Adversaries may abuse SQL Server’s scripting and automation capabilities to execute malicious commands or exfiltrate data undetected. SOC teams should proactively hunt for this behavior to identify potential command and control activities or data theft leveraging SQL Server’s legitimate tools.
KQL Query
```kql
DeviceProcessEvents
| where Timestamp >= ago(10d)
| where InitiatingProcessFileName in~ ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe")
| summarize tostring(makeset(ProcessCommandLine)) by DeviceId, bin(Timestamp, 2m)
| where
    set_ProcessCommandLine has "certutil" or
    set_ProcessCommandLine has "netstat" or
    set_ProcessCommandLine has "ping" or
    set_ProcessCommandLine has "sysinfo" or
    set_ProcessCommandLine has "systeminfo" or
    set_ProcessCommandLine has "taskkill" or
    set_ProcessCommandLine has "wget" or
    set_ProcessCommandLine has "whoami" or
    set_ProcessCommandLine has "Invoke-WebRequest" or
    set_ProcessCommandLine has "Copy-Item" or
    set_ProcessCommandLine has "WebClient" or
    set_ProcessCommandLine has "advpack.dll" or
    set_ProcessCommandLine has "appvlp.exe" or
    set_ProcessCommandLine has "atbroker.exe" or
    set_ProcessCommandLine has "bash.exe" or
    set_ProcessCommandLine has "bginfo.exe" or
    set_ProcessCommandLine has "bitsadmin.exe" or
    set_ProcessCommandLine has "cdb.exe" or
    set_ProcessCommandLine has "certutil.exe" or
    set_ProcessCommandLine has "cl_invocation.ps1" or
    set_ProcessCommandLine has "cl_mutexverifiers.ps1" or
    set_ProcessCommandLine has "cmstp.exe" or
    set_ProcessCommandLine has "csi.exe" or
    set_ProcessCommandLine has "diskshadow.exe" or
    set_ProcessCommandLine has "dnscmd.exe" or
    set_ProcessCommandLine has "dnx.exe" or
    set_ProcessCommandLine has "dxcap.exe" or
    set_ProcessCommandLine has "esentutl.exe" or
    set_ProcessCommandLine has "expand.exe" or
    set_ProcessCommandLine has "extexport.exe" or
    set_ProcessCommandLine has "extrac32.exe" or
    set_ProcessCommandLine has "findstr.exe" or
    set_ProcessCommandLine has "forfiles.exe" or
    set_ProcessCommandLine has "ftp.exe" or
    set_ProcessCommandLine has "gpscript.exe" or
    set_ProcessCommandLine has "hh.exe" or
    set_ProcessCommandLine has "ie4uinit.exe" or
    set_ProcessCommandLine has "ieadvpack.dll" or
    set_ProcessCommandLine has "ieaframe.dll" or
    set_ProcessCommandLine has "ieexec.exe" or
    set_ProcessCommandLine has "infdefaultinstall.exe" or
    set_ProcessCommandLine has "installutil.exe" or
    set_ProcessCommandLine has "makecab.exe" or
    set_ProcessCommandLine has "manage-bde.wsf" or
    set_ProcessCommandLine has "mavinject.exe" or
    set_ProcessCommandLine has "mftrace.exe" or
    set_ProcessCommandLine has "microsoft.workflow.compiler.exe" or
    set_ProcessCommandLine has "mmc.exe" or
    set_ProcessCommandLine has "msbuild.exe" or
    set_ProcessCommandLine has "msconfig.exe" or
    set_ProcessCommandLine has "msdeploy.exe" or
    set_ProcessCommandLine has "msdt.exe" or
    set_ProcessCommandLine has "mshta.exe" or
    set_ProcessCommandLine has "mshtml.dll" or
    set_ProcessCommandLine has "msiexec.exe" or
    set_ProcessCommandLine has "msxsl.exe" or
    set_ProcessCommandLine has "odbcconf.exe" or
    set_ProcessCommandLine has "pcalua.exe" or
    set_ProcessCommandLine has "pcwrun.exe" or
    set_ProcessCommandLine has "pcwutl.dll" or
    set_ProcessCommandLine has "pester.bat" or
    set_ProcessCommandLine has "presentationhost.exe" or
    set_ProcessCommandLine has "pubprn.vbs" or
    set_ProcessCommandLine has "rcsi.exe" or
    set_ProcessCommandLine has "regasm.exe" or
    set_ProcessCommandLine has "register-cimprovider.exe" or
    set_ProcessCommandLine has "regsvcs.exe" or
    set_ProcessCommandLine has "regsvr32.exe" or
    set_ProcessCommandLine has "replace.exe" or
    set_ProcessCommandLine has "rundll32.exe" or
    set_ProcessCommandLine has "runonce.exe" or
    set_ProcessCommandLine has "runscripthelper.exe" or
    set_ProcessCommandLine has "schtasks.exe" or
    set_ProcessCommandLine has "scriptrunner.exe" or
    set_ProcessCommandLine has "setupapi.dll" or
    set_ProcessCommandLine has "shdocvw.dll" or
    set_ProcessCommandLine has "shell32.dll" or
    set_ProcessCommandLine has "slmgr.vbs" or
    set_ProcessCommandLine has "sqltoolsps.exe" or
    set_ProcessCommandLine has "syncappvpublishingserver.exe" or
    set_ProcessCommandLine has "syncappvpublishingserver.vbs" or
    set_ProcessCommandLine has "syssetup.dll" or
    set_ProcessCommandLine has "te.exe" or
    set_ProcessCommandLine has "tracker.exe" or
    set_ProcessCommandLine has "url.dll" or
    set_ProcessCommandLine has "verclsid.exe" or
    set_ProcessCommandLine has "vsjitdebugger.exe" or
    set_ProcessCommandLine has "wab.exe" or
    set_ProcessCommandLine has "winrm.vbs" or
    set_ProcessCommandLine has "wmic.exe" or
    set_ProcessCommandLine has "xwizard.exe" or
    set_ProcessCommandLine has "zipfldr.dll"
| sort by DeviceId, Timestamp asc
```
```yaml
id: 8ff94182-f58f-4377-914c-dca523b8e180
name: sql-server-abuse
description: |
  This query was originally published in the threat analytics report, SQL Server abuse.
  SQL Server offers a vast array of tools for automating tasks, exporting data, and running scripts. These legitimate tools can be repurposed by attackers. Because there are so many powerful commands an attacker might exploit, hunting for malicious activity involving SQL Server can be complicated.
  This query detects instances of a SQL Server process launching a shell to run one or more suspicious commands.
  Reference - https://docs.microsoft.com/sql/relational-databases/security/securing-sql-server?view=sql-server-ver15
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
- **Scenario:** A system administrator is using SQL Server Agent to schedule a routine data export job that uses bcp (Bulk Copy Program) to export data to a CSV file.
  **Filter/Exclusion:** Exclude queries containing bcp or xp_cmdshell when executed by a known admin account with scheduled job privileges.
- **Scenario:** A DBA is running a T-SQL script via SQL Server Management Studio (SSMS) to perform a database backup using the BACKUP DATABASE command.
  **Filter/Exclusion:** Exclude queries containing BACKUP DATABASE or RESTORE DATABASE when executed from SSMS or by a DBA account with elevated privileges.
- **Scenario:** An IT team is using SQL Server Integration Services (SSIS) to automate ETL processes, which includes executing external scripts or calling external tools.
  **Filter/Exclusion:** Exclude queries involving EXEC sp_execute_external_script or SSIS package execution when originating from known ETL workflows or scheduled SSIS jobs.
- **Scenario:** A developer is using SQL Server Profiler to monitor and analyze query performance, which may include capturing and replaying queries for debugging.
  **Filter/Exclusion:** Exclude queries that match known SQL Server Profiler activity or are executed from a development environment with specific IP ranges or user roles.
- **Scenario:** A security team is performing a penetration test using SQLMap to test for SQL injection vulnerabilities in a controlled environment.
  **Filter/Exclusion:** Exclude queries that match known SQLMap payloads or originate from a test environment IP range or user account.
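To make the query's pipeline concrete (parent-process filter, `bin(Timestamp, 2m)`, `make_set`, term-based `has` matching) and to show how the first tuning scenario above (a known SQL Agent export account running bcp) can be applied before aggregation, here is an added Python re-implementation run over constructed sample events; it is not part of the original hunting query or Microsoft's code. The indicator list is a subset of the query's, and the account names, device ids and command lines are assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Parent processes the KQL query treats as "SQL Server launched a shell".
SQL_PARENTS = {"sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe"}
# Subset of the query's indicator list (the full list is in the query above).
INDICATORS = ["certutil", "netstat", "ping", "sysinfo", "systeminfo", "whoami", "Invoke-WebRequest", "bitsadmin.exe"]
_TERM = re.compile(r"[A-Za-z0-9_]+")
# Constructed sample DeviceProcessEvents rows (not real telemetry); columns are
# (Timestamp, DeviceId, AccountName, InitiatingProcessFileName, ProcessCommandLine). Names are assumed.
EVENTS = [
    ("2024-05-01T10:00:10", "dev-1", "svc_sqlagent", "sqlservr.exe", r"bcp.exe sales.dbo.orders out C:\export\orders.csv -T"),
    ("2024-05-01T10:01:05", "dev-1", "svc_sqlagent", "sqlagent.exe", "cmd.exe /c whoami /all"),
    ("2024-05-01T10:03:40", "dev-2", "svc_mssql", "sqlservr.exe", "cmd.exe /c systeminfo"),
    ("2024-05-01T10:03:55", "dev-3", "svc_mssql", "sqlservr.exe", r"C:\Tools\mapping_tool.exe --refresh"),
    ("2024-05-01T10:04:00", "dev-4", "alice", "explorer.exe", "whoami"),  # not spawned by SQL Server
]

def kql_has(text, phrase):
    """Approximation of KQL 'has': the phrase must occur as whole term(s), case-insensitively.
    Plain substring matching would fire 'ping' on 'mapping_tool.exe'; 'has' does not."""
    t_terms = [t.lower() for t in _TERM.findall(text)]
    p_terms = [t.lower() for t in _TERM.findall(phrase)]
    n = len(p_terms)
    return any(t_terms[i:i + n] == p_terms for i in range(len(t_terms) - n + 1))

def bin_2m(ts):
    """bin(Timestamp, 2m): floor an ISO timestamp to its 2-minute boundary."""
    t = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
    return t - timedelta(minutes=t.minute % 2)

def hunt(events, bcp_export_accounts=frozenset()):
    """Return {(DeviceId, bin): {"commands": set, "indicators": list}} for bins that match. bcp_export_accounts
    is the assumed tuning for scenario 1 (not in the page's KQL): known export accounts running bcp are dropped per event."""
    buckets = defaultdict(set)  # summarize make_set(ProcessCommandLine) by DeviceId, bin(Timestamp, 2m)
    for ts, device, account, parent, cmd in events:
        if parent.lower() not in SQL_PARENTS:
            continue
        if account in bcp_export_accounts and kql_has(cmd, "bcp"):
            continue
        buckets[(device, bin_2m(ts))].add(cmd)
    results = {}
    for key, cmds in buckets.items():
        joined = json.dumps(sorted(cmds))  # tostring(make_set(...)) is matched as one JSON-array string
        hits = [ind for ind in INDICATORS if kql_has(joined, ind)]
        if hits:
            results[key] = {"commands": cmds, "indicators": hits}
    return results
```

Without the exclusion the bcp export lands in the same 2-minute bin as the whoami call on dev-1 and is reported alongside it, which is exactly the noise the first tuning scenario removes.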