IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Unusual Process For MSSQL Service Accounts
editUnusual Process For MSSQL Service Accounts
editIdentifies unusual process executions using MSSQL Service accounts, which can indicate the exploitation/compromise of SQL instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement.
Rule type: eql
Rule indices:
- logs-endpoint.events.process-*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Lateral Movement
- Tactic: Persistence
- Data Source: Elastic Defend
- Rule Type: BBR
Version: 4
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editprocess where event.type == "start" and host.os.type == "windows" and
user.name : (
"SQLSERVERAGENT", "SQLAGENT$*",
"MSSQLSERVER", "MSSQL$*",
"MSSQLServerOLAPService",
"ReportServer*", "MsDtsServer150",
"MSSQLFDLauncher*",
"SQLServer2005SQLBrowserUser$*",
"SQLWriter", "winmgmt"
) and user.domain : "NT SERVICE" and
not (
(
process.name : (
"sqlceip.exe", "sqlservr.exe", "sqlagent.exe",
"msmdsrv.exe", "ReportingServicesService.exe",
"MsDtsSrvr.exe", "sqlbrowser.exe", "DTExec.exe",
"SQLPS.exe", "fdhost.exe", "fdlauncher.exe",
"SqlDumper.exe", "sqlsqm.exe", "DatabaseMail.exe",
"ISServerExec.exe", "Microsoft.ReportingServices.Portal.WebHost.exe",
"bcp.exe", "SQLCMD.exe", "DatabaseMail.exe"
) or
process.executable : (
"?:\\Windows\\System32\\wermgr.exe",
"?:\\Windows\\System32\\conhost.exe",
"?:\\Windows\\System32\\WerFault.exe"
)
) and
(
process.code_signature.subject_name : ("Microsoft Corporation", "Microsoft Windows") and
process.code_signature.trusted == true
)
) and
not (
(process.name : "cmd.exe" and process.parent.name : "sqlservr.exe") or
(process.name : "cmd.exe" and process.parent.name : "forfiles.exe" and process.command_line : "/c echo *")
)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Technique:
- Name: Exploitation of Remote Services
- ID: T1210
- Reference URL: https://attack.mitre.org/techniques/T1210/
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Server Software Component
- ID: T1505
- Reference URL: https://attack.mitre.org/techniques/T1505/
-
Sub-technique:
- Name: SQL Stored Procedures
- ID: T1505.001
- Reference URL: https://attack.mitre.org/techniques/T1505/001/