Techniques
Sample rules
Windows SQL Server Startup Procedure
- source: splunk
- technicques:
- T1505.001
Description
This detection identifies when a startup procedure is registered or executed in SQL Server. Startup procedures automatically execute when SQL Server starts, making them an attractive persistence mechanism for attackers. The detection monitors for suspicious stored procedure names and patterns that may indicate malicious activity, such as attempts to execute operating system commands or gain elevated privileges.
Detection logic
`wineventlog_application` EventCode=17135
| rex field=EventData_Xml "<Data>(?<startup_procedure>[^<]+)</Data>"
| rename host as dest
| eval risk_score=case( match(lower(startup_procedure), "xp_
|sp_
|cmdshell
|shell
|exec"), 90, true(), 70 )
| eval risk_message="SQL Server startup procedure '".startup_procedure."' was launched on host ".dest
| stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode startup_procedure risk_message risk_score
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_sql_server_startup_procedure_filter`