| ID | Technique | Tactic |
|---|---|---|
| T1505.001 | SQL Stored Procedures | Persistence |
| T1059.009 | Cloud API | Execution |
Detection: Windows SQL Server Extended Procedure DLL Loading Hunt
Description
This analytic detects when SQL Server loads DLLs to execute extended stored procedures. This is particularly important for security monitoring as it indicates the first-time use or version changes of potentially dangerous procedures like xp_cmdshell, sp_OACreate, and others. While this is a legitimate operation, adversaries may abuse these procedures for execution, discovery, or privilege escalation.
Search
1`wineventlog_application` EventCode=8128
2| rex field=EventData_Xml "<Data>(?<dll_name>[^<]+)</Data><Data>(?<dll_version>[^<]+)</Data><Data>(?<procedure_name>[^<]+)</Data>"
3| rename host as dest
4| eval dll_category=case( dll_name=="xpstar.dll", "Extended Procedures", dll_name=="odsole70.dll", "OLE Automation", dll_name=="xplog70.dll", "Logging Procedures", true(), "Other")
5| stats count as execution_count, values(procedure_name) as procedures_used, latest(_time) as last_seen by dest dll_name dll_category dll_version
6| sort - execution_count
7| `windows_sql_server_extended_procedure_dll_loading_hunt_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log Application 8128 |  Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Application' |
Macros Used
| Name | Value |
|---|---|
| wineventlog_application | eventtype="wineventlog_application" OR Channel="application" OR source="XmlWinEventLog:Application" OR source="WinEventLog:Application" |
| windows_sql_server_extended_procedure_dll_loading_hunt_filter | search * |
windows_sql_server_extended_procedure_dll_loading_hunt_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | False |
This configuration file applies to all detections of type hunting.
Implementation
To successfully implement this detection, ensure Windows Event Log collection is enabled and collecting from the Application channel. SQL Server must be configured to log to the Windows Application log (enabled by default). The Splunk Windows TA is also required.
Known False Positives
Legitimate administrative activity and normal database operations may trigger this detection. Common false positives include initial database startup and configuration, patch deployment and version updates, regular administrative tasks using extended stored procedures, and application servers that legitimately use OLE automation.
Associated Analytic Story
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Application |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Application |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1