Technique on mitre.org

T1505.001: SQL Stored Procedures

Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).

Adversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers. To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.

Microsoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.). Adversaries may craft or modify CLR assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mysql_database: PT-CR-617: MySQL_Code_Execution: Running a process under a database account may indicate an attempt of an attacker who gained the ability to execute queries to the database to escalate privileges postgresql_database: PT-CR-2336: PostgreSQL_SecDef_Function_PrivEsc: Creating and searching Security Definers as a potential privilege escalation element

Detection

ID	DS0015	Data source and component	Application Log: Application Log Content	Description	Monitor for third-party application logging, messaging, and/or other artifacts that may abuse SQL stored procedures to establish persistent access to systems. On a MSSQL Server, consider monitoring for xp_cmdshell usage. Consider enabling audit features that can log malicious startup activities.

ID	Data source and component	Description
DS0015	Application Log: Application Log Content	Monitor for third-party application logging, messaging, and/or other artifacts that may abuse SQL stored procedures to establish persistent access to systems. On a MSSQL Server, consider monitoring for xp_cmdshell usage. Consider enabling audit features that can log malicious startup activities.

Mitigation

ID	M1047	Name	Audit	Description	Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.

ID	M1045	Name	Code Signing	Description	Ensure all application component binaries are signed by the correct application developers.

ID	M1026	Name	Privileged Account Management	Description	Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

ID	Name	Description
M1047	Audit	Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.
M1045	Code Signing	Ensure all application component binaries are signed by the correct application developers.
M1026	Privileged Account Management	Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.