Creation or modification of stored procedures invoking xp_cmdshell or CLR assemblies for command execution and persistence.

| Data Component | Name | Channel |
|---|---|---|
| Script Execution (DC0029) | WinEventLog:Application | Stored procedure creation, modification, or xp_cmdshell invocation via SQL logs or SQL Server auditing |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Application | CLR Assembly creation, loading, or modification logs via MSSQL CLR integration |

| Field | Description |
|---|---|
| xp_cmdshell_invocation_threshold | Adjust if legitimate procedures use xp_cmdshell often in the environment |
| CLRAssemblyNameWhitelist | Organization-defined whitelist of legitimate CLR assemblies |
| TimeWindow | Tune the time window used to correlate stored procedure creation with process execution |
SQL stored procedures that invoke OS-level commands via an xp_cmdshell equivalent or via user-defined function (UDF) mechanisms.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Script Execution (DC0029) | ApplicationLogs:SQL | Stored procedure creation or modification with shell invocation (e.g., system(), exec()) |

| Field | Description |
|---|---|
| CommandRegex | Regex used to detect suspicious OS commands invoked via SQL |
| TimeWindow | Window for correlating procedure creation with command execution |
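The following is an added example that implements both analytics above as correlation logic over constructed, normalized events; it is not code from the detection strategy page or from any SIEM vendor. The tunable fields (`xp_cmdshell_invocation_threshold`, `CLRAssemblyNameWhitelist`, `TimeWindow`, `CommandRegex`) come from the tables; the event `type` values, the `parent_comm`/`cmdline` fields, the sample timestamps and hosts, and the database engine process names in `DB_ENGINE_PROCS` are assumptions about how a SIEM would normalize the listed channels. The Windows analytic correlates procedure creation with Sysmon EventCode=1 children of `sqlservr.exe`, counts xp_cmdshell invocations against the threshold, and flags CLR assemblies outside the whitelist; the Linux analytic applies `CommandRegex` to procedure bodies and correlates with auditd `execve` records spawned by the database engine.

```python
import re
from datetime import datetime, timedelta

# Tunable fields from the mutable-elements tables (values here are assumptions).
TUNING = {
    "xp_cmdshell_invocation_threshold": 2,            # alert when a host exceeds this count
    "CLRAssemblyNameWhitelist": {"corpreporting"},     # compared case-insensitively
    "TimeWindow": timedelta(minutes=5),
    "CommandRegex": re.compile(r"xp_cmdshell|\b(?:system|exec)\s*\(", re.IGNORECASE),
}
# Assumed parent process names of the database engine on Linux hosts.
DB_ENGINE_PROCS = {"mysqld", "mariadbd", "postgres"}

# Constructed sample events (not real logs), normalized to one dict per record.
WIN_SQL = [
    {"ts": "2024-05-01T10:00:00", "host": "sql01", "type": "proc_create", "name": "dbo.cleanup",
     "body": "CREATE PROCEDURE dbo.cleanup AS EXEC master..xp_cmdshell 'whoami'"},
    {"ts": "2024-05-01T10:00:05", "host": "sql01", "type": "xp_cmdshell"},
    {"ts": "2024-05-01T10:00:07", "host": "sql01", "type": "xp_cmdshell"},
    {"ts": "2024-05-01T10:00:09", "host": "sql01", "type": "xp_cmdshell"},
    {"ts": "2024-05-01T10:30:00", "host": "sql01", "type": "clr_create", "assembly": "CorpReporting"},
    {"ts": "2024-05-01T10:31:00", "host": "sql01", "type": "clr_create", "assembly": "tmp_asm1"},
]
WIN_SYSMON = [
    {"ts": "2024-05-01T10:00:06", "host": "sql01", "EventCode": 1,
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"ts": "2024-05-01T10:00:10", "host": "sql01", "EventCode": 1,
     "ParentImage": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]
LNX_SQL = [
    {"ts": "2024-05-01T12:00:00", "host": "db01", "type": "proc_create", "name": "run_maint",
     "body": "CREATE PROCEDURE run_maint() BEGIN SELECT system('id'); END"},
    {"ts": "2024-05-01T13:00:00", "host": "db01", "type": "proc_create", "name": "daily_report",
     "body": "CREATE PROCEDURE daily_report() BEGIN SELECT COUNT(*) FROM orders; END"},
]
LNX_AUDITD = [
    {"ts": "2024-05-01T12:00:02", "host": "db01", "syscall": "execve",
     "parent_comm": "mysqld", "cmdline": "/bin/sh -c id"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(trigger, candidates, window):
    """Candidates on the same host that occur within `window` after the trigger."""
    return [c for c in candidates
            if c["host"] == trigger["host"]
            and timedelta(0) <= _ts(c) - _ts(trigger) <= window]


def flag_shell_procedures(sql_events, child_procs, tuning):
    """Procedure creation/modification whose body matches CommandRegex, correlated
    with OS process creation spawned by the database engine inside TimeWindow."""
    alerts = []
    for ev in sql_events:
        if ev["type"] in ("proc_create", "proc_modify") and tuning["CommandRegex"].search(ev["body"]):
            hits = correlate(ev, child_procs, tuning["TimeWindow"])
            alerts.append({
                "rule": "proc_shell_executed" if hits else "proc_shell_defined",
                "host": ev["host"], "procedure": ev["name"],
                "evidence": [h["cmdline"] for h in hits],
            })
    return alerts


def detect_windows(sql_events, sysmon_events, tuning=TUNING):
    """Analytic 1: SQL Server audit events + Sysmon EventCode=1 + CLR assembly events."""
    children = [e for e in sysmon_events
                if e.get("EventCode") == 1
                and e.get("ParentImage", "").lower().endswith("sqlservr.exe")]
    alerts = flag_shell_procedures(sql_events, children, tuning)
    xp_counts = {}
    for ev in sql_events:
        if ev["type"] == "xp_cmdshell":
            xp_counts[ev["host"]] = xp_counts.get(ev["host"], 0) + 1
        elif ev["type"] in ("clr_create", "clr_modify", "clr_load") \
                and ev["assembly"].lower() not in tuning["CLRAssemblyNameWhitelist"]:
            alerts.append({"rule": "clr_assembly_unlisted", "host": ev["host"],
                           "evidence": [ev["assembly"]]})
    # The batch is assumed to cover one evaluation period; compare counts to the threshold.
    for host, n in xp_counts.items():
        if n > tuning["xp_cmdshell_invocation_threshold"]:
            alerts.append({"rule": "xp_cmdshell_threshold", "host": host, "evidence": [n]})
    return alerts


def detect_linux(sql_events, auditd_events, tuning=TUNING):
    """Analytic 2: SQL application log + auditd SYSCALL execve records."""
    children = [e for e in auditd_events
                if e.get("syscall") == "execve" and e.get("parent_comm") in DB_ENGINE_PROCS]
    return flag_shell_procedures(sql_events, children, tuning)


if __name__ == "__main__":
    for alert in detect_windows(WIN_SQL, WIN_SYSMON) + detect_linux(LNX_SQL, LNX_AUDITD):
        print(alert)
```

On the constructed input the Windows analytic yields three alerts (the procedure body matching xp_cmdshell correlated with a cmd.exe child of sqlservr.exe, the unlisted CLR assembly, and the xp_cmdshell count exceeding the threshold) and the Linux analytic one (the `system(` procedure correlated with the execve record); the whitelisted assembly and the benign report procedure produce nothing. A procedure that matches the regex but has no correlated process within `TimeWindow` is still reported as `proc_shell_defined`, so creation-only activity is not lost when the execution side is delayed or logged elsewhere.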