Suspicious Child Process Of SQL Server

Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.

Sigma rule

title: Suspicious Child Process Of SQL Server
id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
related:
    - id: 344482e4-a477-436c-aa70-7536d18a48c7
      type: obsoletes
status: test
description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
references:
    - Internal Research
author: FPT.EagleEye Team, wagga
date: 2020/12/11
modified: 2023/05/04
tags:
    - attack.t1505.003
    - attack.t1190
    - attack.initial_access
    - attack.persistence
    - attack.privilege_escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sqlservr.exe'
        Image|endswith:
            # You can add other uncommon or suspicious processes
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\netstat.exe'
            - '\nltest.exe'
            - '\ping.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\sh.exe'
            - '\systeminfo.exe'
            - '\tasklist.exe'
            - '\wsl.exe'
    filter_optional_datev:
        ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
        ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
        Image: 'C:\Windows\System32\cmd.exe'
        CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
    condition: selection and not 1 of filter_optional_*
level: high
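To make the rule's logic concrete, the following is an added example (not part of the Sigma project or this rule's authors) that evaluates the rule by hand over a handful of constructed process_creation events. It reproduces the Sigma semantics that matter here: `endswith`, `startswith` and plain equality are case-insensitive by default, the `Image|endswith` list is an OR, the fields inside `filter_optional_datev` are ANDed, and the filter only suppresses an event when every one of its conditions holds. Field names follow the Windows process_creation schema (`ParentImage`, `Image`, `CommandLine`); the event values and ids are made up for illustration.

```python
# Added example: a minimal evaluator for the Sigma rule above, run over
# constructed process_creation events. Not code from the Sigma project.
from typing import Dict, List

# Image|endswith list copied from the rule's `selection` block.
SUSPICIOUS_CHILDREN = (
    r'\bash.exe', r'\bitsadmin.exe', r'\cmd.exe', r'\netstat.exe',
    r'\nltest.exe', r'\ping.exe', r'\powershell.exe', r'\pwsh.exe',
    r'\regsvr32.exe', r'\rundll32.exe', r'\sh.exe', r'\systeminfo.exe',
    r'\tasklist.exe', r'\wsl.exe',
)

# Sigma string matching is case-insensitive by default, so every
# comparison lower-cases both sides before comparing.
def _endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())

def _startswith(value: str, prefix: str) -> bool:
    return value.lower().startswith(prefix.lower())

def _equals(value: str, other: str) -> bool:
    return value.lower() == other.lower()

def selection(event: Dict[str, str]) -> bool:
    """`selection`: sqlservr.exe parent AND a child from the list (OR over the list)."""
    parent = event.get('ParentImage', '')
    image = event.get('Image', '')
    return _endswith(parent, r'\sqlservr.exe') and any(
        _endswith(image, child) for child in SUSPICIOUS_CHILDREN
    )

def filter_optional_datev(event: Dict[str, str]) -> bool:
    """`filter_optional_datev`: all four field conditions must hold (AND)."""
    parent = event.get('ParentImage', '')
    return (
        _startswith(parent, 'C:\\Program Files\\Microsoft SQL Server\\')
        and _endswith(parent, r'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe')
        and _equals(event.get('Image', ''), r'C:\Windows\System32\cmd.exe')
        and _startswith(event.get('CommandLine', ''), r'"C:\Windows\system32\cmd.exe" ')
    )

def matches(event: Dict[str, str]) -> bool:
    """`condition: selection and not 1 of filter_optional_*`.

    The rule currently has a single filter; with more filter_optional_*
    blocks, `1 of` would OR them together.
    """
    return selection(event) and not filter_optional_datev(event)

def run(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of all events the rule would alert on."""
    return [e['id'] for e in events if matches(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # default instance spawning cmd.exe: alerts
        'id': 'evt-1',
        'ParentImage': r'C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe',
        'Image': r'C:\Windows\System32\cmd.exe',
        'CommandLine': r'"C:\Windows\system32\cmd.exe" /c dir',
    },
    {   # DATEV instance, every filter field matches: suppressed
        'id': 'evt-2',
        'ParentImage': r'C:\Program Files\Microsoft SQL Server\MSSQL15.DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe',
        'Image': r'C:\Windows\System32\cmd.exe',
        'CommandLine': r'"C:\Windows\system32\cmd.exe" /c dir',
    },
    {   # child not on the list: no alert
        'id': 'evt-3',
        'ParentImage': r'C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe',
        'Image': r'C:\Windows\System32\notepad.exe',
        'CommandLine': 'notepad.exe',
    },
    {   # listed child but wrong parent: no alert
        'id': 'evt-4',
        'ParentImage': r'C:\Windows\explorer.exe',
        'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
        'CommandLine': 'powershell.exe',
    },
    {   # upper-case paths still match (case-insensitive): alerts
        'id': 'evt-5',
        'ParentImage': r'C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL15.MSSQLSERVER\MSSQL\BINN\SQLSERVR.EXE',
        'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
        'CommandLine': 'powershell.exe -Command Get-Date',
    },
    {   # DATEV parent but CommandLine lacks the quoted prefix: filter fails, alerts
        'id': 'evt-6',
        'ParentImage': r'C:\Program Files\Microsoft SQL Server\MSSQL15.DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe',
        'Image': r'C:\Windows\System32\cmd.exe',
        'CommandLine': 'cmd.exe /c dir',
    },
]

if __name__ == '__main__':
    print(run(SAMPLE_EVENTS))
```

Events evt-2 and evt-6 together show the practical point of the filter: it is deliberately narrow (specific instance path, exact cmd.exe image and the quoted command-line prefix), so a cmd.exe spawned from the same DATEV instance with a different command line is still reported rather than silently excluded.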
