Database administrators may legitimately enable xp_cmdshell for maintenance tasks, such as database maintenance scripts requiring OS-level operations, legacy applications, or automated system management tasks; however, this feature should generally remain disabled in production environments due to security risks. To reduce false positives, document when xp_cmdshell is required, monitor for unauthorized changes, create change control procedures for xp_cmdshell modifications, and consider alerting on the enabled state rather than on configuration changes if preferred.

Techniques

Sample rules

Windows SQL Server xp_cmdshell Config Change

Description

This detection identifies when the xp_cmdshell configuration is modified in SQL Server. The xp_cmdshell extended stored procedure allows execution of operating system commands and programs from SQL Server, making it a high-risk feature commonly abused by attackers for privilege escalation and lateral movement.

Detection logic

`wineventlog_application` EventCode=15457 
| rex field=EventData_Xml "<Data>(?<config_name>[^<]+)</Data><Data>(?<new_value>[^<]+)</Data><Data>(?<old_value>[^<]+)</Data>" 
| rename host as dest 
| where config_name="xp_cmdshell" 
| eval change_type=case( old_value="0" AND new_value="1", "enabled", old_value="1" AND new_value="0", "disabled", true(), "modified" ) 
| eval risk_score=case( change_type="enabled", 90, change_type="disabled", 60, true(), 70 ) 
| eval risk_message="SQL Server xp_cmdshell was ".change_type." on host ".dest 
| stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode config_name change_type risk_message risk_score 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_sql_server_xp_cmdshell_config_change_filter`
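The following Python is an added example, not part of the rule or the Splunk content, that replays the rule's logic offline so the classification and the false-positive filter can be tested before deployment: it parses constructed Event 15457 records (the three Data elements in the same order as the rule's rex), applies the same change_type and risk_score cases, and suppresses hosts on a hypothetical change-control allowlist standing in for the `windows_sql_server_xp_cmdshell_config_change_filter` macro. Host names and the allowlist are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events (Application log, EventCode 15457). The <Data> order
# (config name, new value, old value) follows the rex pattern in the rule above.
XML = "<EventData><Data>{name}</Data><Data>{new}</Data><Data>{old}</Data></EventData>"
SAMPLE_EVENTS = [
    {"host": "sql01", "EventCode": 15457, "EventData_Xml": XML.format(name="xp_cmdshell", new="1", old="0")},
    {"host": "sql02", "EventCode": 15457, "EventData_Xml": XML.format(name="xp_cmdshell", new="0", old="1")},
    {"host": "sql03", "EventCode": 15457, "EventData_Xml": XML.format(name="clr enabled", new="1", old="0")},
    {"host": "sql04", "EventCode": 15457, "EventData_Xml": XML.format(name="xp_cmdshell", new="1", old="0")},
]

# Hypothetical change-control allowlist: hosts where xp_cmdshell is documented as
# required. Plays the role of the rule's _filter macro (assumption, not real data).
DOCUMENTED_XP_CMDSHELL_HOSTS = {"sql04"}

DATA_RE = re.compile(r"<Data>(?P<config_name>[^<]+)</Data>"
                     r"<Data>(?P<new_value>[^<]+)</Data>"
                     r"<Data>(?P<old_value>[^<]+)</Data>")

@dataclass
class Finding:
    dest: str
    config_name: str
    change_type: str
    risk_score: int
    risk_message: str

def classify(old_value: str, new_value: str) -> tuple:
    """Mirror the rule's two case() statements: change_type and risk_score."""
    if old_value == "0" and new_value == "1":
        return "enabled", 90
    if old_value == "1" and new_value == "0":
        return "disabled", 60
    return "modified", 70

def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding for an xp_cmdshell change on a non-allowlisted host, else None."""
    if event.get("EventCode") != 15457:
        return None
    m = DATA_RE.search(event.get("EventData_Xml", ""))
    if not m or m["config_name"] != "xp_cmdshell":
        return None
    dest = event["host"]  # the rule renames host to dest
    if dest in DOCUMENTED_XP_CMDSHELL_HOSTS:
        return None  # documented exception, suppressed like the filter macro
    change_type, score = classify(m["old_value"], m["new_value"])
    return Finding(dest, m["config_name"], change_type, score,
                   f"SQL Server xp_cmdshell was {change_type} on host {dest}")

def run(events: list) -> list:
    """Apply evaluate() to every event and keep only the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]
```

Running `run(SAMPLE_EVENTS)` yields findings for sql01 (enabled, 90) and sql02 (disabled, 60) only; the unrelated option on sql03 and the documented host sql04 are dropped.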