Guide to Detecting Sinister SQL Attacks
Comprehensive guide to detecting SQL Server attacks including xp_cmdshell abuse, credential theft, and lateral movement through database servers.
sql-server xp_cmdshell lateral-movement detection splunk
Originally published on the Splunk Security Blog
Read the full article: Guide to Detecting Sinister SQL Attacks
SQL Server: The Overlooked Attack Surface
Database servers often have:
- High privileges
- Network access to sensitive systems
- Stored credentials
- Inadequate monitoring
Attackers know this.
Common Attack Techniques
xp_cmdshell
The classic. Execute OS commands from SQL:
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'powershell -e JABjAGwAaQBlAG4AdAA...';
OLE Automation
DECLARE @shell INT;
EXEC sp_OACreate 'WScript.Shell', @shell OUTPUT;
EXEC sp_OAMethod @shell, 'Run', NULL, 'cmd /c whoami';
CLR Assemblies
Load malicious .NET code into SQL Server.
Linked Servers
Pivot through trusted database links.
Detection Strategies
xp_cmdshell Execution
index=mssql
(statement="*xp_cmdshell*" OR statement="*sp_OACreate*")
| table _time, src_ip, database, user, statement
SQL Server Spawning Processes
index=sysmon EventCode=1
ParentImage="*\\sqlservr.exe"
| table _time, Computer, User, Image, CommandLine
Suspicious SQL Service Account Activity
index=windows EventCode=4688
(SubjectUserName="*MSSQL*" OR SubjectUserName="*SQLServer*")
NOT NewProcessName="*\\sqlservr.exe"
| table _time, Computer, SubjectUserName, NewProcessName, CommandLine
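The three searches above, rewritten as an added Python example (not code from the original article) that runs the same logic over constructed sample events; field names follow the searches, and NewProcessName is assumed to be the process path field on Windows event 4688:

```python
import re

# Constructed sample events (not from the article): one mssql audit row per
# kind, a Sysmon EventCode=1 record and two Windows 4688 records.
SAMPLE_EVENTS = [
    {"index": "mssql", "src_ip": "10.0.0.5", "user": "app_user",
     "statement": "EXEC xp_cmdshell 'whoami';"},
    {"index": "mssql", "src_ip": "10.0.0.9", "user": "report_svc",
     "statement": "SELECT name FROM sys.tables;"},
    {"index": "sysmon", "EventCode": 1, "Computer": "DB01",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
    {"index": "windows", "EventCode": 4688, "Computer": "DB01",
     "SubjectUserName": "MSSQLSERVER",   # benign: the engine itself
     "NewProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    {"index": "windows", "EventCode": 4688, "Computer": "DB01",
     "SubjectUserName": "MSSQLSERVER",   # suspicious: service account runs powershell
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

DANGEROUS_PROCS = re.compile(r"xp_cmdshell|sp_OACreate|sp_OAMethod", re.IGNORECASE)
SQL_SVC_ACCOUNT = re.compile(r"MSSQL|SQLServer", re.IGNORECASE)


def is_sqlservr(path: str) -> bool:
    """Match on the file name only, which is what the "*\\sqlservr.exe" wildcard intends."""
    return path.lower().rsplit("\\", 1)[-1] == "sqlservr.exe"


def detect(events):
    """Return (rule_name, event) pairs for the three detections, in event order."""
    hits = []
    for ev in events:
        if ev.get("index") == "mssql" and DANGEROUS_PROCS.search(ev.get("statement", "")):
            hits.append(("xp_cmdshell_or_ole_execution", ev))
        elif (ev.get("index") == "sysmon" and ev.get("EventCode") == 1
              and is_sqlservr(ev.get("ParentImage", ""))):
            hits.append(("sqlserver_spawned_process", ev))
        elif (ev.get("index") == "windows" and ev.get("EventCode") == 4688
              and SQL_SVC_ACCOUNT.search(ev.get("SubjectUserName", ""))
              and not is_sqlservr(ev.get("NewProcessName", ""))):   # exclude the engine itself
            hits.append(("sql_service_account_new_process", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, ev.get("Computer") or ev.get("src_ip"),
              ev.get("statement") or ev.get("Image") or ev.get("NewProcessName"))
```

Of the five sample events, three fire: the xp_cmdshell statement, cmd.exe spawned by sqlservr.exe, and powershell.exe started by the service account; the engine's own 4688 record is excluded because the exclusion is done by file name rather than an exact string compare.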
Defense Recommendations
- Disable xp_cmdshell if not needed
- Use SQL Server Audit
- Monitor for SQL spawning child processes
- Restrict SQL service account permissions
- Network segment database servers