legitimate startup procedures may be used by database administrators for maintenance, monitoring, or application functionality. common legitimate uses include database maintenance and cleanup jobs, performance monitoring and statistics collection, application initialization procedures, and system health checks. to reduce false positives, organizations should document approved startup procedures, maintain an inventory of expected startup procedures, monitor for changes to startup procedure configurations, and create exceptions for known good procedures.

Techniques

T1505.001

Sample rules

Windows SQL Server Startup Procedure

source: splunk
technicques:
- T1505.001

Description

This detection identifies when a startup procedure is registered or executed in SQL Server. Startup procedures automatically execute when SQL Server starts, making them an attractive persistence mechanism for attackers. The detection monitors for suspicious stored procedure names and patterns that may indicate malicious activity, such as attempts to execute operating system commands or gain elevated privileges.

Detection logic

`wineventlog_application` EventCode=17135 
| rex field=EventData_Xml "<Data>(?<startup_procedure>[^<]+)</Data>" 
| rename host as dest 
| eval risk_score=case( match(lower(startup_procedure), "xp_
|sp_
|cmdshell
|shell
|exec"), 90, true(), 70 ) 
| eval risk_message="SQL Server startup procedure '".startup_procedure."' was launched on host ".dest 
| stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode startup_procedure risk_message risk_score 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_sql_server_startup_procedure_filter`