Server Software Component: SQL Stored Procedures

Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL stored procedures are code that can be saved and reused so that database users do not have to rewrite frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name, or via defined events (e.g., when a SQL server application is started or restarted).

Adversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.[1][2] To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.[1][2][3]

Microsoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures in any .NET Framework language (e.g., VB .NET or C#).[4] Adversaries may craft or modify CLR assemblies that are linked to stored procedures, since these CLR assemblies can be made to execute arbitrary commands.[5]

ID: T1505.001
Sub-technique of: T1505
Tactic: Persistence
Platforms: Linux, Windows
Permissions Required: Administrator, SYSTEM, root
Contributors: Carlos Borges, @huntingneo, CIP; Kaspersky; Lucas da Silva Pereira, @vulcanunsec, CIP
Version: 1.0
Created: 12 December 2019
Last Modified: 25 March 2020

Procedure Examples

ID    | Name          | Description
G0034 | Sandworm Team | Sandworm Team has used various MS-SQL stored procedures.[6]
S0603 | Stuxnet       | Stuxnet used xp_cmdshell to store and execute SQL code.[7]

Mitigations

ID    | Mitigation                    | Description
M1047 | Audit                         | Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.
M1045 | Code Signing                  | Ensure all application component binaries are signed by the correct application developers.
M1026 | Privileged Account Management | Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Detection

ID     | Data Source     | Data Component
DS0015 | Application Log | Application Log Content

On a MSSQL Server, consider monitoring for xp_cmdshell usage.[1] Consider enabling audit features that can log malicious startup activities.
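The following T-SQL is an added example, not part of the ATT&CK page or any referenced report. It puts the Audit mitigation and the detection guidance above into concrete queries against standard SQL Server catalog views: which server options widen what a procedure can reach (xp_cmdshell, CLR), which procedures are flagged to run at instance startup, which user CLR assemblies exist and at what permission set, and which T-SQL procedures embed xp_cmdshell. It closes with an Extended Events session that records ad hoc xp_cmdshell statements. The session name and output file name are assumptions chosen for the example; run the startup-procedure query in the master database, since that is the only place startup procedures can live.

```sql
-- Added hunting queries (example code, not from the ATT&CK page).
-- All object names below are built-in SQL Server catalog views and functions.

-- 1. Server options that widen what a stored procedure can reach.
--    value_in_use = 1 means enabled; each of these defaults to 0 on install.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled', 'clr strict security',
               'Ole Automation Procedures');

-- 2. Procedures marked to run automatically when the instance starts
--    (set with sp_procoption ... 'startup', 'on'). Run this in master.
--    Expect an empty result or an exact match to a documented baseline.
SELECT s.name AS schema_name, p.name AS procedure_name,
       p.create_date, p.modify_date
FROM sys.procedures AS p
JOIN sys.schemas    AS s ON s.schema_id = p.schema_id
WHERE OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1;

-- 3. User-defined CLR assemblies and the procedures bound to them.
--    permission_set_desc = UNSAFE_ACCESS allows native code and OS access;
--    compare create_date/modify_date against known deployments.
SELECT a.name AS assembly_name, a.permission_set_desc,
       a.create_date, a.modify_date,
       OBJECT_SCHEMA_NAME(am.object_id) AS schema_name,
       OBJECT_NAME(am.object_id)        AS module_name
FROM sys.assemblies AS a
LEFT JOIN sys.assembly_modules AS am ON am.assembly_id = a.assembly_id
WHERE a.is_user_defined = 1
ORDER BY a.permission_set_desc DESC, a.name;

-- 4. T-SQL procedures whose definition calls xp_cmdshell or OLE automation.
--    Catches wrappers whose outer EXEC call would not mention xp_cmdshell.
SELECT s.name AS schema_name, p.name AS procedure_name, p.modify_date
FROM sys.procedures  AS p
JOIN sys.schemas     AS s ON s.schema_id = p.schema_id
JOIN sys.sql_modules AS m ON m.object_id = p.object_id
WHERE m.definition LIKE '%xp_cmdshell%'
   OR m.definition LIKE '%sp_OACreate%';

-- 5. Ongoing detection: an Extended Events session that writes every completed
--    statement containing xp_cmdshell, with the caller's login and host, to an
--    event file. Session and file names are assumptions for this example.
CREATE EVENT SESSION [xp_cmdshell_watch] ON SERVER
ADD EVENT sqlserver.sql_statement_completed(
    ACTION (sqlserver.username, sqlserver.client_hostname, sqlserver.sql_text)
    WHERE (sqlserver.like_i_sql_unicode_string(statement, N'%xp_cmdshell%')))
ADD TARGET package0.event_file(SET filename = N'xp_cmdshell_watch.xel')
WITH (STARTUP_STATE = ON);   -- survive instance restarts

ALTER EVENT SESSION [xp_cmdshell_watch] ON SERVER STATE = START;
```

Query 5 only matches statements that name xp_cmdshell directly, so a stored procedure that wraps the call is invisible to it at execution time; query 4 covers that gap by inspecting procedure definitions, and queries 2 and 3 cover startup and CLR persistence that never has to mention xp_cmdshell at all. Persisting the baseline results and diffing them on a schedule is what turns these from one-off checks into the "regularly check component software" mitigation.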

References