stored Procedure persistence indicators via Sysmon EventCode 1. The primary signal is a SQL Server process (sqlservr.exe, sqlagent.exe) spawning an OS shell or utility, which is the direct result of xp_cmdshell execution. The secondary signal is any process, whatever its image (for example sqlcmd.exe), whose command line carries SQL administrative keywords such as xp_cmdshell, sp_addstartup, clr enabled, or procedure creation and alteration. SQL Server spawning cmd.exe or PowerShell is rare in well-managed environments and highly suspicious.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate SQL Agent jobs executing OS commands for maintenance tasks
- DBA scripts using xp_cmdshell for authorized administrative operations
- SQL Server backup jobs spawning backup utility processes
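The following Python is an added example, not code from the original page or from Splunk; it re-implements the case() logic of the SPL query above over a handful of constructed Sysmon EventCode 1 records and layers the tuning described in the false-positive list on top as a user-plus-command-line allowlist. The host names, user names, paths and the nightly_backup.bat job are all constructed placeholders. Splunk's match() is an unanchored regex search, so re.search is used for each branch.

```python
import re

# Regexes mirroring the SPL match() calls (Splunk match() is an unanchored search).
SQL_SERVER_PROCESS = re.compile(r"(?i)(sqlservr|sqlagent)\.exe")
OS_TOOL = re.compile(
    r"(?i)(cmd|powershell|wscript|cscript|mshta|certutil|bitsadmin|rundll32|net|whoami|ipconfig)\.exe"
)
SQL_ADMIN_CMD = re.compile(
    r"(?i)(xp_cmdshell|sp_addstartup|clr enabled|EXEC master|startup|CREATE PROCEDURE|ALTER PROCEDURE)"
)

# Constructed Sysmon EventCode 1 records; field names mirror the Splunk fields in the query.
SAMPLE_EVENTS = [
    {"_time": "2024-01-01T10:00:00", "host": "sql01", "User": "NT SERVICE\\MSSQLSERVER",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe",
     "ParentCommandLine": "sqlservr.exe -sMSSQLSERVER"},
    {"_time": "2024-01-01T10:05:00", "host": "sql01", "User": "CONTOSO\\jdoe",
     "Image": "C:\\Program Files\\Microsoft SQL Server\\Tools\\Binn\\SQLCMD.EXE",
     "CommandLine": "SQLCMD.EXE -S localhost -Q \"EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE\"",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "cmd.exe"},
    {"_time": "2024-01-01T10:10:00", "host": "sql01", "User": "CONTOSO\\svc_sqlagent",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c C:\\Scripts\\nightly_backup.bat",
     "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlagent.exe",
     "ParentCommandLine": "sqlagent.exe -i MSSQLSERVER"},
    {"_time": "2024-01-01T10:15:00", "host": "ws07", "User": "CONTOSO\\jdoe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"_time": "2024-01-01T10:20:00", "host": "sql01", "User": "CONTOSO\\jdoe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c C:\\Scripts\\nightly_backup.bat",
     "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlagent.exe",
     "ParentCommandLine": "sqlagent.exe -i MSSQLSERVER"},
]

# Tuning allowlist (constructed): known-good (User, CommandLine regex) pairs, e.g. the
# service account that runs a scheduled SQL Agent maintenance job. Keying on the user as
# well as the command line keeps an interactive user running the same script visible.
ALLOWLIST = [
    ("CONTOSO\\svc_sqlagent", re.compile(r"(?i)\\Scripts\\nightly_backup\.bat")),
]


def detection_type(event):
    """Equivalent of the eval/case() in the SPL: returns a label or None."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmdline = event.get("CommandLine", "")
    if SQL_SERVER_PROCESS.search(parent) and OS_TOOL.search(image):
        return "SQL_Server_OS_Command_Execution"
    if SQL_ADMIN_CMD.search(cmdline):
        return "SQL_Admin_Command"
    return None


def is_allowlisted(event):
    """True when the event matches a tuned-out (User, CommandLine) pair."""
    for user, pattern in ALLOWLIST:
        if event.get("User") == user and pattern.search(event.get("CommandLine", "")):
            return True
    return False


def run_detection(events):
    """Apply the detection, drop allowlisted hits and sort newest first (| sort - _time)."""
    hits = []
    for ev in events:
        label = detection_type(ev)
        if label is None or is_allowlisted(ev):
            continue
        hits.append({**ev, "detection_type": label})
    return sorted(hits, key=lambda e: e["_time"], reverse=True)


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["_time"], hit["host"], hit["User"], hit["detection_type"], hit["CommandLine"])
```

Running the script reports three hits: the sqlservr.exe-to-whoami chain, the sqlcmd.exe invocation that enables xp_cmdshell, and the backup script launched under an interactive user; the same script launched by the agent service account is suppressed by the allowlist. When tuning the real query, note that the bare `startup` keyword in the secondary branch matches any command line containing that word, so it tends to be the noisiest term and is the first candidate for narrowing.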
Other platforms for T1505.001
Testing Methodology
Validate this detection against the three Atomic Red Team tests for this sub-technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Enable and Execute xp_cmdshell (MSSQL)
Expected signal: Sysmon EventCode 1: sqlservr.exe spawning cmd.exe with /c whoami. Security Event 4688 from the SQL Server service account context. Windows Application event log: SQL Server configuration change event.
- Test 2: Create SQL Server Startup Stored Procedure
Expected signal: Sysmon EventCode 1 (sqlcmd.exe execution). SQL Server error log entry for stored procedure creation. On next SQL Server restart, the startup procedure executes (logged in SQL Server error log).
- Test 3: Query for Existing Startup Procedures and xp_cmdshell Status
Expected signal: Sysmon EventCode 1: sqlcmd.exe process creation. SQL Server error log: login event for executing user.
References (5)
- https://attack.mitre.org/techniques/T1505/001/
- https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
- https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/
- https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.001/T1505.001.md