This note documents detection patterns related to MSSQL Linked Server Abuse within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4624 | Successful logon | Medium | Authentication associated with SQL service account or attacker account. |
| Security | 4688 | Process created | High | Processes spawned due to command execution from SQL server context. |
| Sysmon | 1 | Process creation | High | Child processes launched from sqlservr.exe due to linked server execution. |
| SQL Server Logs | N/A | Linked server query execution | Critical | Execution of distributed queries across linked servers. |
| EDR Telemetry | N/A | Command execution triggered by SQL server | Critical | Indicators of commands executed through SQL linked server abuse. |
| Network Logs | N/A | Connections between SQL servers | High | Network activity between SQL servers used for pivoting. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Distributed queries between SQL servers | EXEC AT or OPENQUERY statements | Critical | Common linked server exploitation pattern. |
| Authentication using SQL service accounts | Service accounts authenticating to remote SQL servers | High | May indicate lateral movement. |
| sqlservr.exe spawning shell processes | cmd.exe or powershell.exe launched via SQL execution | Critical | Often follows xp_cmdshell via linked server. |
| Unexpected network connections between SQL hosts | SQL server communicating with additional SQL instances | High | Potential lateral movement. |
| SQL queries modifying server configuration | Enabling xp_cmdshell remotely | High | Used to escalate access through linked server. |
Common Tools
| Tool | Usage |
|---|---|
| PowerUpSQL | Enumerates and abuses SQL linked servers. |
| Impacket mssqlclient | Executes commands across SQL linked servers. |
| sqlcmd | Runs distributed queries against linked servers. |
| Metasploit MSSQL modules | Automates exploitation of SQL linked servers. |
| Custom SQL scripts | Used for lateral movement across SQL infrastructure. |
Relevant Artifacts
- Windows Security logs (4624, 4688)
- SQL Server query logs and audit logs
- Sysmon logs (1 process creation)
- EDR telemetry detecting suspicious SQL command execution
- Network logs for communication between SQL servers
- Prefetch artifacts for shell commands spawned by SQL processes
- Database audit logs
MITRE ATT&CK References
- T1021 Remote Services
- T1047 Windows Management Instrumentation
- T1505 Server Software Component
Decision Tree
- Is the suspicious event present?
  - Identify distributed SQL queries using linked servers.
- What host generated the event?
  - Determine which SQL server initiated the query.
- Is the account expected to perform this action?
  - Investigate whether the account normally performs SQL administrative tasks.
- Pivot:
  - Source SQL server → inspect executed queries.
  - Destination SQL server → review command execution.
  - Network → analyze SQL communication between hosts.
- Confirm exploitation
  - Determine whether the attacker used linked servers for lateral movement or command execution.
Example Detection Templates
KQL
```kql
DeviceProcessEvents
| where InitiatingProcessFileName == "sqlservr.exe"
| where FileName in ("cmd.exe","powershell.exe")
```
```kql
SecurityEvent
| where EventID == 4688
| where ParentProcessName has "sqlservr"
```
EQL
```eql
process where parent.name == "sqlservr.exe"
```
Sigma
```yaml
title: MSSQL Linked Server Abuse
id: mssql-linked-server-abuse
status: experimental
description: Detects suspicious processes spawned from SQL Server which may indicate linked server abuse
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: sqlservr.exe
    Image|endswith:
      - cmd.exe
      - powershell.exe
  condition: selection
fields:
  - Image
  - ParentImage
  - CommandLine
falsepositives:
  - Legitimate SQL administrative automation
level: high
tags:
  - attack.lateral_movement
```
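As an added example that is not part of the original note, the Python below applies the direct and indirect indicators above to constructed sample telemetry (Sysmon 1 / 4688-style process events and SQL audit statements, all made up here): it flags sqlservr.exe spawning a shell, `EXEC ... AT` and `OPENQUERY` distributed queries, and remote enabling of xp_cmdshell. The event field names and the indicator labels are assumptions for the example.

```python
import re

# Constructed sample telemetry (not from any real incident). Process events carry
# Sysmon/4688-style fields; "sql" events carry an audited T-SQL statement.
SAMPLE_EVENTS = [
    {"type": "process", "host": "SQL01", "ParentImage": r"C:\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"type": "process", "host": "SQL01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"type": "sql", "host": "SQL01",
     "statement": "EXEC ('sp_configure ''xp_cmdshell'', 1; RECONFIGURE') AT [SQL02]"},
    {"type": "sql", "host": "SQL01",
     "statement": "SELECT * FROM OPENQUERY([SQL02], 'select @@servername')"},
    {"type": "sql", "host": "SQL01", "statement": "SELECT name FROM sys.databases"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
# Distributed execution on a linked server: EXEC (...) AT [server]
EXEC_AT = re.compile(r"\bEXEC(?:UTE)?\b.*\bAT\s+\[?[\w.-]+\]?", re.I | re.S)
OPENQUERY = re.compile(r"\bOPENQUERY\s*\(", re.I)
# sp_configure 'xp_cmdshell', 1 (quotes may be doubled inside an EXEC string)
ENABLE_XP = re.compile(r"sp_configure\s+'+xp_cmdshell'+\s*,\s*1", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify_process(ev):
    """Direct indicator: sqlservr.exe spawning a shell (Sysmon 1 / Security 4688)."""
    if basename(ev["ParentImage"]) == "sqlservr.exe" and basename(ev["Image"]) in SHELLS:
        return "sqlservr_spawned_shell"
    return None

def classify_statement(stmt):
    """Indirect indicators from SQL audit logs, in the order they are checked."""
    hits = []
    if EXEC_AT.search(stmt):
        hits.append("exec_at_linked_server")
    if ENABLE_XP.search(stmt):
        hits.append("xp_cmdshell_enabled")
    if OPENQUERY.search(stmt):
        hits.append("openquery_linked_server")
    return hits

def triage(events):
    """Return (host, indicator, evidence) tuples for every matching event."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            tag = classify_process(ev)
            if tag:
                findings.append((ev["host"], tag, ev["CommandLine"]))
        else:
            for tag in classify_statement(ev["statement"]):
                findings.append((ev["host"], tag, ev["statement"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(" | ".join(finding))
```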
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| SQL configuration | Restrict linked server functionality | High | Reduces lateral movement paths. |
| Access control | Limit SQL administrative privileges | High | Prevents unauthorized server access. |
| Monitoring | Alert on sqlservr.exe spawning shells | High | Strong detection signal. |
| Network segmentation | Restrict communication between SQL servers | Medium | Limits lateral movement. |
| Threat hunting | Review distributed queries across servers | Medium | Detects suspicious activity. |