LoFP / t1505.001

t1505.001

Database administrators frequently make legitimate configuration changes for maintenance, performance tuning, and security hardening. To reduce false positives, establish a baseline of normal configuration changes, document approved configuration modifications, implement change control procedures, and maintain an inventory of expected settings.
Database administrators may legitimately enable these features for valid business purposes such as cross-database queries, custom CLR assemblies, automation scripts, or application requirements. To reduce false positives, document when these features are required, monitor for unauthorized changes, create change control procedures for configuration modifications, and consider alerting on the enabled state rather than on configuration changes if preferred.
Database administrators may legitimately enable xp_cmdshell for maintenance tasks, such as database maintenance scripts requiring OS-level operations, legacy applications, or automated system management tasks; however, this feature should generally remain disabled in production environments due to security risks. To reduce false positives, document when xp_cmdshell is required, monitor for unauthorized changes, create change control procedures for xp_cmdshell modifications, and consider alerting on the enabled state rather than on configuration changes if preferred.
inventory and monitoring activity
Legitimate administrative activities or monitoring tools might occasionally spawn command shells from sqlservr.exe. Review the process command-line arguments and consider filtering out known legitimate processes or users.
Legitimate administrative activity and normal database operations may trigger this detection. Common false positives include initial database startup and configuration, patch deployment and version updates, regular administrative tasks using extended stored procedures, and application servers that legitimately use OLE Automation.
legitimate applications
Legitimate startup procedures may be used by database administrators for maintenance, monitoring, or application functionality. Common legitimate uses include database maintenance and cleanup jobs, performance monitoring and statistics collection, application initialization procedures, and system health checks. To reduce false positives, organizations should document approved startup procedures, maintain an inventory of expected startup procedures, monitor for changes to startup procedure configurations, and create exceptions for known good procedures.
vulnerability scanners
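Several of the entries above recommend alerting on the enabled state of risky server options and keeping an inventory of startup procedures rather than alerting on every configuration change. The T-SQL below is an added example (not part of the LoFP entries or any detection rule) that compares the live state of those options against an expected baseline and lists the procedures in master flagged to run at startup; the baseline values in @expected are assumed and should be replaced with the organization's documented settings.

```sql
-- Baseline check for SQL Server options commonly abused under T1505.001.
-- Run as a login with VIEW SERVER STATE / access to master.
USE master;

-- Assumed baseline: every option expected to be disabled (0). Adjust per
-- the documented, change-controlled settings for this instance.
DECLARE @expected TABLE (name sysname NOT NULL, expected int NOT NULL);
INSERT INTO @expected (name, expected) VALUES
    ('xp_cmdshell', 0),
    ('Ole Automation Procedures', 0),
    ('clr enabled', 0),
    ('Ad Hoc Distributed Queries', 0),
    ('scan for startup procs', 0);

-- 1. Drift report: options whose running value differs from the baseline.
--    An empty result set means the instance matches the documented state.
SELECT  c.name,
        CAST(c.value_in_use AS int) AS actual_value,
        e.expected                  AS expected_value
FROM    sys.configurations AS c
JOIN    @expected          AS e ON e.name = c.name
WHERE   CAST(c.value_in_use AS int) <> e.expected;

-- 2. Inventory of startup procedures (must be evaluated in master, because
--    only procedures in master can be marked with sp_procoption 'startup').
--    Compare this list against the approved inventory; any new row is a
--    configuration change worth reviewing.
SELECT  p.name,
        p.create_date,
        p.modify_date,
        m.definition
FROM    sys.procedures  AS p
JOIN    sys.sql_modules AS m ON m.object_id = p.object_id
WHERE   OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1
ORDER BY p.modify_date DESC;
```

Scheduling both queries and alerting only when the first returns rows, or the second returns a procedure outside the approved inventory, gives the state-based alerting the entries describe instead of noise from routine change-control activity.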