Windows SQL Server Critical Procedures Enabled

Author
Michael Haag, Splunk, sidoyle from Splunk Community
Source
upstream

This detection identifies changes to critical SQL Server configuration options: "Ad Hoc Distributed Queries", "external scripts enabled", "Ole Automation Procedures", "clr enabled", and "clr strict security". It keys on Windows Application-log event 15457 from the MSSQLSERVER provider ("Configuration option '...' changed from ... to ..."), which SQL Server writes whenever sp_configure changes a server option, and extracts the option name, old value and new value from the event data. Each of these features is abusable: Ad Hoc Distributed Queries lets OPENROWSET and OPENDATASOURCE reach arbitrary OLE DB providers, including the ADSI provider used for Active Directory reconnaissance; Ole Automation Procedures (sp_OACreate and related procedures) and external scripts (sp_execute_external_script) allow execution of arbitrary code; and CLR integration lets a user load custom assemblies, with "clr strict security" being the hardening option that, when on, requires every assembly to be signed or explicitly trusted. Enabling the first four, or disabling "clr strict security", could indicate an attempt to gain code execution or perform reconnaissance through SQL Server. Because sp_configure changes are also routine administrative activity, the direction of the change (change_type) and the host should be checked against change records before escalating.

MITRE ATT&CK coverage

Tactic | Techniques
Persistence | T1505.001 Server Software Component: SQL Stored Procedures

Event coverage

Provider | Event ID | Title
MSSQLSERVER | 15457 |

Stages and Predicates

Stage 1: search

search EventCode=15457

Stage 2: rex

rex field=EventData_Xml ...

Stage 3: where

where config_name IN ("Ad Hoc Distributed Queries", "Ole Automation Procedures", "clr enabled", "clr strict security", "external scripts enabled")

Stage 4: rename

rename

Stage 5: eval

eval ... using (new_value, old_value)

Stage 6: eval

eval ... using (change_type)

Stage 7: eval

eval ... using (change_type, config_name, dest)

Stage 8: stats

stats BY dest, EventCode, config_name, change_type, risk_message, risk_score

Stage 9: search

search

Stage 10: search

search

Stage 11: search

search `macro`
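The stages above parse event 15457, keep only the five watched options, derive a change_type from the old and new values, and aggregate by host and option. The following Python re-implements that pipeline over constructed sample events so the logic can be exercised offline; it is an added example, not the Splunk rule's own SPL or code from Splunk. It assumes the <Data> elements of the event carry the 15457 message's insertion strings in the order option name, old value, new value, and the field names `host`, `EventCode` and `EventData_Xml` follow the Windows add-on's conventions. It goes slightly beyond the rule by flagging which direction of change actually weakens the server, since for "clr strict security" that direction is disabling rather than enabling.

```python
import re
from collections import Counter

# The five sp_configure options the Splunk rule watches (from the `where` stage).
CRITICAL_OPTIONS = {
    "Ad Hoc Distributed Queries",
    "Ole Automation Procedures",
    "clr enabled",
    "clr strict security",
    "external scripts enabled",
}

# Options where *disabling* weakens the server; for the others, enabling does.
HARDENING_OPTIONS = {"clr strict security"}

# Assumption: the <Data> elements of a 15457 event carry the message's
# insertion strings in order: option name, old value, new value.
DATA_RE = re.compile(r"<Data>([^<]*)</Data>")


def classify_change(old_value, new_value):
    """Stand-in for the rule's change_type eval over (new_value, old_value)."""
    if old_value == "0" and new_value != "0":
        return "enabled"
    if old_value != "0" and new_value == "0":
        return "disabled"
    return "modified"


def parse_event(event):
    """Return a finding for one 15457 event on a watched option, else None."""
    if event.get("EventCode") != 15457:
        return None
    values = DATA_RE.findall(event.get("EventData_Xml", ""))
    if len(values) < 3:
        return None  # unexpected payload shape: do not guess at fields
    config_name, old_value, new_value = values[0], values[1], values[2]
    if config_name not in CRITICAL_OPTIONS:
        return None
    change_type = classify_change(old_value, new_value)
    dest = event.get("host", "unknown")
    if config_name in HARDENING_OPTIONS:
        weakens = change_type == "disabled"
    else:
        weakens = change_type != "disabled"
    return {
        "dest": dest,
        "config_name": config_name,
        "old_value": old_value,
        "new_value": new_value,
        "change_type": change_type,
        "weakens_security": weakens,  # added assessment, not part of the rule
        "risk_message": (f"SQL Server option '{config_name}' {change_type} on "
                         f"{dest} (was {old_value}, now {new_value})"),
    }


def run_detection(events):
    """Apply parse_event to each event; return findings and a
    stats-style count keyed by (dest, config_name, change_type)."""
    findings = [f for f in map(parse_event, events) if f]
    counts = Counter((f["dest"], f["config_name"], f["change_type"])
                     for f in findings)
    return findings, counts


# Constructed sample events in the shape the Windows add-on gives event 15457.
SAMPLE_EVENTS = [
    {"EventCode": 15457, "host": "sql01",
     "EventData_Xml": "<Data>show advanced options</Data><Data>0</Data><Data>1</Data>"},
    {"EventCode": 15457, "host": "sql01",
     "EventData_Xml": "<Data>Ole Automation Procedures</Data><Data>0</Data><Data>1</Data>"},
    {"EventCode": 15457, "host": "sql02",
     "EventData_Xml": "<Data>clr enabled</Data><Data>0</Data><Data>1</Data>"},
    {"EventCode": 15457, "host": "sql02",
     "EventData_Xml": "<Data>clr strict security</Data><Data>1</Data><Data>0</Data>"},
    {"EventCode": 15457, "host": "sql02",
     "EventData_Xml": "<Data>external scripts enabled</Data><Data>1</Data><Data>0</Data>"},
    {"EventCode": 17137, "host": "sql02",  # unrelated event, constructed
     "EventData_Xml": "<Data>tempdb</Data>"},
]

if __name__ == "__main__":
    found, per_key = run_detection(SAMPLE_EVENTS)
    for finding in found:
        print(finding["risk_message"], "| weakens:", finding["weakens_security"])
    print(dict(per_key))
```

Running it drops the "show advanced options" change (not a watched option) and the unrelated event, reports the two enables and two disables, and marks the "clr strict security" disable as a weakening while the "external scripts enabled" disable is not.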

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
EventCode | eq |
  • 15457 (corpus 3: splunk 3)
config_name | in |
  • "Ad Hoc Distributed Queries"
  • "Ole Automation Procedures"
  • "clr enabled"
  • "clr strict security"
  • "external scripts enabled"