T1505.003 SuspiciousChildProcessOfSQLServer
T1505.003 - Suspicious Child Process Of SQL Server
DESCRIPTION
Detects suspicious child processes (command shells, script interpreters, discovery utilities and LOLBins such as regsvr32.exe and rundll32.exe) spawned by the SQL Server engine process sqlservr.exe. The engine normally does not launch such binaries; it does so when a sysadmin-level login or a SQL injection foothold abuses features like xp_cmdshell or the OLE Automation stored procedures, so a hit could indicate RCE or SQL injection.
author: FPT.EagleEye Team, wagga
Example:
N/A
Reference:
https://github.com/SigmaHQ/sigma/blob/eb2f82cbc35909a9657aada437a59a70b5610818/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml
Related
common persistence - SQL Server
ATT&CK TACTICS
T1505.003 - Server Software Component: Web Shell
Data Source(s): Process - Process Creation
SENTINEL RULE QUERY
DeviceProcessEvents
| where InitiatingProcessFolderPath endswith "\\sqlservr.exe"
| where FileName in~ ("bash.exe", "bitsadmin.exe", "cmd.exe", "netstat.exe", "nltest.exe", "ping.exe", "powershell.exe", "pwsh.exe", "regsvr32.exe", "rundll32.exe", "sh.exe", "systeminfo.exe", "tasklist.exe", "wsl.exe")
// Exclusion carried over from the referenced Sigma rule (filter_datev). It is ONE conjunctive filter that carves out
// cmd.exe launched by the DATEV-bundled instance. Applying its clauses as separate !startswith / !contains conditions
// would also suppress every instance installed under the default "C:\Program Files\Microsoft SQL Server\" path and
// every cmd.exe child of any instance, which is most of what the rule exists to catch.
| where not(
    InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft SQL Server\\"
    and InitiatingProcessFolderPath endswith "DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe"
    and FolderPath in~ ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\SysWOW64\\cmd.exe") // SysWOW64 added for 32-bit launches
    and (ProcessCommandLine startswith "C:\\Windows\\system32\\cmd.exe"
         or ProcessCommandLine startswith "\"C:\\Windows\\system32\\cmd.exe\""
         or ProcessCommandLine startswith "C:\\Windows\\SysWOW64\\cmd.exe"
         or ProcessCommandLine startswith "\"C:\\Windows\\SysWOW64\\cmd.exe\"")
  )
// Optional rollup for triage:
//| summarize count(), set_ProcessCommandLine = make_set(ProcessCommandLine) by DeviceName, AccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, FolderPath, TenantId
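Added example (not part of this rule page or of the SigmaHQ rule): the selection and the single conjunctive DATEV exclusion from the referenced Sigma rule, re-implemented in Python and run over constructed DeviceProcessEvents rows, so the rule logic can be unit-tested offline before it is deployed. Field names follow the DeviceProcessEvents schema; the host names, account names and command lines are made up, and the SysWOW64 cmd.exe path in the exclusion is the page's own extension of the Sigma filter.

```python
from collections import defaultdict

# Child images the rule treats as suspicious when the parent is sqlservr.exe
SUSPICIOUS_CHILDREN = {
    "bash.exe", "bitsadmin.exe", "cmd.exe", "netstat.exe", "nltest.exe",
    "ping.exe", "powershell.exe", "pwsh.exe", "regsvr32.exe", "rundll32.exe",
    "sh.exe", "systeminfo.exe", "tasklist.exe", "wsl.exe",
}

# cmd.exe locations covered by the exclusion (SysWOW64 is the page's addition, not Sigma's)
CMD_PATHS = ("c:\\windows\\system32\\cmd.exe", "c:\\windows\\syswow64\\cmd.exe")


def file_name(path):
    """Last path component, lower-cased; mirrors comparing FileName with in~ (case-insensitive)."""
    return path.rsplit("\\", 1)[-1].lower()


def is_selection(event):
    """Sigma 'selection': parent image is sqlservr.exe and the child image is on the list."""
    parent = event["InitiatingProcessFolderPath"].lower()
    return parent.endswith("\\sqlservr.exe") and file_name(event["FolderPath"]) in SUSPICIOUS_CHILDREN


def is_datev_exclusion(event):
    """Sigma 'filter_datev': every clause must hold at once. It carves out only cmd.exe
    launched by the DATEV-bundled instance, not every instance under Program Files."""
    parent = event["InitiatingProcessFolderPath"].lower()
    child = event["FolderPath"].lower()
    cmdline = event["ProcessCommandLine"].lower().lstrip('"')  # accept quoted or bare image path
    return (
        parent.startswith("c:\\program files\\microsoft sql server\\")
        and parent.endswith("datev_dbengine\\mssql\\binn\\sqlservr.exe")
        and child in CMD_PATHS
        and cmdline.startswith(CMD_PATHS)
    )


def matches(event):
    """Sigma condition: selection and not 1 of filter_*"""
    return is_selection(event) and not is_datev_exclusion(event)


def run_rule(events):
    return [e for e in events if matches(e)]


def summarize(alerts):
    """Rollup like the rule's optional summarize: distinct child command lines per
    (DeviceName, AccountName, parent image)."""
    grouped = defaultdict(set)
    for e in alerts:
        key = (e["DeviceName"], e["AccountName"], e["InitiatingProcessFolderPath"])
        grouped[key].add(e["ProcessCommandLine"])
    return {key: sorted(cmds) for key, cmds in grouped.items()}


# --- constructed sample telemetry (made up, not real events) -----------------
DEFAULT_SQL = "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe"
DATEV_SQL = "C:\\Program Files\\Microsoft SQL Server\\MSSQL14.DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe"


def event(device, account, parent, child, cmdline):
    return {"DeviceName": device, "AccountName": account, "InitiatingProcessFolderPath": parent,
            "FolderPath": child, "ProcessCommandLine": cmdline}


SAMPLE_EVENTS = [
    # default instance shelling out (what xp_cmdshell abuse looks like): alert
    event("sql01", "mssqlserver", DEFAULT_SQL, "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c whoami"),
    # mixed-case path and encoded PowerShell: still alert (comparisons are case-insensitive)
    event("sql01", "mssqlserver", DEFAULT_SQL,
          "C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\PowerShell.EXE", "PowerShell.EXE -enc SQBFAFgA"),
    # DATEV-bundled instance launching cmd.exe the documented way: excluded
    event("datev01", "mssql$datev_dbengine", DATEV_SQL, "C:\\Windows\\System32\\cmd.exe",
          "\"C:\\Windows\\system32\\cmd.exe\" /c dir"),
    # same DATEV instance launching powershell.exe: exclusion does not apply, alert
    event("datev01", "mssql$datev_dbengine", DATEV_SQL,
          "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "powershell.exe -nop -w hidden"),
    # child not on the list: no alert
    event("sql01", "mssqlserver", DEFAULT_SQL, "C:\\Windows\\System32\\conhost.exe", "conhost.exe 0x4"),
    # cmd.exe from a different parent: not this rule's concern
    event("web01", "iis apppool\\defaultapppool", "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
          "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for key, cmds in summarize(run_rule(SAMPLE_EVENTS)).items():
        print(key, cmds)
```

Running the file prints one rollup row for the default instance (two command lines) and one for the DATEV instance (only the powershell.exe launch); the DATEV cmd.exe event is the only selected event that the exclusion removes. Keeping the exclusion in one function makes the point visible that a filter with several clauses is an AND, and the six constructed rows double as regression cases when the list of child images or the exclusion is changed.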
Triage
- Examine the child command line, and the parent's command line to identify which instance launched it (sqlservr.exe is started with -s<InstanceName> for named instances).
- Check on that instance whether xp_cmdshell, Ole Automation Procedures or CLR are enabled (sp_configure) and, where auditing is available, which login issued the statement.
- Validate with the DBA whether this is expected behaviour from SQL Server (maintenance scripts or jobs that shell out).
False positives:
- Database backup or maintenance jobs that shell out via xp_cmdshell, e.g. to copy backup files.
VERSION
Version 1.2 (date: 29/01/2024)