Detection: Windows SQL Server Startup Procedure

Description

This detection identifies when a startup procedure is registered or executed in SQL Server. Startup procedures automatically execute when SQL Server starts, making them an attractive persistence mechanism for attackers. The detection monitors for suspicious stored procedure names and patterns that may indicate malicious activity, such as attempts to execute operating system commands or gain elevated privileges.

 1`wineventlog_application` EventCode=17135 
 2| rex field=EventData_Xml "<Data>(?<startup_procedure>[^<]+)</Data>" 
 3| rename host as dest 
 4| eval risk_score=case( match(lower(startup_procedure), "xp_
 5|sp_
 6|cmdshell
 7|shell
 8|exec"), 90, true(), 70 ) 
 9| eval risk_message="SQL Server startup procedure '".startup_procedure."' was launched on host ".dest 
10| stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode startup_procedure risk_message risk_score 
11| `security_content_ctime(firstTime)` 
12| `security_content_ctime(lastTime)` 
13| `windows_sql_server_startup_procedure_filter`

Data Source

Name Platform Sourcetype Source
Windows Event Log Application 17135 Windows icon Windows 'XmlWinEventLog' 'XmlWinEventLog:Application'

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
windows_sql_server_startup_procedure_filter search *
windows_sql_server_startup_procedure_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1505.001 SQL Stored Procedures Persistence
Installation
DE.AE
CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Risk Event True
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

To successfully implement this detection, you need to be ingesting Windows Application Event Logs from SQL Server instances. The detection specifically looks for EventID 17135 which indicates startup procedure execution. Ensure proper logging is enabled for SQL Server startup events and that the logs are being forwarded to your SIEM.

Known False Positives

Legitimate startup procedures may be used by database administrators for maintenance, monitoring, or application functionality. Common legitimate uses include database maintenance and cleanup jobs, performance monitoring and statistics collection, application initialization procedures, and system health checks. To reduce false positives, organizations should document approved startup procedures, maintain an inventory of expected startup procedures, monitor for changes to startup procedure configurations, and create exceptions for known good procedures.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

A SQL Server startup procedure "$startup_procedure$" was executed on host $dest$, which could indicate an attempt to establish persistence

Risk Object Risk Object Type Risk Score Threat Objects
dest system 90 No Threat Objects
startup_procedure other 70 No Threat Objects

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset XmlWinEventLog:Application XmlWinEventLog
Integration ✅ Passing Dataset XmlWinEventLog:Application XmlWinEventLog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub | Version: 1