DET0181 Detection Strategy for SQL Stored Procedures Abuse via T1505.001
| Item | Value |
| --- | --- |
| ID | DET0181 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1505.001 (SQL Stored Procedures)
Analytics
Windows
AN0511
Creation or modification of stored procedures invoking xp_cmdshell or CLR assemblies for command execution and persistence.
Log Sources
| Data Component | Name | Channel |
| --- | --- | --- |
| Script Execution (DC0029) | WinEventLog:Application | Stored procedure creation, modification, or xp_cmdshell invocation via SQL logs or SQL Server auditing |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Application | CLR assembly creation, loading, or modification logs via MSSQL CLR integration |
Mutable Elements
| Field | Description |
| --- | --- |
| xp_cmdshell_invocation_threshold | Adjust if legitimate procedures use xp_cmdshell often in the environment |
| CLRAssemblyNameWhitelist | Organization-defined whitelist of legitimate CLR assemblies |
| TimeWindow | Tune the time window used to correlate stored procedure creation with process execution |
Linux
AN0512
SQL stored procedures that invoke OS-level commands via an xp_cmdshell equivalent or via user-defined function (UDF) mechanisms.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| CommandRegex | Regex used to detect suspicious OS commands issued via SQL |
| TimeWindow | Window for correlating procedure creation and command execution |
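The detection logic described by AN0511 and AN0512, as an added example that is not part of the ATT&CK page: Python that scans constructed SQL audit records for stored procedure or UDF definitions containing an OS-command bridge (xp_cmdshell, plus sys_exec/sys_eval as an assumed Linux UDF equivalent matched by CommandRegex), compares CREATE ASSEMBLY names against CLRAssemblyNameWhitelist, and correlates each flagged change with constructed Sysmon EventCode=1 records whose parent is sqlservr.exe, within TimeWindow. The event field names, the whitelist contents, the threshold and window values, the regexes and all sample records are assumptions made for the example.

```python
"""Detection logic for the AN0511 / AN0512 analytics.

Added example, not part of the ATT&CK page. Every record below is
constructed to resemble a SQL Server audit record, a Sysmon EventCode=1
record or a Linux database audit line; field names are assumptions.
"""
import re
from datetime import datetime, timedelta

# Mutable elements from the page, with assumed starting values.
XP_CMDSHELL_INVOCATION_THRESHOLD = 1                 # alert once this many flagged routine changes are seen
CLR_ASSEMBLY_NAME_WHITELIST = {"ReportingHelpers"}   # organization-defined; constructed name
TIME_WINDOW = timedelta(minutes=10)                  # routine change -> process creation correlation window
# CommandRegex (AN0512): OS-command bridges that should not appear inside routine definitions (assumed list)
COMMAND_REGEX = re.compile(r"\b(xp_cmdshell|sys_exec|sys_eval)\b", re.IGNORECASE)

PROC_CHANGE_RE = re.compile(r"\b(CREATE|ALTER)\s+(PROC|PROCEDURE|FUNCTION)\b", re.IGNORECASE)
CLR_ASSEMBLY_RE = re.compile(r"\bCREATE\s+ASSEMBLY\s+\[?(\w+)\]?", re.IGNORECASE)

# Constructed SQL audit records (Windows SQL Server and a Linux database host).
SQL_EVENTS = [
    {"time": "2025-10-21T10:00:00", "host": "sql01", "login": "svc_reports",
     "statement": "CREATE PROCEDURE dbo.usp_monthly_report AS SELECT 1"},
    {"time": "2025-10-21T10:05:00", "host": "sql01", "login": "sa",
     "statement": "CREATE PROCEDURE dbo.usp_sync AS EXEC master..xp_cmdshell 'whoami'"},
    {"time": "2025-10-21T10:07:00", "host": "sql01", "login": "sa",
     "statement": "CREATE ASSEMBLY [ShellLoader] FROM 0x4D5A0000 WITH PERMISSION_SET = UNSAFE"},
    {"time": "2025-10-21T10:08:00", "host": "sql01", "login": "svc_reports",
     "statement": "CREATE ASSEMBLY ReportingHelpers FROM 'C:\\clr\\ReportingHelpers.dll'"},
    {"time": "2025-10-21T12:00:00", "host": "db-lin-02", "login": "appuser",
     "statement": "CREATE FUNCTION run_cleanup() RETURNS INT BEGIN RETURN sys_exec('id'); END"},
]

# Constructed Sysmon EventCode=1 records from sql01.
SYSMON_EVENTS = [
    {"EventCode": 1, "UtcTime": "2025-10-21T10:05:30", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventCode": 1, "UtcTime": "2025-10-21T10:06:00", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},   # wrong parent
    {"EventCode": 1, "UtcTime": "2025-10-21T11:30:00", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe",
     "CommandLine": "cmd.exe /c hostname"},                                       # outside TimeWindow
]


def suspicious_routine_changes(sql_events):
    """Procedure/function definitions whose body contains an OS-command bridge."""
    return [ev for ev in sql_events
            if PROC_CHANGE_RE.search(ev["statement"]) and COMMAND_REGEX.search(ev["statement"])]


def unapproved_clr_assemblies(sql_events):
    """Names from CREATE ASSEMBLY statements that are not on CLRAssemblyNameWhitelist."""
    names = []
    for ev in sql_events:
        m = CLR_ASSEMBLY_RE.search(ev["statement"])
        if m and m.group(1) not in CLR_ASSEMBLY_NAME_WHITELIST:
            names.append(m.group(1))
    return names


def correlate_process_creation(routine_changes, sysmon_events, window=TIME_WINDOW):
    """Pair each flagged routine change with processes spawned by sqlservr.exe inside the window."""
    alerts = []
    for change in routine_changes:
        t0 = datetime.fromisoformat(change["time"])
        for pe in sysmon_events:
            if pe["EventCode"] != 1 or not pe["ParentImage"].lower().endswith("sqlservr.exe"):
                continue
            delta = datetime.fromisoformat(pe["UtcTime"]) - t0
            if timedelta(0) <= delta <= window:
                alerts.append({"routine_change_time": change["time"], "login": change["login"],
                               "child_image": pe["Image"], "child_command_line": pe["CommandLine"],
                               "seconds_after_change": delta.total_seconds()})
    return alerts


def evaluate(sql_events, sysmon_events):
    """Run all three checks and return the findings as one dictionary."""
    changes = suspicious_routine_changes(sql_events)
    return {
        "routine_changes": changes,
        "threshold_exceeded": len(changes) >= XP_CMDSHELL_INVOCATION_THRESHOLD,
        "correlated_process_alerts": correlate_process_creation(changes, sysmon_events),
        "unapproved_clr_assemblies": unapproved_clr_assemblies(sql_events),
    }


if __name__ == "__main__":
    for key, value in evaluate(SQL_EVENTS, SYSMON_EVENTS).items():
        print(key, "=>", value)
```

On the constructed data this flags two routine changes (the xp_cmdshell procedure on sql01 and the sys_exec function on db-lin-02), correlates only the cmd.exe spawned 30 seconds after the procedure change (the explorer.exe child has the wrong parent and the 11:30 child falls outside TimeWindow), and reports ShellLoader as the only assembly outside the whitelist. Raising XP_CMDSHELL_INVOCATION_THRESHOLD or widening TIME_WINDOW are the page's intended tuning knobs for environments where xp_cmdshell is used legitimately.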