Suspicious Commands by SQL Server
Detects suspicious commands created from sqlservr process.
Sigma rule (View on GitHub)
1title: Suspicious Commands by SQL Server
2id: 9a73f4cc-a727-4b26-a9d8-81d2724b7f5e
3description: Detects suspicious commands created from sqlservr process.
4status: experimental
5author: 'TheDFIRReport'
6references:
7 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver
8date: 2022-07-11
9modified: 2022-12-16
10tags:
11 - attack.initial-access
12 - attack.persistence
13 - attack.privilege-escalation
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 ParentImage|endswith: '\sqlservr.exe'
20 Image|endswith: '\cmd.exe'
21 CommandLine|contains:
22 - 'del'
23 - 'cacls'
24 - 'attrib +s +h'
25 - 'takeown'
26 - 'taskkill'
27 - 'net'
28 - 'reg add'
29 - 'echo'
30 - 'cscript'
31 - 'whoami'
32 - 'netsh'
33 condition: selection
34level: high
References
-
In March 2022, we observed an intrusion on a public-facing Microsoft SQL Server. The end goal of this intrusion was to deploy a coin miner. Although deploying a coin miner on a vulnerable server af…
Read More
Related rules
- Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
- AWS Key Pair Import Activity
- Suspicious Processes Spawned by Java.EXE
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address