{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/sql-server/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["SQL Server"],"_cs_severities":["medium"],"_cs_tags":["persistence","sql-server","xp_cmdshell","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe xp_cmdshell extended stored procedure in Microsoft SQL Server allows execution of operating system commands from within the SQL Server environment. Although disabled by default, its use can provide a direct pathway for attackers to run arbitrary commands on the underlying system with the privileges of the SQL Server service account. This account often has elevated privileges, allowing attackers to escalate their access and establish persistence mechanisms. This activity has been observed in intrusions where attackers seek to maintain control over compromised systems. Defenders should closely monitor for the enabling and use of xp_cmdshell, especially when combined with other suspicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a vulnerable SQL Server instance, possibly through SQL injection or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enable the xp_cmdshell stored procedure using \u003ccode\u003esp_configure 'xp_cmdshell', 1; RECONFIGURE;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses xp_cmdshell to execute reconnaissance commands, such as \u003ccode\u003exp_cmdshell 'whoami'\u003c/code\u003e or \u003ccode\u003exp_cmdshell 'net user'\u003c/code\u003e to gather information about the system and user context.\u003c/li\u003e\n\u003cli\u003eThe attacker uses xp_cmdshell to download and execute a malicious payload (e.g., using \u003ccode\u003ecertutil.exe\u003c/code\u003e to download a file).\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating a scheduled task via xp_cmdshell executing the \u003ccode\u003eschtasks\u003c/code\u003e command. For example: \u003ccode\u003exp_cmdshell 'schtasks /create /tn \u0026quot;Malicious Task\u0026quot; /tr \u0026quot;C:\\\\Windows\\\\Temp\\\\evil.exe\u0026quot; /sc ONLOGON /ru SYSTEM'\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe scheduled task executes upon system logon, providing persistent access for the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the persistent access to deploy additional tools or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation enables attackers to execute arbitrary commands with elevated privileges on the SQL Server host. This can lead to data theft, system compromise, and the establishment of persistent backdoors. Lateral movement within the network is also possible, leveraging the compromised SQL Server as a pivot point. While specific victim counts and sectors are not provided, any organization using MSSQL Server is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious xp_cmdshell Usage\u0026rdquo; to your SIEM to detect attempts to use xp_cmdshell for command execution.\u003c/li\u003e\n\u003cli\u003eDisable the xp_cmdshell stored procedure unless absolutely necessary. If required, implement strict monitoring and auditing of its usage (reference: rule description).\u003c/li\u003e\n\u003cli\u003eMonitor for process creation events with a parent process of \u003ccode\u003esqlservr.exe\u003c/code\u003e, specifically looking for command-line arguments indicative of exploitation (reference: Sigma rule).\u003c/li\u003e\n\u003cli\u003eEnsure SQL servers are not directly exposed to the internet and implement strict access controls, using allowlists to restrict connections to legitimate sources (reference: the \u0026ldquo;Response and remediation\u0026rdquo; section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-mssql-xp-cmdshell-persistence/","summary":"Attackers may leverage the xp_cmdshell stored procedure in Microsoft SQL Server to execute arbitrary commands for privilege escalation and persistence, often bypassing default security configurations.","title":"MSSQL xp_cmdshell Stored Procedure Abuse for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-mssql-xp-cmdshell-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","SQL Server","SQL Server Reporting Services"],"_cs_severities":["medium"],"_cs_tags":["credential_access","lsass","memory_dump","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the creation of LSASS memory dump files on Windows systems, which is a common technique used by attackers to extract credentials. The rule focuses on specific filenames associated with LSASS dumps and tools used for creating these dumps, such as \u003ccode\u003elsass*.dmp\u003c/code\u003e, \u003ccode\u003edumpert.dmp\u003c/code\u003e, \u003ccode\u003eAndrew.dmp\u003c/code\u003e, \u003ccode\u003eSQLDmpr*.mdmp\u003c/code\u003e, and \u003ccode\u003eCoredump.dmp\u003c/code\u003e. The rule excludes known legitimate crash analysis paths and SQLDumper dump locations to reduce false positives. The rule aims to detect credential access attempts through trusted utilities such as Task Manager or SQLDumper, or known tooling such as Dumpert and AndrewSpecial. It is designed to work with data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a tool or utility to create a memory dump of the LSASS process. This can be done using built-in tools like Task Manager or SQLDumper, or third-party tools like Dumpert or AndrewSpecial.\u003c/li\u003e\n\u003cli\u003eThe tool writes the LSASS memory dump to a file with a name matching a known pattern, such as \u003ccode\u003elsass.dmp\u003c/code\u003e, \u003ccode\u003edumpert.dmp\u003c/code\u003e, or \u003ccode\u003eSQLDmpr0001.mdmp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe file is created in a location that is not a known legitimate crash dump location (e.g., not in \u003ccode\u003e\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker may move, copy, or archive the dump file to avoid detection or to prepare it for exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker uses another tool, such as Mimikatz, to parse the LSASS memory dump and extract credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to move laterally to other systems or to access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective is often to gain domain administrator privileges or to exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and credential extraction can lead to complete domain compromise, unauthorized access to sensitive data, and significant financial or reputational damage. The impact is amplified if the compromised system is a domain controller, jump host, or privileged admin workstation. The rule is designed to detect the initial stage of credential access and prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon FileCreate events (Event ID 11) to capture the creation of LSASS memory dump files.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eLSASS Memory Dump Creation\u003c/code\u003e to your SIEM to detect suspicious LSASS memory dump creation events and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process executable, parent process, file path, and user context.\u003c/li\u003e\n\u003cli\u003eIf a suspicious LSASS memory dump is found, isolate the affected host and begin credential hygiene for implicated accounts and systems.\u003c/li\u003e\n\u003cli\u003eBlock known malicious tools like Dumpert and AndrewSpecial from running on your network.\u003c/li\u003e\n\u003cli\u003eMonitor for related credential-access, staging, privilege, or lateral-movement alerts for the same user or host.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-lsass-dump-creation/","summary":"This rule identifies the creation of LSASS memory dump files, often indicative of credential access attempts using tools like Task Manager, SQLDumper, Dumpert, or AndrewSpecial, by monitoring for specific filenames and excluding legitimate dump locations.","title":"LSASS Memory Dump Creation Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-dump-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — SQL Server","version":"https://jsonfeed.org/version/1.1"}