Persistence

T1505.001: SQL Stored Procedures

T1505.001 · Sub-technique · 2 platforms

Description

Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).

Adversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019) To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019)(Citation: Microsoft xp_cmdshell 2017)

Microsoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.).(Citation: Microsoft CLR Integration 2017) Adversaries may craft or modify CLR assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.(Citation: NetSPI SQL Server CLR)
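As an added example (not part of the ATT&CK entry or any MITRE tooling), the following T-SQL audits a Microsoft SQL Server instance for the pieces this description relies on: xp_cmdshell and CLR integration being enabled, procedures registered to run at service start, user-defined CLR assemblies bound to database objects, and T-SQL procedures that reference xp_cmdshell or sp_procoption. It assumes sysadmin rights and the standard catalog views (sys.configurations, sys.procedures, sys.sql_modules, sys.assemblies, sys.assembly_modules), which exist in all supported SQL Server versions.

```sql
-- Added defender-side audit for T1505.001 on Microsoft SQL Server; example code, not from the
-- ATT&CK page. Run as a member of sysadmin. Sections 1 and 2 are server-wide; run 3 and 4 in
-- each user database as well.

-- 1. Server-level switches the technique depends on. value_in_use = 1 means enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled');

-- 2. Procedures flagged to run automatically at service start (set with sp_procoption).
--    Startup procedures can only live in master. LEFT JOIN keeps CLR procedures (type PC),
--    which have no T-SQL body in sys.sql_modules.
USE master;
SELECT p.name, p.type_desc, p.create_date, p.modify_date, m.definition
FROM sys.procedures AS p
LEFT JOIN sys.sql_modules AS m ON m.object_id = p.object_id
WHERE OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1;

-- 3. User-defined CLR assemblies and the objects bound to them.
--    EXTERNAL_ACCESS and UNSAFE_ACCESS permission sets are the ones that can reach the OS;
--    a recent modify_date on an assembly nobody deployed is the thing to chase.
SELECT a.name AS assembly_name, a.permission_set_desc, a.create_date, a.modify_date,
       OBJECT_SCHEMA_NAME(am.object_id) AS schema_name,
       OBJECT_NAME(am.object_id) AS object_name,
       am.assembly_class, am.assembly_method
FROM sys.assemblies AS a
LEFT JOIN sys.assembly_modules AS am ON am.assembly_id = a.assembly_id
WHERE a.is_user_defined = 1
ORDER BY a.modify_date DESC;

-- 4. T-SQL procedures whose body references xp_cmdshell or sp_procoption.
--    Square brackets escape the underscore, which LIKE otherwise treats as a
--    single-character wildcard.
SELECT DB_NAME() AS database_name,
       OBJECT_SCHEMA_NAME(o.object_id) AS schema_name,
       o.name AS procedure_name, o.modify_date
FROM sys.objects AS o
JOIN sys.sql_modules AS m ON m.object_id = o.object_id
WHERE o.type = 'P'
  AND (m.definition LIKE '%xp[_]cmdshell%' OR m.definition LIKE '%sp[_]procoption%');
```

Baseline the output once per instance and diff it on a schedule; any new row in sections 2 through 4 that did not come through change control is worth an incident ticket.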

Platforms

Windows, Linux

Mitigations (3)

Audit (M1047)

Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.

Code Signing (M1045)

Ensure all application component binaries are signed by the correct application developers.

Privileged Account Management (M1026)

Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Associated Software (1)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0603 | Stuxnet | Malware | [Stuxnet](https://attack.mitre.org/software/S0603) used xp_cmdshell to store and execute SQL code.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chi... |

Frequently Asked Questions

What is T1505.001 (SQL Stored Procedures)?

T1505.001 is a MITRE ATT&CK technique named 'SQL Stored Procedures'. It belongs to the Persistence tactic. Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries.

How can T1505.001 be detected?

Detection of T1505.001 (SQL Stored Procedures) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1505.001?

There are 3 documented mitigations for T1505.001. Key mitigations include: Audit, Code Signing, Privileged Account Management.

Which threat groups use T1505.001?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.