title: SQL Stored Procedures (T1505.001)
id: df00tech-t1505-001
status: experimental
description: "Adversaries abuse SQL stored procedures to establish persistent access to database servers. In MSSQL, marking a procedure as a startup procedure (sp_procoption with the 'startup' option set to 'on') causes it to execute automatically every time the SQL Server service starts. Enabling xp_cmdshell through sp_configure allows execution of operating system commands, which run as the SQL Server service account for sysadmin callers. With CLR integration enabled, assemblies compiled from .NET code can be registered with CREATE ASSEMBLY and bound to stored procedures for arbitrary code execution. Stuxnet used xp_cmdshell to store and execute SQL code; Kaspersky documented attackers using startup procedures for persistent backdoor access."
references:
  - https://attack.mitre.org/techniques/T1505/001/
  - https://df00tech.com/detections/T1505.001
author: df00tech
date: 2026/04/19
tags:
  - attack.t1505.001
# NOTE: logsource is auto-derived and may need adjustment for your environment. The
# statements this rule describes (sp_configure, sp_procoption, CREATE ASSEMBLY) are
# visible in SQL Server Audit / Extended Events, and sp_configure changes also surface
# in the Windows Application log as MSSQLSERVER event 15457. process_creation only sees
# the downstream effect, e.g. cmd.exe spawned by sqlservr.exe when xp_cmdshell runs.
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder only: EventID '*' matches every process_creation event. Do not deploy as-is.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Database maintenance scripts using xp_cmdshell for legitimate file system operations (backup to network share, log archival)"
  - SQL Server Agent jobs that run OS commands as part of scheduled database maintenance
  - CLR assemblies deployed by legitimate database applications for custom data processing
  - DBA-initiated configuration changes to SQL Server settings during maintenance windows
level: high
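Because the detection block above is only a placeholder, the following added example (not df00tech's rule logic and not code from any project the rule references) shows the indicators this rule is meant to catch, run as a small Python classifier over constructed telemetry. Assumptions: statement text comes from a SQL Server Audit or Extended Events capture of the `statement` field, sp_configure changes appear in the Windows Application log as MSSQLSERVER event 15457, and the DBA allowlist is a hypothetical tuning knob for the false positives listed above.

```python
"""Toy T1505.001 detector over constructed SQL Server telemetry (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# T-SQL patterns for the three persistence paths named in the rule description.
# These are assumptions for this example, not df00tech's rule logic; tune them.
STATEMENT_INDICATORS = {
    "xp_cmdshell.enable":  re.compile(r"sp_configure\s+N?'xp_cmdshell'\s*,\s*'?1\b", re.I),
    "xp_cmdshell.exec":    re.compile(r"\bxp_cmdshell\s+(?:N?'|@)", re.I),
    "startup_proc.set":    re.compile(r"sp_procoption\b[^;]*?'startup'[^;]*?'(?:on|true)'", re.I | re.S),
    "clr.enable":          re.compile(r"sp_configure\s+N?'clr enabled'\s*,\s*'?1\b", re.I),
    "clr.strict_off":      re.compile(r"sp_configure\s+N?'clr strict security'\s*,\s*'?0\b", re.I),
    "clr.unsafe_assembly": re.compile(r"CREATE\s+ASSEMBLY\b[^;]*?PERMISSION_SET\s*=\s*UNSAFE", re.I | re.S),
}

# MSSQLSERVER event 15457 in the Windows Application log reports sp_configure changes.
EVENT_15457 = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")
WATCHED_OPTIONS = {"xp_cmdshell": "1", "clr enabled": "1", "clr strict security": "0"}


@dataclass
class Alert:
    indicator: str
    login: str
    severity: str
    evidence: str


def classify_statement(sql: str) -> list[str]:
    """Indicator names that fire on one captured T-SQL statement."""
    return [name for name, rx in STATEMENT_INDICATORS.items() if rx.search(sql)]


def classify_event_15457(message: str) -> list[str]:
    """Indicator for a 15457 message when a watched option reaches its risky value."""
    m = EVENT_15457.search(message)
    if not m:
        return []
    option, new_value = m.group(1).lower(), m.group(3)
    if WATCHED_OPTIONS.get(option) != new_value:
        return []
    return ["config." + option.replace(" ", "_")]


def detect(events: list[dict], dba_allowlist: frozenset[str] = frozenset()) -> list[Alert]:
    """Run both classifiers over a mixed event list and rank the hits."""
    alerts: list[Alert] = []
    for ev in events:
        if ev["source"] == "sql_audit":
            names = classify_statement(ev["text"])
        else:
            names = classify_event_15457(ev["text"])
        for name in names:
            # Enabling a feature or registering a startup proc / UNSAFE assembly is the
            # persistence step and stays high. Merely invoking xp_cmdshell is what the
            # rule's maintenance-script false positives look like, so it starts at
            # medium and drops to low for logins on the (hypothetical) DBA allowlist.
            severity = "medium" if name == "xp_cmdshell.exec" else "high"
            if severity == "medium" and ev["login"].lower() in dba_allowlist:
                severity = "low"
            alerts.append(Alert(name, ev["login"], severity, ev["text"].strip()[:80]))
    return alerts


# Constructed sample telemetry: an attacker chain under svc_app, one benign DBA
# backup copy (the rule's first false positive), and one unrelated query.
SAMPLE_EVENTS = [
    {"source": "sql_audit", "login": "CORP\\svc_app",
     "text": "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;"},
    {"source": "sql_audit", "login": "CORP\\svc_app",
     "text": "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"},
    {"source": "winevt", "login": "CORP\\svc_app",
     "text": "Configuration option 'xp_cmdshell' changed from 0 to 1. "
             "Run the RECONFIGURE statement to install."},
    {"source": "sql_audit", "login": "CORP\\svc_app",
     "text": "EXEC master..xp_cmdshell 'whoami /all'"},
    {"source": "sql_audit", "login": "CORP\\svc_app",
     "text": "EXEC sp_procoption @ProcName = 'dbo.usp_init', "
             "@OptionName = 'startup', @OptionValue = 'on';"},
    {"source": "sql_audit", "login": "CORP\\svc_app",  # 0x4D5A is a placeholder, not a real assembly
     "text": "CREATE ASSEMBLY loader FROM 0x4D5A WITH PERMISSION_SET = UNSAFE;"},
    {"source": "sql_audit", "login": "CORP\\dba_jsmith",
     "text": "EXEC xp_cmdshell 'copy D:\\bak\\prod.bak \\\\nas\\sqlbackups\\'"},
    {"source": "sql_audit", "login": "CORP\\app_reader",
     "text": "SELECT name FROM sys.procedures;"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, dba_allowlist=frozenset({"corp\\dba_jsmith"})):
        print(f"[{a.severity:>6}] {a.indicator:<20} {a.login:<18} {a.evidence}")
```

Note that `sp_configure 'show advanced options', 1` is deliberately not an indicator on its own: it is a prerequisite for enabling xp_cmdshell and CLR but is also part of routine DBA work. On a suspect server the same state can be confirmed directly from the catalog: `sys.configurations` for xp_cmdshell and clr enabled, `OBJECTPROPERTY(object_id, 'ExecIsStartup')` over `sys.procedures` for startup procedures, and `permission_set_desc` in `sys.assemblies` for UNSAFE CLR assemblies.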
