Name:Windows Sqlservr Spawning Shell id:d33aac9f-030c-4830-8701-0c2dd75bb6cb version:1 date:2025-02-04 author:Michael Haag, Splunk status:production type:TTP Description:This analytic detects instances where the sqlservr.exe process spawns a command shell (cmd.exe) or PowerShell process. This behavior is often indicative of command execution initiated from within the SQL Server process, potentially due to exploitation of SQL injection vulnerabilities or the use of extended stored procedures like xp_cmdshell. Data_source:
-Sysmon EventID 1
-Windows Event Log Security 4688
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="sqlservr.exe" `process_cmd` OR `process_powershell` by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sqlservr_spawning_shell_filter`
how_to_implement:To implement this detection, you need to be ingesting endpoint data that captures process creation events, specifically the parent-child process relationships. Ensure that you are collecting Sysmon Event ID 1 or Windows Event Log Security 4688 events. The data should be mapped to the Endpoint data model in Splunk. known_false_positives:Legitimate administrative activities or monitoring tools might occasionally spawn command shells from sqlservr.exe. Review the process command-line arguments and consider filtering out known legitimate processes or users. References: -https://attack.mitre.org/techniques/T1505/001/ -https://github.com/MHaggis/notes/tree/master/utilities/SQLSSTT drilldown_searches: name:'View the detection results for - "$dest$" and "$process_name$"' search:'%original_detection_search% | search dest = "$dest$" process_name = "$process_name$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$" and "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'SQL Server Abuse' asset_type:Endpoint mitre_attack_id: - 'T1505.001' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint cve:
