This note documents detection patterns related to MSSQL xp_cmdshell Abuse within Active Directory environments.
## Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4624 | Successful logon | Medium | Logon associated with SQL service account or attacker account. |
| Security | 4688 | Process created | Critical | Command execution spawned from sqlservr.exe process. |
| Sysmon | 1 | Process creation | Critical | Child process of sqlservr.exe such as cmd.exe or powershell.exe. |
| Sysmon | 3 | Network connection | High | Outbound connections from sqlservr.exe child processes. |
| SQL Server Logs | N/A | xp_cmdshell execution | Critical | The error log records the sp_configure change that enables xp_cmdshell; individual executions require SQL Server Audit or Extended Events to be captured. |
| EDR Telemetry | N/A | Command execution from SQL service | Critical | Detection of shell commands launched via SQL service. |
## Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| sqlservr.exe spawning cmd.exe | SQL Server process launching shell commands | Critical | Strong indicator of xp_cmdshell abuse. |
| PowerShell executed by SQL service | sqlservr.exe → powershell.exe chain | Critical | Common exploitation technique. |
| Network connections from SQL child processes | Reverse shell or lateral movement attempts | High | Often used for pivoting. |
| Unusual SQL queries | EXEC xp_cmdshell commands | Critical | Direct evidence of command execution. |
| Service account performing administrative actions | SQL service account executing system commands | High | Often abused for privilege escalation. |
## Common Tools
| Tool | Usage |
|---|---|
| sqlcmd | Executes SQL queries including xp_cmdshell commands. |
| Impacket mssqlclient | Allows remote SQL command execution. |
| PowerUpSQL | Enumerates SQL servers and abuses xp_cmdshell. |
| Metasploit MSSQL modules | Automates xp_cmdshell exploitation. |
| Custom SQL scripts | Used to execute OS commands via SQL server. |
## Relevant Artifacts
- Windows Security logs (Event IDs 4624, 4688)
- SQL Server error logs and query logs
- Sysmon logs (Event ID 1 process creation, Event ID 3 network connection)
- EDR telemetry detecting command execution
- Prefetch artifacts for cmd.exe or powershell.exe
- Network logs for lateral movement attempts
- File system artifacts created by executed commands
## MITRE ATT&CK References
- T1059 Command and Scripting Interpreter
- T1505 Server Software Component
- T1047 Windows Management Instrumentation
## Decision Tree
- Is the suspicious event present?
  - Identify processes spawned by sqlservr.exe.
- What host generated the event?
  - Determine which SQL server executed the command.
- Is the account expected to perform this action?
  - Investigate whether the administrative SQL activity is legitimate.
- Pivot:
  - Source host → inspect the SQL queries that were executed.
  - Child processes → analyze command-line arguments.
  - Network → inspect outbound connections from SQL child processes.
- Confirm exploitation
  - Determine whether an attacker executed system commands through xp_cmdshell.
## Example Detection Templates

### KQL

```kql
// Microsoft Defender for Endpoint: shells spawned by the SQL Server process.
// =~ and in~ are case-insensitive; image names are logged in varying case.
DeviceProcessEvents
| where InitiatingProcessFileName =~ "sqlservr.exe"
| where FileName in~ ("cmd.exe", "powershell.exe")
```

```kql
// Windows Security Event ID 4688 with SQL Server as the creator process
SecurityEvent
| where EventID == 4688
| where ParentProcessName has "sqlservr"
```

### EQL

```eql
// Any process started by the SQL Server process (":" is the case-insensitive string match).
// Narrow with process.name to cmd.exe / powershell.exe if the broader rule is too noisy.
process where event.type == "start" and parent.name : "sqlservr.exe"
```

### Sigma

```yaml
title: MSSQL xp_cmdshell Abuse
id: mssql-xpcmdshell-detection   # the Sigma specification expects a UUID here
status: experimental
description: Detects command execution spawned from the SQL Server process
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\sqlservr.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    condition: selection
fields:
    - Image
    - ParentImage
    - CommandLine
falsepositives:
    - Legitimate SQL administrative automation
level: high
tags:
    - attack.execution
    - attack.t1059
```
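The parent/child logic shared by the KQL, EQL and Sigma templates above, applied to constructed Sysmon Event ID 1 style records so the match and non-match cases can be checked offline. This is an added example, not code from the original note; the hosts, accounts, paths and command lines in the sample events are made up.

```python
# Added example (not from the original note): apply the note's sqlservr.exe -> shell
# parent/child logic to constructed Sysmon Event ID 1 style records.
import ntpath

SQL_PARENT = "sqlservr.exe"
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}

# Constructed sample events modelled on Sysmon EID 1 fields; hosts, accounts,
# paths and command lines are made up for this example.
SAMPLE_EVENTS = [
    {  # match: SQL Server process launches cmd.exe
        "Computer": "SQL01", "User": r"NT SERVICE\MSSQLSERVER",
        "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c dir C:\Temp',
    },
    {  # match: mixed-case paths, which Windows logs inconsistently
        "Computer": "SQL02", "User": r"CORP\svc_sql",
        "ParentImage": r"C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL\BINN\SQLSERVR.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
        "CommandLine": "PowerShell.exe -NoProfile -Command Get-Date",
    },
    {  # no match: Service Control Manager starting SQL Server itself
        "Computer": "SQL01", "User": r"NT AUTHORITY\SYSTEM",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
        "CommandLine": "sqlservr.exe -sMSSQLSERVER",
    },
    {  # no match: interactive shell opened from explorer.exe
        "Computer": "WS07", "User": r"CORP\jdoe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
    },
]

def is_sql_shell_spawn(event):
    """True when sqlservr.exe is the parent of cmd.exe or powershell.exe; basenames
    are compared case-insensitively, like Sigma's endswith and KQL's =~ / in~."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    return parent == SQL_PARENT and child in SHELL_CHILDREN

def detect(events):
    """Return the matches, keeping the fields the Sigma rule lists for triage."""
    keys = ("Computer", "User", "ParentImage", "Image", "CommandLine")
    return [{k: e[k] for k in keys} for e in events if is_sql_shell_spawn(e)]

for hit in detect(SAMPLE_EVENTS):  # stand-alone run prints the two constructed matches
    print(f"[{hit['Computer']}] {hit['User']}: {hit['ParentImage']} -> {hit['CommandLine']}")
```

Only the first two records match: the SQL service account starting sqlservr.exe and a user's interactive cmd.exe are excluded because the rule keys on the parent image, not on the shell alone.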
## Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| SQL configuration | Disable xp_cmdshell if not required | Critical | Removes attack capability. |
| Access control | Restrict SQL administrative privileges | High | Prevents unauthorized execution. |
| Monitoring | Alert on sqlservr.exe spawning shells | High | Strong detection signal. |
| Least privilege | Run SQL service with minimal privileges | Medium | Reduces impact of exploitation. |
| Threat hunting | Review SQL queries invoking xp_cmdshell | Medium | Detects suspicious activity. |