This note documents detection patterns related to MSSQL Privilege Escalation within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process created | Critical | Commands spawned from sqlservr.exe indicating OS-level execution. |
| Security | 4624 | Successful logon | Medium | Authentication associated with SQL service account or attacker account. |
| Security | 4672 | Special privileges assigned | High | Privileges granted to compromised SQL service account. |
| Sysmon | 1 | Process creation | Critical | cmd.exe, powershell.exe, or other binaries spawned by sqlservr.exe. |
| Sysmon | 10 | Process access | High | Access to LSASS or other sensitive processes following escalation. |
| SQL Server Logs | N/A | Role modification | Critical | Changes to SQL roles such as adding user to sysadmin. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| SQL user added to sysadmin role | Role escalation in SQL Server | Critical | Direct sign of privilege escalation. |
| EXECUTE AS statements | Impersonation of higher privileged SQL logins | High | Often used to escalate privileges. |
| SQL configuration changes | Enabling xp_cmdshell or unsafe assemblies | High | Used after privilege escalation. |
| sqlservr.exe spawning system shells | cmd.exe or powershell.exe launched by SQL server | Critical | OS-level execution after escalation. |
| Service account performing administrative actions | SQL service account accessing system resources | High | May indicate compromise. |
Common Tools
| Tool | Usage |
|---|---|
| PowerUpSQL | Enumerates SQL misconfigurations and escalates privileges. |
| Impacket mssqlclient | Allows execution of SQL commands for privilege escalation. |
| Metasploit MSSQL modules | Automates SQL privilege escalation. |
| sqlcmd | Executes SQL queries modifying roles or permissions. |
| Custom SQL scripts | Manipulate SQL roles or impersonation chains. |
Relevant Artifacts
- Windows Security logs (4624, 4688, 4672)
- SQL Server audit logs and query logs
- Sysmon logs (1 process creation, 10 process access)
- EDR telemetry identifying suspicious SQL activity
- Prefetch artifacts for cmd.exe or powershell.exe
- Network logs showing lateral movement from SQL host
- Database role modification logs
MITRE ATT&CK References
- T1068 Exploitation for Privilege Escalation
- T1505 Server Software Component
- T1059 Command and Scripting Interpreter
Decision Tree
- Is the suspicious event present?
  - Identify SQL role modifications or impersonation queries.
- What host generated the event?
  - Determine which SQL server executed the activity.
- Is the account expected to perform this action?
  - Investigate whether a SQL administrator performed the change.
- Pivot:
  - SQL logs → review queries modifying roles or permissions.
  - Process logs → inspect sqlservr.exe child processes.
  - Network logs → analyze connections originating from the SQL server.
- Confirm exploitation:
  - Determine whether the attacker escalated privileges to sysadmin or executed OS commands.
Example Detection Templates
KQL

```kql
// Defender for Endpoint: system shells whose parent is the SQL Server process.
// =~ and in~ are case-insensitive, so the casing of the logged file name does not matter.
DeviceProcessEvents
| where InitiatingProcessFileName =~ "sqlservr.exe"
| where FileName in~ ("cmd.exe", "powershell.exe")
```

```kql
// Sentinel / Log Analytics: Security 4688 process creation with the SQL Server process as parent.
SecurityEvent
| where EventID == 4688
| where ParentProcessName has "sqlservr"
```

EQL

```eql
// Any child of the SQL Server process; add `and process.name in ("cmd.exe", "powershell.exe")`
// to mirror the KQL and Sigma rules.
process where parent.name == "sqlservr.exe"
```
Sigma

```yaml
title: MSSQL Privilege Escalation Activity
id: mssql-privilege-escalation
status: experimental
description: Detects suspicious process execution spawned from the SQL Server process
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    # leading backslash anchors on the file name so e.g. "notsqlservr.exe" does not match
    ParentImage|endswith: '\sqlservr.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection
fields:
  - Image
  - ParentImage
  - CommandLine
falsepositives:
  - Legitimate SQL administrative automation
level: high
tags:
  - attack.privilege_escalation
  - attack.t1068
  - attack.execution
  - attack.t1059
```
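The decision tree and the KQL, EQL and Sigma templates above describe one detection flow: a SQL-side escalation indicator (sysadmin role change, EXECUTE AS, xp_cmdshell enablement), then a shell spawned by sqlservr.exe, rated according to whether the acting account was expected. As an added example that is not part of this note, the Python script below applies that flow to constructed Security 4688, Sysmon 1 and SQL Server audit records and returns one rated finding per host. The host names, account names, file paths, the audit record field names (`server_principal_name`, `statement`) and the `EXPECTED_SQL_ADMINS` allowlist are assumptions made for the example; map them to your own log schema.

```python
"""Correlate SQL Server audit records with Windows process telemetry for the MSSQL
privilege-escalation pattern. All events below are constructed sample data."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SHELLS = {"cmd.exe", "powershell.exe"}
EXPECTED_SQL_ADMINS = {"CORP\\sql-dba"}   # assumed allowlist of accounts expected to change roles


@dataclass
class Event:
    ts: datetime
    host: str
    source: str        # "Security", "Sysmon" or "SQLAudit"
    event_id: str      # Windows/Sysmon event ID, or an audit action label
    fields: dict = field(default_factory=dict)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()   # '' for an empty path


def shell_from_sqlservr(ev):
    """Security 4688 or Sysmon 1 whose child is a system shell and whose parent is sqlservr.exe."""
    if ev.source == "Sysmon" and ev.event_id == "1":
        parent, image = ev.fields.get("ParentImage", ""), ev.fields.get("Image", "")
    elif ev.source == "Security" and ev.event_id == "4688":
        parent, image = ev.fields.get("ParentProcessName", ""), ev.fields.get("NewProcessName", "")
    else:
        return False
    return _basename(parent) == "sqlservr.exe" and _basename(image) in SHELLS


# Statement patterns for the SQL-side indicators listed in the note.
ROLE_ESCALATION = re.compile(r"ALTER\s+SERVER\s+ROLE\s+\[?sysadmin\]?\s+ADD\s+MEMBER|"
                             r"sp_addsrvrolemember\b.*sysadmin", re.IGNORECASE)
IMPERSONATION = re.compile(r"\bEXECUTE\s+AS\s+(LOGIN|USER)\s*=", re.IGNORECASE)
XP_CMDSHELL_ON = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.IGNORECASE)


def sql_indicator(ev):
    """Label a SQL audit record as sysadmin_role_change / execute_as / xp_cmdshell_enabled, else None."""
    if ev.source != "SQLAudit":
        return None
    stmt = ev.fields.get("statement", "")
    if ROLE_ESCALATION.search(stmt):
        return "sysadmin_role_change"
    if IMPERSONATION.search(stmt):
        return "execute_as"
    if XP_CMDSHELL_ON.search(stmt):
        return "xp_cmdshell_enabled"
    return None


def correlate(events, window=timedelta(minutes=30)):
    """Walk the decision tree per host. critical: sqlservr.exe spawned a shell (OS execution
    confirmed), citing SQL indicators seen on that host within `window` beforehand; high: sysadmin
    change by an account outside the allowlist; medium: EXECUTE AS or xp_cmdshell enablement by
    such an account; low: indicator raised by an expected administrator, kept for change review."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    findings = []
    for host, evs in by_host.items():
        sql_hits = [(ev, sql_indicator(ev)) for ev in evs if sql_indicator(ev)]
        shells = [ev for ev in evs if shell_from_sqlservr(ev)]
        for sh in shells:
            image = _basename(sh.fields.get("Image") or sh.fields.get("NewProcessName", ""))
            prior = [lab for ev, lab in sql_hits if timedelta(0) <= sh.ts - ev.ts <= window]
            reason = f"sqlservr.exe spawned {image}" + (" after " + ", ".join(prior) if prior else "")
            findings.append({"host": host, "severity": "critical", "reason": reason,
                             "account": sh.fields.get("User") or sh.fields.get("SubjectUserName", "?")})
        if shells:
            continue   # OS execution already confirmed on this host; SQL-only ratings are superseded
        for ev, label in sql_hits:
            account = ev.fields.get("server_principal_name", "?")
            severity = ("low" if account in EXPECTED_SQL_ADMINS
                        else "high" if label == "sysadmin_role_change" else "medium")
            findings.append({"host": host, "severity": severity,
                             "reason": f"{label} by {account}", "account": account})
    return findings


T0 = datetime(2024, 5, 1, 9, 0)
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SAMPLE_EVENTS = [   # constructed, not real telemetry
    Event(T0, "SQL01", "SQLAudit", "ROLE_MEMBER_CHANGE", {"server_principal_name": "CORP\\sql-dba",
          "statement": "ALTER SERVER ROLE [sysadmin] ADD MEMBER [CORP\\svc-report]"}),
    Event(T0 + timedelta(minutes=5), "SQL02", "SQLAudit", "STATEMENT",
          {"server_principal_name": "webapp_user", "statement": "EXECUTE AS LOGIN = 'sa';"}),
    Event(T0 + timedelta(minutes=6), "SQL02", "SQLAudit", "STATEMENT", {"server_principal_name":
          "webapp_user", "statement": "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"}),
    Event(T0 + timedelta(minutes=7), "SQL02", "Sysmon", "1", {"Image": r"C:\Windows\System32\cmd.exe",
          "ParentImage": SQLSERVR, "CommandLine": "cmd.exe /c dir", "User": "NT SERVICE\\MSSQLSERVER"}),
    Event(T0 + timedelta(minutes=40), "SQL03", "Security", "4688", {"SubjectUserName": "svc-sql",
          "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "ParentProcessName": SQLSERVR}),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run it directly to print the findings. The Sysmon and 4688 matching mirrors the Sigma selection (parent ends with sqlservr.exe, child is cmd.exe or powershell.exe), and the 30-minute window bounds how far back a shell spawn is tied to a preceding SQL indicator on the same host; a sysadmin change by an account outside the allowlist with no OS execution yet is still surfaced as high.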
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| SQL permissions | Restrict sysadmin role membership | Critical | Prevents privilege escalation. |
| Monitoring | Alert on sqlservr.exe spawning shells | High | Strong detection signal. |
| Least privilege | Run SQL service with minimal OS privileges | High | Limits escalation impact. |
| Audit logging | Enable SQL audit logs for role changes | High | Improves visibility. |
| Threat hunting | Review SQL impersonation queries | Medium | Detects abuse of EXECUTE AS. |