Database administrators may legitimately enable xp_cmdshell for maintenance tasks, such as database maintenance scripts requiring OS-level operations, legacy applications, or automated system management tasks; however, this feature should generally remain disabled in production environments due to security risks. To reduce false positives, document when xp_cmdshell is required, monitor for unauthorized changes, create change control procedures for xp_cmdshell modifications, and consider alerting on the enabled state rather than on configuration changes if preferred.

Techniques

Sample rules

Windows SQL Server xp_cmdshell Config Change

Description

This detection identifies when the xp_cmdshell configuration is modified in SQL Server. The xp_cmdshell extended stored procedure allows execution of operating system commands and programs from SQL Server, making it a high-risk feature commonly abused by attackers for privilege escalation and lateral movement.

Detection logic

`wineventlog_application` EventCode=15457
| rex field=EventData_Xml "<Data>(?<config_name>[^<]+)</Data><Data>(?<old_value>[^<]+)</Data><Data>(?<new_value>[^<]+)</Data>"
| rename host as dest
| where config_name="xp_cmdshell"
| eval change_type=case(old_value="0" AND new_value="1", "enabled", old_value="1" AND new_value="0", "disabled", true(), "modified")
| eval risk_score=case(change_type="enabled", 90, change_type="disabled", 60, true(), 70)
| eval risk_message="SQL Server xp_cmdshell was ".change_type." on host ".dest
| stats count min(_time) as firstTime max(_time) as lastTime BY dest EventCode config_name change_type risk_message risk_score
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_sql_server_xp_cmdshell_config_change_filter`
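The same detection logic re-implemented in Python over a few constructed sample events, so the rex extraction, the case() classification and the risk scoring can be checked offline; this is an added example, not part of the original rule, and `documented_hosts` is a hypothetical stand-in for the rule's filter macro (the change-controlled hosts the false-positive note above recommends documenting).

```python
import re
from typing import Optional

# Constructed sample events (not real captured logs), shaped as the detection's
# rex expects: EventCode 15457 = "Configuration option '<name>' changed from X to Y".
SAMPLE_EVENTS = [
    {"host": "sql01", "EventCode": 15457,
     "EventData_Xml": "<Data>xp_cmdshell</Data><Data>0</Data><Data>1</Data>"},
    {"host": "sql02", "EventCode": 15457,
     "EventData_Xml": "<Data>xp_cmdshell</Data><Data>1</Data><Data>0</Data>"},
    {"host": "sql01", "EventCode": 15457,
     "EventData_Xml": "<Data>Ole Automation Procedures</Data><Data>0</Data><Data>1</Data>"},
    {"host": "sql03", "EventCode": 17137, "EventData_Xml": "<Data>master</Data>"},
]

# Same capture groups as the rule's rex: config_name, old_value, new_value.
CONFIG_RE = re.compile(r"<Data>([^<]+)</Data><Data>([^<]+)</Data><Data>([^<]+)</Data>")
RISK_SCORE = {"enabled": 90, "disabled": 60, "modified": 70}

def classify(old_value: str, new_value: str) -> str:
    """Mirror the rule's case(): 0->1 enabled, 1->0 disabled, anything else modified."""
    if old_value == "0" and new_value == "1":
        return "enabled"
    if old_value == "1" and new_value == "0":
        return "disabled"
    return "modified"

def evaluate(event: dict) -> Optional[dict]:
    """Return a risk record for an xp_cmdshell config change, or None if the event is unrelated."""
    if event.get("EventCode") != 15457:
        return None
    m = CONFIG_RE.search(event.get("EventData_Xml", ""))
    if not m or m.group(1) != "xp_cmdshell":
        return None
    change_type = classify(m.group(2), m.group(3))
    dest = event["host"]  # the rule renames host to dest
    return {"dest": dest, "config_name": m.group(1), "change_type": change_type,
            "risk_score": RISK_SCORE[change_type],
            "risk_message": f"SQL Server xp_cmdshell was {change_type} on host {dest}"}

def run(events: list, documented_hosts: frozenset = frozenset()) -> list:
    """Apply the detection; documented_hosts stands in for the rule's filter macro
    (hypothetical allow-list of hosts with change-controlled xp_cmdshell use)."""
    return [r for e in events if (r := evaluate(e)) and r["dest"] not in documented_hosts]

if __name__ == "__main__":
    for record in run(SAMPLE_EVENTS, documented_hosts=frozenset({"sql02"})):
        print(record)
```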