
Suspicious Child Process Of SQL Server

Format: Sigma · Level: HIGH · Source: SigmaHQ
ATT&CK: T1505.003, T1190
Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-11T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.

Detection Rule

Sigma (Original)

title: Suspicious Child Process Of SQL Server
id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
related:
    - id: 344482e4-a477-436c-aa70-7536d18a48c7
      type: obsolete
status: test
description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
references:
    - Internal Research
author: FPT.EagleEye Team, wagga
date: 2020-12-11
modified: 2023-05-04
tags:
    - attack.t1505.003
    - attack.t1190
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sqlservr.exe'
        Image|endswith:
            # You can add other uncommon or suspicious processes
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\netstat.exe'
            - '\nltest.exe'
            - '\ping.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\sh.exe'
            - '\systeminfo.exe'
            - '\tasklist.exe'
            - '\wsl.exe'
    filter_optional_datev:
        ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
        ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
        Image: 'C:\Windows\System32\cmd.exe'
        CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
    condition: selection and not 1 of filter_optional_*
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (
        (ParentProcessName endswith "\\sqlservr.exe" or ActingProcessName endswith "\\sqlservr.exe")
        and (TargetProcessName endswith "\\bash.exe" or TargetProcessName endswith "\\bitsadmin.exe" or TargetProcessName endswith "\\cmd.exe" or TargetProcessName endswith "\\netstat.exe"
            or TargetProcessName endswith "\\nltest.exe" or TargetProcessName endswith "\\ping.exe" or TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\pwsh.exe"
            or TargetProcessName endswith "\\regsvr32.exe" or TargetProcessName endswith "\\rundll32.exe" or TargetProcessName endswith "\\sh.exe" or TargetProcessName endswith "\\systeminfo.exe"
            or TargetProcessName endswith "\\tasklist.exe" or TargetProcessName endswith "\\wsl.exe")
    )
    and not (
        (ParentProcessName startswith "C:\\Program Files\\Microsoft SQL Server\\" or ActingProcessName startswith "C:\\Program Files\\Microsoft SQL Server\\")
        and (ParentProcessName endswith "DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe" or ActingProcessName endswith "DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe")
        and TargetProcessName =~ "C:\\Windows\\System32\\cmd.exe"
        and TargetProcessCommandLine startswith "\"C:\\Windows\\system32\\cmd.exe\" "
    )
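To show how the Sigma `selection`, the `filter_optional_datev` exception and the condition `selection and not 1 of filter_optional_*` combine (the KQL above is the same logic compiled for Sentinel), here is a small evaluator run over constructed process-creation events. It is an added example, not part of the SigmaHQ rule or this page. It assumes Sigma/Sysmon field names (`ParentImage`, `Image`, `CommandLine`); the SQL Server instance paths, the DATEV instance name and every command line in the sample events are made-up values for illustration.

```python
# Added example, not part of the SigmaHQ rule or this page: a reference
# evaluator for the "Suspicious Child Process Of SQL Server" logic.
# It mirrors the Sigma rule: `selection` (sqlservr.exe parent and a listed
# child image), `filter_optional_datev`, and the condition
# "selection and not 1 of filter_optional_*". Field names follow the Sigma
# process_creation taxonomy, which Sysmon Event ID 1 uses as-is
# (ParentImage, Image, CommandLine). All sample events below are constructed.
from dataclasses import dataclass
from typing import Iterable, List

# Child images from the rule's selection. Sigma single-quoted strings keep the
# backslash literal, so the list items match "<separator><basename>".
SUSPICIOUS_CHILDREN = (
    "\\bash.exe", "\\bitsadmin.exe", "\\cmd.exe", "\\netstat.exe",
    "\\nltest.exe", "\\ping.exe", "\\powershell.exe", "\\pwsh.exe",
    "\\regsvr32.exe", "\\rundll32.exe", "\\sh.exe", "\\systeminfo.exe",
    "\\tasklist.exe", "\\wsl.exe",
)


@dataclass(frozen=True)
class ProcessCreate:
    ParentImage: str
    Image: str
    CommandLine: str


def _ci(value: str) -> str:
    # Sigma string comparisons are case-insensitive by default; the generated
    # KQL uses `=~` for the plain equality match for the same reason.
    return value.casefold()


def matches_selection(ev: ProcessCreate) -> bool:
    """True when sqlservr.exe spawned one of the listed child images."""
    parent_is_sql = _ci(ev.ParentImage).endswith(_ci("\\sqlservr.exe"))
    child_listed = any(_ci(ev.Image).endswith(_ci(c)) for c in SUSPICIOUS_CHILDREN)
    return parent_is_sql and child_listed


def matches_filter_datev(ev: ProcessCreate) -> bool:
    """The rule's filter_optional_datev: cmd.exe launched by the DATEV SQL instance
    with the exact quoted-path command line. All four fields must match."""
    parent = _ci(ev.ParentImage)
    return (
        parent.startswith(_ci("C:\\Program Files\\Microsoft SQL Server\\"))
        and parent.endswith(_ci("DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe"))
        and _ci(ev.Image) == _ci("C:\\Windows\\System32\\cmd.exe")
        and _ci(ev.CommandLine).startswith(_ci('"C:\\Windows\\system32\\cmd.exe" '))
    )


def is_alert(ev: ProcessCreate) -> bool:
    """Condition: selection and not 1 of filter_optional_*."""
    return matches_selection(ev) and not matches_filter_datev(ev)


def evaluate(events: Iterable[ProcessCreate]) -> List[ProcessCreate]:
    """Return the events the rule would fire on."""
    return [ev for ev in events if is_alert(ev)]


# Constructed sample telemetry (not real events). Instance names and paths are
# illustrative assumptions, not values taken from the rule.
SQL_DEFAULT = "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe"
SQL_DATEV = "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe"

SAMPLE_EVENTS = [
    # 0: SQL Server spawning cmd.exe -> alert
    ProcessCreate(SQL_DEFAULT, "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir"),
    # 1: upper-cased paths still match because comparison is case-insensitive -> alert
    ProcessCreate(SQL_DEFAULT.upper(),
                  "C:\\WINDOWS\\SYSTEM32\\WINDOWSPOWERSHELL\\V1.0\\POWERSHELL.EXE",
                  "powershell -c Get-Date"),
    # 2: DATEV instance launching cmd.exe with the quoted path -> suppressed by the filter
    ProcessCreate(SQL_DATEV, "C:\\Windows\\System32\\cmd.exe",
                  '"C:\\Windows\\system32\\cmd.exe" /c echo datev-job'),
    # 3: same DATEV parent, but the command line is not the quoted form -> filter misses, alert
    ProcessCreate(SQL_DATEV, "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c echo not-quoted"),
    # 4: SQL Server spawning a child image that is not in the list -> no alert
    ProcessCreate(SQL_DEFAULT,
                  "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\SQLDumper.exe",
                  "SQLDumper.exe"),
    # 5: cmd.exe from a non-SQL parent -> no alert
    ProcessCreate("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT parent={hit.ParentImage} image={hit.Image} cmdline={hit.CommandLine}")
```

Events 2 and 3 illustrate how narrow the optional filter is: `Image` without a modifier is an exact (case-insensitive) match and the `CommandLine|startswith` value includes the quoted path, so a DATEV-spawned cmd.exe with any other command line still alerts. When tuning the rule for a different environment, prefer adding an equally specific `filter_optional_*` block over widening this one.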

Required Data Sources

Sentinel Table     Notes
imProcessCreate    Ensure this data connector is enabled

False Positive Guidance

No known false positives documented.

MITRE ATT&CK Context

T1505.003 (Server Software Component: Web Shell) and T1190 (Exploit Public-Facing Application); tactics tagged in the rule: initial-access, persistence, privilege-escalation.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml