legitimate administrative activity and normal database operations may trigger this detection. common false positives include initial database startup and configuration, patch deployment and version updates, regular administrative tasks using extended stored procedures, and application servers that legitimately use ole automation.

Techniques

Sample rules

Windows SQL Server Extended Procedure DLL Loading Hunt

source: splunk
technicques:
- T1505.001
- T1059.009

Description

This analytic detects when SQL Server loads DLLs to execute extended stored procedures. This is particularly important for security monitoring as it indicates the first-time use or version changes of potentially dangerous procedures like xp_cmdshell, sp_OACreate, and others. While this is a legitimate operation, adversaries may abuse these procedures for execution, discovery, or privilege escalation.

Detection logic

`wineventlog_application` EventCode=8128 
| rex field=EventData_Xml "<Data>(?<dll_name>[^<]+)</Data><Data>(?<dll_version>[^<]+)</Data><Data>(?<procedure_name>[^<]+)</Data>" 
| rename host as dest 
| eval dll_category=case( dll_name=="xpstar.dll", "Extended Procedures", dll_name=="odsole70.dll", "OLE Automation", dll_name=="xplog70.dll", "Logging Procedures", true(), "Other") 
| stats count as execution_count, values(procedure_name) as procedures_used, latest(_time) as last_seen by dest dll_name dll_category dll_version 
| sort - execution_count 
| `windows_sql_server_extended_procedure_dll_loading_hunt_filter`