Techniques
Sample rules
Windows SQL Server Critical Procedures Enabled
- source: splunk
- technicques:
- T1505.001
Description
This detection identifies when critical SQL Server configuration options are modified, including “Ad Hoc Distributed Queries”, “external scripts enabled”, “Ole Automation Procedures”, “clr enabled”, and “clr strict security”. These features can be abused by attackers for various malicious purposes - Ad Hoc Distributed Queries enables Active Directory reconnaissance through ADSI provider, external scripts and Ole Automation allow execution of arbitrary code, and CLR features can be used to run custom assemblies. Enabling these features could indicate attempts to gain code execution or perform reconnaissance through SQL Server.
Detection logic
`wineventlog_application` EventCode=15457
| rex field=EventData_Xml "<Data>(?<config_name>[^<]+)</Data><Data>(?<new_value>[^<]+)</Data><Data>(?<old_value>[^<]+)</Data>"
| where config_name IN ("Ad Hoc Distributed Queries", "external scripts enabled", "Ole Automation Procedures", "clr enabled", "clr strict security")
| rename host as dest
| eval change_type=case( old_value="0" AND new_value="1", "enabled", old_value="1" AND new_value="0", "disabled", true(), "modified" )
| eval risk_score=case( change_type="enabled", 90, change_type="disabled", 60, true(), 70 )
| eval risk_message="SQL Server critical procedure ".config_name." was ".change_type." on host ".dest.", which may indicate attempts to gain code execution or perform reconnaissance"
| stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode config_name change_type risk_message risk_score
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_sql_server_critical_procedures_enabled_filter`