| ID | Technique | Tactic |
|---|---|---|
| T1505.001 | SQL Stored Procedures | Persistence |
Detection: Windows SQL Server Startup Procedure
Description
This detection identifies when a startup procedure is registered or executed in SQL Server. Startup procedures automatically execute when SQL Server starts, making them an attractive persistence mechanism for attackers. The detection monitors for suspicious stored procedure names and patterns that may indicate malicious activity, such as attempts to execute operating system commands or gain elevated privileges.
Search
1`wineventlog_application` EventCode=17135
2| rex field=EventData_Xml "<Data>(?<startup_procedure>[^<]+)</Data>"
3| rename host as dest
4| eval risk_score=case( match(lower(startup_procedure), "xp_
5|sp_
6|cmdshell
7|shell
8|exec"), 90, true(), 70 )
9| eval risk_message="SQL Server startup procedure '".startup_procedure."' was launched on host ".dest
10| stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode startup_procedure risk_message risk_score
11| `security_content_ctime(firstTime)`
12| `security_content_ctime(lastTime)`
13| `windows_sql_server_startup_procedure_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log Application 17135 |  Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Application' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| windows_sql_server_startup_procedure_filter | search * |
windows_sql_server_startup_procedure_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Installation
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
To successfully implement this detection, you need to be ingesting Windows Application Event Logs from SQL Server instances. The detection specifically looks for EventID 17135 which indicates startup procedure execution. Ensure proper logging is enabled for SQL Server startup events and that the logs are being forwarded to your SIEM.
Known False Positives
Legitimate startup procedures may be used by database administrators for maintenance, monitoring, or application functionality. Common legitimate uses include database maintenance and cleanup jobs, performance monitoring and statistics collection, application initialization procedures, and system health checks. To reduce false positives, organizations should document approved startup procedures, maintain an inventory of expected startup procedures, monitor for changes to startup procedure configurations, and create exceptions for known good procedures.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
A SQL Server startup procedure "$startup_procedure$" was executed on host $dest$, which could indicate an attempt to establish persistence
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| startup_procedure | other | 70 | No Threat Objects |
| dest | system | 90 | No Threat Objects |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Application |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Application |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1