Suspicious Child Process Of SQL Server
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
| --- | --- | --- | --- | --- |
| Suspicious Child Process of SQL Server | Standard | Windows | Initial Access: Exploit Public-Facing Application (T1190) | Critical |
About the rule
Rule Type
Standard
Rule Description
This detection identifies unusual child processes spawned by sqlservr.exe, the main executable for Microsoft SQL Server. Threat actors may exploit SQL Server through misconfigurations or by using xp_cmdshell to execute arbitrary commands, leading to suspicious child processes like PowerShell, cmd.exe, or certutil. Such behavior often indicates post-exploitation activity or lateral movement originating from the database server.
Severity
Trouble
Rule journey
Attack chain scenario
Initial Access → Execution → Persistence → Privilege Escalation → Lateral Movement → Defense Evasion
Impact
- Ransomware deployment
- Command and Control
- Data Exfiltration
Rule Requirement
Prerequisites
Using Windows event viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and navigate to the Advanced Audit Policy Configuration section to enable success auditing for both process creation and termination. To capture command-line details, enable the Include command line in process creation events setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key in the specified EventLog path to support enhanced auditing.
Using Sysmon:
To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter to capture all process creation events. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn’t already exist.
Criteria
```
Action1: actionname = "Process started"
  AND (PARENTPROCESSNAME endswith "\sqlservr.exe"
       AND PROCESSNAME endswith "\bash.exe,\bitsadmin.exe,\cmd.exe,\netstat.exe,\nltest.exe,\ping.exe,\powershell.exe,\pwsh.exe,\regsvr32.exe,\rundll32.exe,\sh.exe,\systeminfo.exe,\tasklist.exe,\wsl.exe")
  AND (PARENTPROCESSNAME notstartswith "C:\Program Files\Microsoft SQL Server"
       OR PARENTPROCESSNAME notendswith "DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe"
       OR PROCESSNAME != "C:\Windows\System32\cmd.exe"
       OR COMMANDLINE notstartswith ""C:\Windows\system32\cmd.exe" ")
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME,
       Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
```
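To make the criteria concrete, here is an added Python re-implementation of the rule logic (example code, not the rule engine's own) evaluated over a few constructed process-creation events; the field names follow the rule, and the full instance paths, including the DATEV one, are assumptions made for illustration. The block also spells out the allowlist: the OR of four negated conditions in the criteria means "alert unless all four hold".

```python
# Added example, not the rule engine's code: the criteria above as a Python
# predicate, evaluated over constructed process-creation events.
SUSPICIOUS_CHILDREN = (
    "bash.exe", "bitsadmin.exe", "cmd.exe", "netstat.exe", "nltest.exe",
    "ping.exe", "powershell.exe", "pwsh.exe", "regsvr32.exe", "rundll32.exe",
    "sh.exe", "systeminfo.exe", "tasklist.exe", "wsl.exe",
)

def is_datev_exception(ev):
    """All four allowlist conditions hold (De Morgan of the rule's OR of negations)."""
    parent = ev["PARENTPROCESSNAME"]
    return (parent.startswith("C:\\Program Files\\Microsoft SQL Server")
            and parent.endswith("DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe")
            and ev["PROCESSNAME"] == "C:\\Windows\\System32\\cmd.exe"
            and ev["COMMANDLINE"].startswith('"C:\\Windows\\system32\\cmd.exe" '))

def matches_rule(ev):
    """True when the event would raise the alert (suffix checks case-insensitive: assumption)."""
    if ev.get("actionname") != "Process started":
        return False
    parent = ev["PARENTPROCESSNAME"].lower()
    child = ev["PROCESSNAME"].lower()
    if not parent.endswith("\\sqlservr.exe"):
        return False
    if not any(child.endswith("\\" + name) for name in SUSPICIOUS_CHILDREN):
        return False
    return not is_datev_exception(ev)

def alerts(events):
    return [ev for ev in events if matches_rule(ev)]

# Constructed sample events; the instance paths are illustrative, not real telemetry.
SQL_BINN = "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe"
DATEV_BINN = "C:\\Program Files\\Microsoft SQL Server\\DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe"
SAMPLE_EVENTS = [
    # cmd.exe from a normal instance, as xp_cmdshell would spawn it -> alert
    {"actionname": "Process started", "PARENTPROCESSNAME": SQL_BINN,
     "PROCESSNAME": "C:\\Windows\\System32\\cmd.exe",
     "COMMANDLINE": '"C:\\Windows\\system32\\cmd.exe" /c whoami'},
    # same child, but from the DATEV instance the rule allowlists -> no alert
    {"actionname": "Process started", "PARENTPROCESSNAME": DATEV_BINN,
     "PROCESSNAME": "C:\\Windows\\System32\\cmd.exe",
     "COMMANDLINE": '"C:\\Windows\\system32\\cmd.exe" /c dir'},
    # child not in the suspicious list -> no alert
    {"actionname": "Process started", "PARENTPROCESSNAME": SQL_BINN,
     "PROCESSNAME": "C:\\Windows\\System32\\conhost.exe",
     "COMMANDLINE": "conhost.exe 0x4"},
]
```

Running `alerts(SAMPLE_EVENTS)` returns only the first event; the DATEV cmd.exe launch is suppressed by the allowlist and conhost.exe is never in scope.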
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Initial Access: Exploit Public-Facing Application (T1190)
Persistence: Server Software Component - Web Shell (T1505.003)
Security Standards
Enabling this rule will help you meet the security standard requirement listed below:
DE.AE-07 (Cyber threat intelligence and other contextual information are integrated into the analysis)
When this rule is triggered, you're notified of suspicious child processes spawned by SQL Server binaries—an indication that an attacker might be abusing SQL Server for system-level command execution.
Author
FPT.EagleEye Team, wagga
Future actions
Known False Positives
Legitimate maintenance scripts or administrative tasks triggered via SQL Server that spawn system processes like cmd.exe or powershell.exe.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Review the parent-child process relationship involving sqlservr.exe and inspect if the spawned process is expected in your environment.
- Analysis: Investigate the command-line arguments, user context, and execution timeline. Correlate with any recent database or application activity logs.
- Response: Terminate the process and isolate the host, conduct a full compromise assessment, and revoke any abused credentials.
- Restrict xp_cmdshell: Restrict xp_cmdshell and other system-level SQL Server features unless absolutely required.
Mitigation
| Mitigation ID | Mitigation Name | Mitigation description |
| --- | --- | --- |
| M1048 | Application Isolation and Sandboxing | Application isolation will limit what other processes and system features the exploited target can access. |
| M1050 | Exploit Protection | Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application. |
| M1030 | Network Segmentation | Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure. |
| M1026 | Privileged Account Management | Using least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system. |
| M1051 | Update Software | Update software regularly by employing patch management for externally exposed applications. |
| M1016 | Vulnerability Scanning | Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure. |
| M1042 | Disable or Remove Feature or Program | Consider disabling functions from web technologies such as PHP's eval() that may be abused for web shells. |
| M1018 | User Account Management | Enforce the principle of least privilege by limiting privileges of user accounts so only authorized accounts can modify the web directory. |