| ID | Technique | Tactic |
|---|---|---|
| T1059.003 | Windows Command Shell | Execution |
Detection: Windows SQLCMD Execution
Description
This detection identifies potentially suspicious usage of sqlcmd.exe, focusing on command patterns that may indicate data exfiltration, reconnaissance, or malicious database operations. The detection looks for both short-form (-X) and long-form (--flag) suspicious parameter combinations, which have been observed in APT campaigns targeting high-value organizations. For example, threat actors like CL-STA-0048 have been known to abuse sqlcmd.exe for data theft and exfiltration from compromised MSSQL servers. The detection monitors for suspicious authentication attempts, output redirection, and potentially malicious query patterns that could indicate unauthorized database access or data theft.
Search
1
2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_sqlcmd` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
3| `drop_dm_object_name(Processes)`
4| eval process_lower=lower(process)
5| eval is_help_check=case( match(process, "(?i)-[?]"), 1, match(process_lower, "(?i)--help"), 1, match(process_lower, "(?i)--version"), 1, true(), 0 ), has_parameters=if(match(process, "-[A-Za-z]"), 1, 0), has_query=case( match(process, "-[Qq]\\s+"), 1, match(process_lower, "--query\\s+"), 1, match(process_lower, "--initial-query\\s+"), 1, true(), 0 ), has_output=case( match(process, "-[oO]\\s+"), 1, match(process_lower, "--output-file\\s+"), 1, true(), 0 ), has_input=case( match(process, "-[iI]\\s+"), 1, match(process_lower, "--input-file\\s+"), 1, true(), 0 ), has_url_input=case( match(process, "-[iI]\\s+https?://"), 1, match(process_lower, "--input-file\\s+https?://"), 1, match(process, "-[iI]\\s+ftp://"), 1, match(process_lower, "--input-file\\s+ftp://"), 1, true(), 0 ), has_admin_conn=case( match(process, "-A"), 1, match(process_lower, "--dedicated-admin-connection"), 1, true(), 0 ), has_suspicious_auth=case( match(process, "-U\\s+sa\\b"), 1, match(process_lower, "--user-name\\s+sa\\b"), 1, match(process, "-U\\s+admin\\b"), 1, match(process_lower, "--user-name\\s+admin\\b"), 1, match(process, "-E\\b"), 1, match(process_lower, "--use-trusted-connection"), 1, true(), 0 ), has_local_server=case( match(process, "-S\\s+127\\.0\\.0\\.1"), 1, match(process_lower, "--server\\s+127\\.0\\.0\\.1"), 1, match(process, "-S\\s+localhost"), 1, match(process_lower, "--server\\s+localhost"), 1, true(), 0 ), has_suspicious_output=case( match(process_lower, "-o\\s+.*\\.(txt
6|csv
7|dat)"), 1, match(process_lower, "--output-file\\s+.*\\.(txt
8|csv
9|dat)"), 1, true(), 0 ), has_cert_bypass=case( match(process, "-C"), 1, match(process_lower, "--trust-server-certificate"), 1, true(), 0 ), has_suspicious_query=case( match(process_lower, "(xp_cmdshell
10|sp_oacreate
11|sp_execute_external
12|openrowset
13|bulk\\s+insert)"), 1, match(process_lower, "(master\\.\\.\\.sysdatabases
14|msdb\\.\\.\\.backuphistory
15|sysadmin
16|securityadmin)"), 1, match(process_lower, "(select.*from.*sys\\.
17|select.*password
18|dump\\s+database)"), 1, match(process_lower, "(sp_addextendedproc
19|sp_makewebtask
20|sp_addsrvrolemember)"), 1, match(process_lower, "(sp_configure.*show\\s+advanced
21|reconfigure
22|enable_xp_cmdshell)"), 1, match(process_lower, "(exec.*master\\.dbo\\.
23|exec.*msdb\\.dbo\\.)"), 1, match(process_lower, "(sp_password
24|sp_control_dbmasterkey_password
25|sp_dropextendedproc)"), 1, match(process_lower, "(powershell
26|cmd\\.exe
27|rundll32
28|regsvr32
29|certutil)"), 1, true(), 0 ), has_suspicious_path=case( match(process_lower, "(\\\\temp\\\\
30|\\\\windows\\\\
31|\\\\public\\\\
32|\\\\users\\\\public\\\\
33|\\\\programdata\\\\)"), 1, match(process_lower, "(\\\\desktop\\\\.*\\.(zip
34|rar
35|7z
36|tar
37|gz))"), 1, match(process_lower, "(\\\\downloads\\\\.*\\.(dat
38|bin
39|tmp))"), 1, match(process_lower, "(\\\\appdata\\\\local\\\\temp\\\\
40|\\\\windows\\\\tasks\\\\)"), 1, match(process_lower, "(\\\\recycler\\\\
41|\\\\system32\\\\
42|\\\\system volume information\\\\)"), 1, match(process_lower, "(\\.vbs
43|\\.ps1
44|\\.bat
45|\\.cmd
46|\\.exe)$"), 1, true(), 0 ), has_suspicious_combo=case( match(process, "-E") AND match(process_lower, "(?i)xp_cmdshell"), 1, match(process, "-Q") AND match(process_lower, "(?i)exec\\s+master"), 1, has_local_server=1 AND has_suspicious_query=1, 1, true(), 0 ), has_obfuscation=case( match(process_lower, "(char\\(
47|convert\\(
48|cast\\(
49|declare\\s+@)"), 1, match(process_lower, "(exec\\s+\\(
50|exec\\s+@
51|;\\s*exec)"), 1, match(process, "\\^
52|\\%
53|\\+\\+
54|\\-\\-"), 1, len(process) > 500, 1, true(), 0 ), has_data_exfil=case( match(process_lower, "(for\\s+xml
55|for\\s+json)"), 1, match(process_lower, "(bulk\\s+insert.*from)"), 1, match(process_lower, "(bcp.*queryout
56|bcp.*out)"), 1, match(process_lower, "(select.*into.*from
57|select.*into.*outfile)"), 1, true(), 0 )
58
59| eval risk_score=0
60| eval risk_score=case( is_help_check=1, 0, has_parameters=0, 0, has_suspicious_combo=1, risk_score + 90, has_suspicious_query=1, risk_score + 60, has_suspicious_path=1, risk_score + 40, has_url_input=1 AND has_output=1, risk_score + 80, has_query=1 AND has_output=1, risk_score + 30, has_query=1 AND has_suspicious_output=1, risk_score + 40, has_admin_conn=1, risk_score + 50, has_suspicious_auth=1, risk_score + 40, has_local_server=1 AND has_query=1, risk_score + 30, has_cert_bypass=1, risk_score + 20, has_obfuscation=1, risk_score + 70, has_data_exfil=1, risk_score + 60, true(), risk_score )
61
62| eval risk_factors=mvappend( if((is_help_check=0 AND has_parameters=0), null(), if(has_suspicious_combo=1, "High-risk command combination detected", null())), if((is_help_check=0 AND has_parameters=0), null(), if(has_suspicious_query=1, "Suspicious SQL query pattern", null())), if(has_suspicious_path=1, "Suspicious output path", null()), if(has_url_input=1 AND has_output=1, "File download attempt", null()), if(has_query=1 AND has_output=1, "Query output to file", null()), if(has_admin_conn=1, "Admin connection", null()), if(has_suspicious_auth=1, "Suspicious authentication", null()), if(has_local_server=1, "Local server connection", null()), if(has_cert_bypass=1, "Certificate validation bypass", null()), if(has_obfuscation=1, "Command obfuscation detected", null()), if(has_data_exfil=1, "Potential data exfiltration", null()) )
63| eval risk_message="SQLCMD execution with risk factors: ".mvjoin(risk_factors, ", ")
64
65| where is_help_check=0 AND (risk_score >= 30 OR (has_parameters=1 AND has_suspicious_query=1))
66| `security_content_ctime(firstTime)`
67| `security_content_ctime(lastTime)`
68| `windows_sqlcmd_execution_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | N/A | 'crowdstrike:events:sensor' |
'crowdstrike' |
| Sysmon EventID 1 |  Windows |
'xmlwineventlog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
| Windows Event Log Security 4688 | Windows |
'xmlwineventlog' |
'XmlWinEventLog:Security' |
Macros Used
| Name | Value |
|---|---|
| process_sqlcmd | (Processes.process_name=sqlcmd.exe OR Processes.original_file_name=sqlcmd.exe) |
| windows_sqlcmd_execution_filter | search * |
windows_sqlcmd_execution_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Installation
DE.AE
CIS 10
APT18
APT28
APT3
APT32
APT37
APT38
APT41
APT5
Agrius
Aquatic Panda
BRONZE BUTLER
Blue Mockingbird
Chimera
Cinnamon Tempest
Cobalt Group
Dark Caracal
Darkhotel
Dragonfly
FIN10
FIN13
FIN6
FIN7
FIN8
Fox Kitten
GALLIUM
Gamaredon Group
Gorgon Group
HAFNIUM
Higaisa
INC Ransom
Indrik Spider
Ke3chang
Kimsuky
Lazarus Group
LazyScripter
Machete
Magic Hound
Metador
MuddyWater
Mustang Panda
Nomadic Octopus
OilRig
Patchwork
Play
Rancor
RedCurl
Saint Bear
Silence
Sowbug
Suckfly
TA505
TA551
TA577
TeamTNT
Threat Group-1314
Threat Group-3390
ToddyCat
Tropic Trooper
Turla
Volt Typhoon
Winter Vivern
Wizard Spider
ZIRCONIUM
admin@338
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | False |
This configuration file applies to all detections of type hunting.
Implementation
The analytic will need to be tuned based on organization specific data. Currently, set to hunting to allow for tuning. SQLCmd is a legitimate tool for database management and scripting tasks within enterprise environments. The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
Known False Positives
Database administrators and developers commonly use sqlcmd.exe legitimately for database management and scripting tasks within enterprise environments. These legitimate activities often include database backups and restores, schema deployment scripts, automated database maintenance, and ETL processes. However, it's important to note that some organizations may have no sqlcmd.exe usage at all, making any detection highly suspicious. To effectively manage false positives, organizations should whitelist known administrator accounts, create exceptions for approved script paths and output locations, and add legitimate usage patterns to the filter macro as needed. Recommend running this detection first as a hunt to review usage patterns. Following, modify the risk score and false positive list as needed.
Associated Analytic Story
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1