Product
Windows SQL Server xp_cmdshell Configuration Change Detected
2 rules 1 TTPDetection of changes to the xp_cmdshell configuration in SQL Server, a feature often abused by attackers for privilege escalation and lateral movement by enabling execution of operating system commands.
SQL Server Critical Procedures Enabled Leading to Potential Code Execution or Reconnaissance
2 rules 2 TTPsModification of critical SQL Server configuration options, such as 'Ad Hoc Distributed Queries', 'external scripts enabled', 'Ole Automation Procedures', 'clr enabled', and 'clr strict security', can enable attackers to perform Active Directory reconnaissance and execute arbitrary code, potentially leading to code execution or reconnaissance activities.
CVE-2026-40370: SQL Server External Control of File Name or Path Vulnerability
2 rules 1 TTP 1 CVECVE-2026-40370 allows an authorized attacker with control over file names or paths to execute code over a network in Microsoft SQL Server.
MSSQL xp_cmdshell Stored Procedure Abuse for Persistence
2 rules 2 TTPsAttackers may leverage the xp_cmdshell stored procedure in Microsoft SQL Server to execute arbitrary commands for privilege escalation and persistence, often bypassing default security configurations.
LSASS Memory Dump Creation Detection
2 rules 1 TTPThis rule identifies the creation of LSASS memory dump files, often indicative of credential access attempts using tools like Task Manager, SQLDumper, Dumpert, or AndrewSpecial, by monitoring for specific filenames and excluding legitimate dump locations.