Detection: Windows Sqlservr Spawning Shell

Description

This analytic detects instances where the sqlservr.exe process spawns a command shell (cmd.exe) or PowerShell process. This behavior is often indicative of command execution initiated from within the SQL Server process, potentially due to exploitation of SQL injection vulnerabilities or the use of extended stored procedures like xp_cmdshell.

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="sqlservr.exe" `process_cmd` OR `process_powershell` by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_sqlservr_spawning_shell_filter`

Data Source

Name | Platform | Sourcetype | Source
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security

Macros Used

Name | Value
process_cmd | (Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)
windows_sqlservr_spawning_shell_filter | search *

windows_sqlservr_spawning_shell_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
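To show what the search above does to individual process-creation events, here is an added Python emulation (example code, not part of the Splunk detection or this page) run over constructed Sysmon Event ID 1 records already mapped to the Endpoint.Processes fields. The `process_powershell` definition and the `healthcheck_filter` example of tuning `windows_sqlservr_spawning_shell_filter` are assumptions, since the page gives neither.

```python
# Constructed Sysmon Event ID 1 records, already mapped to the
# Endpoint.Processes fields the SPL uses (sample data, not from the page).
EVENTS = [
    {"_time": 1700000000, "dest": "sql01", "user": "NT SERVICE\\MSSQLSERVER",
     "parent_process_name": "sqlservr.exe", "process_name": "cmd.exe",
     "original_file_name": "Cmd.Exe", "process": "cmd.exe /c whoami"},
    {"_time": 1700000060, "dest": "sql01", "user": "NT SERVICE\\MSSQLSERVER",
     "parent_process_name": "sqlservr.exe", "process_name": "cmd.exe",
     "original_file_name": "Cmd.Exe", "process": "cmd.exe /c whoami"},
    {"_time": 1700000120, "dest": "sql01", "user": "NT SERVICE\\MSSQLSERVER",
     "parent_process_name": "SQLSERVR.EXE", "process_name": "PowerShell.exe",
     "original_file_name": "PowerShell.EXE", "process": "PowerShell.exe -Command Get-Date"},
    {"_time": 1700000240, "dest": "app01", "user": "CORP\\svc_backup",
     "parent_process_name": "services.exe", "process_name": "cmd.exe",
     "original_file_name": "Cmd.Exe", "process": "cmd.exe /c backup.bat"},
    {"_time": 1700000300, "dest": "sql02", "user": "CORP\\svc_monitor",
     "parent_process_name": "sqlservr.exe", "process_name": "cmd.exe",
     "original_file_name": "Cmd.Exe", "process": "cmd.exe /c C:\\Monitoring\\healthcheck.bat"},
]

def process_cmd(ev):
    # The page's `process_cmd` macro. Splunk field=value matching in a search
    # is case-insensitive, hence lower() here and below.
    return "cmd.exe" in (ev["process_name"].lower(), ev["original_file_name"].lower())

def process_powershell(ev):
    # Assumed stand-in for `process_powershell`; the page does not list its definition.
    return ev["process_name"].lower() in {"powershell.exe", "pwsh.exe"}

def healthcheck_filter(ev):
    # What `windows_sqlservr_spawning_shell_filter` might exclude after a reviewed,
    # known-legitimate command line (constructed case; the default is `search *`).
    return "\\monitoring\\healthcheck.bat" not in ev["process"].lower()

def sqlservr_spawning_shell(events, filter_fn=lambda ev: True):
    """Emulate the tstats search: keep cmd/PowerShell children of sqlservr.exe,
    apply the filter macro, then aggregate count/firstTime/lastTime per group."""
    groups = {}
    for ev in events:
        if ev["parent_process_name"].lower() != "sqlservr.exe":
            continue
        if not (process_cmd(ev) or process_powershell(ev)) or not filter_fn(ev):
            continue
        key = (ev["dest"], ev["user"], ev["process_name"], ev["process"])
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return groups
```

Running it without a filter returns three groups (the sql01 cmd.exe pair aggregated to count 2, the PowerShell child, and the sql02 health check); with `healthcheck_filter` the sql02 result drops out while the services.exe child on app01 never matches because its parent is not sqlservr.exe.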

Annotations

MITRE ATT&CK
ID | Technique | Tactic
T1505.001 | SQL Stored Procedures | Persistence

Kill Chain Phases: Installation
NIST: DE.CM
CIS: CIS 10
Threat Actors: (none listed)

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Notable Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Risk Event True
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

To implement this detection, you need to be ingesting endpoint data that captures process creation events, specifically the parent-child process relationships. Ensure that you are collecting Sysmon Event ID 1 or Windows Event Log Security 4688 events. The data should be mapped to the Endpoint data model in Splunk.

Known False Positives

Legitimate administrative activities or monitoring tools might occasionally spawn command shells from sqlservr.exe. Review the process command-line arguments and consider filtering out known legitimate processes or users.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

A command shell was spawned by sqlservr.exe on host $dest$ by user $user$. This may indicate unauthorized command execution.

Risk Object | Risk Object Type | Risk Score | Threat Objects
user | user | 90 | process_name, parent_process_name
dest | system | 90 | process_name, parent_process_name

References

Detection Testing

Test Type | Status | Dataset | Source | Sourcetype
Validation | Passing | N/A | N/A | N/A
Unit | Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | XmlWinEventLog
Integration | Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | XmlWinEventLog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 1