← Back to Explore
splunk_escuHunting
Windows Sqlservr Spawning Shell
This analytic detects instances where the sqlservr.exe process spawns a command shell (cmd.exe) or PowerShell process. This behavior is often indicative of command execution initiated from within the SQL Server process, potentially due to exploitation of SQL injection vulnerabilities or the use of extended stored procedures like xp_cmdshell.
MITRE ATT&CK
Detection Query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.parent_process_name="sqlservr.exe" `process_cmd`
OR
`process_powershell`
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_sqlservr_spawning_shell_filter`Author
Michael Haag, Splunk
Created
2026-03-24
Data Sources
Sysmon EventID 1Windows Event Log Security 4688
References
Tags
SQL Server Abuse
Raw Content
name: Windows Sqlservr Spawning Shell
id: d33aac9f-030c-4830-8701-0c2dd75bb6cb
version: 6
date: '2026-03-24'
author: Michael Haag, Splunk
status: production
type: Hunting
description: This analytic detects instances where the sqlservr.exe process spawns a command shell (cmd.exe) or PowerShell process. This behavior is often indicative of command execution initiated from within the SQL Server process, potentially due to exploitation of SQL injection vulnerabilities or the use of extended stored procedures like xp_cmdshell.
data_source:
- Sysmon EventID 1
- Windows Event Log Security 4688
search: |-
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.parent_process_name="sqlservr.exe" `process_cmd`
OR
`process_powershell`
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_sqlservr_spawning_shell_filter`
how_to_implement: To implement this detection, you need to be ingesting endpoint data that captures process creation events, specifically the parent-child process relationships. Ensure that you are collecting Sysmon Event ID 1 or Windows Event Log Security 4688 events. The data should be mapped to the Endpoint data model in Splunk.
known_false_positives: Legitimate administrative activities or monitoring tools might occasionally spawn command shells from sqlservr.exe. Review the process command-line arguments and consider filtering out known legitimate processes or users.
references:
- https://attack.mitre.org/techniques/T1505/001/
- https://github.com/MHaggis/notes/tree/master/utilities/SQLSSTT
tags:
analytic_story:
- SQL Server Abuse
asset_type: Endpoint
mitre_attack_id:
- T1505.001
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint
cve: []
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.001/simulation/sqlservr-windows_sysmon.log
sourcetype: XmlWinEventLog
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational