SQL Server abuse

# SQL Server abuse

This query was originally published in the threat analytics report, **SQL Server abuse**.

[SQL Server](https://docs.microsoft.com/sql/relational-databases/security/securing-sql-server?view=sql-server-ver15) offers a vast array of tools for automating tasks, exporting data, and running scripts. These legitimate tools can be repurposed by attackers. Because there are so many powerful commands an attacker might exploit, hunting for malicious activity involving SQL Server can be complicated.

This query detects instances of a SQL Server process launching a shell to run one or more suspicious commands.

## Query

```Kusto
DeviceProcessEvents 
| where Timestamp  >= ago(10d)
| where InitiatingProcessFileName in~ ("sqlservr.exe", "sqlagent.exe", 
"sqlps.exe", "launchpad.exe")
| summarize tostring(makeset(ProcessCommandLine)) 
by DeviceId, bin(Timestamp, 2m)
| where
set_ProcessCommandLine has "certutil" or 
set_ProcessCommandLine has "netstat" or 
set_ProcessCommandLine has "ping" or 
set_ProcessCommandLine has "sysinfo" or 
set_ProcessCommandLine has "systeminfo" or 
set_ProcessCommandLine has "taskkill" or 
set_ProcessCommandLine has "wget" or 
set_ProcessCommandLine has "whoami" or 
set_ProcessCommandLine has "Invoke-WebRequest" or 
set_ProcessCommandLine has "Copy-Item" or 
set_ProcessCommandLine has "WebClient" or 
set_ProcessCommandLine has "advpack.dll" or 
set_ProcessCommandLine has "appvlp.exe" or 
set_ProcessCommandLine has "atbroker.exe" or 
set_ProcessCommandLine has "bash.exe" or 
set_ProcessCommandLine has "bginfo.exe" or 
set_ProcessCommandLine has "bitsadmin.exe" or 
set_ProcessCommandLine has "cdb.exe" or 
set_ProcessCommandLine has "certutil.exe" or 
set_ProcessCommandLine has "cl_invocation.ps1" or 
set_ProcessCommandLine has "cl_mutexverifiers.ps1" or 
set_ProcessCommandLine has "cmstp.exe" or 
set_ProcessCommandLine has "csi.exe" or 
set_ProcessCommandLine has "diskshadow.exe" or 
set_ProcessCommandLine has "dnscmd.exe" or 
set_ProcessCommandLine has "dnx.exe" or 
set_ProcessCommandLine has "dxcap.exe" or 
set_ProcessCommandLine has "esentutl.exe" or 
set_ProcessCommandLine has "expand.exe" or 
set_ProcessCommandLine has "extexport.exe" or 
set_ProcessCommandLine has "extrac32.exe" or 
set_ProcessCommandLine has "findstr.exe" or 
set_ProcessCommandLine has "forfiles.exe" or 
set_ProcessCommandLine has "ftp.exe" or 
set_ProcessCommandLine has "gpscript.exe" or 
set_ProcessCommandLine has "hh.exe" or 
set_ProcessCommandLine has "ie4uinit.exe" or 
set_ProcessCommandLine has "ieadvpack.dll" or 
set_ProcessCommandLine has "ieaframe.dll" or 
set_ProcessCommandLine has "ieexec.exe" or 
set_ProcessCommandLine has "infdefaultinstall.exe" or 
set_ProcessCommandLine has "installutil.exe" or 
set_ProcessCommandLine has "makecab.exe" or 
set_ProcessCommandLine has "manage-bde.wsf" or 
set_ProcessCommandLine has "mavinject.exe" or 
set_ProcessCommandLine has "mftrace.exe" or 
set_ProcessCommandLine has "microsoft.workflow.compiler.exe" or 
set_ProcessCommandLine has "mmc.exe" or 
set_ProcessCommandLine has "msbuild.exe" or 
set_ProcessCommandLine has "msconfig.exe" or 
set_ProcessCommandLine has "msdeploy.exe" or 
set_ProcessCommandLine has "msdt.exe" or 
set_ProcessCommandLine has "mshta.exe" or 
set_ProcessCommandLine has "mshtml.dll" or 
set_ProcessCommandLine has "msiexec.exe" or 
set_ProcessCommandLine has "msxsl.exe" or 
set_ProcessCommandLine has "odbcconf.exe" or 
set_ProcessCommandLine has "pcalua.exe" or 
set_ProcessCommandLine has "pcwrun.exe" or 
set_ProcessCommandLine has "pcwutl.dll" or 
set_ProcessCommandLine has "pester.bat" or 
set_ProcessCommandLine has "presentationhost.exe" or 
set_ProcessCommandLine has "pubprn.vbs" or 
set_ProcessCommandLine has "rcsi.exe" or 
set_ProcessCommandLine has "regasm.exe" or 
set_ProcessCommandLine has "register-cimprovider.exe" or 
set_ProcessCommandLine has "regsvcs.exe" or 
set_ProcessCommandLine has "regsvr32.exe" or 
set_ProcessCommandLine has "replace.exe" or 
set_ProcessCommandLine has "rundll32.exe" or 
set_ProcessCommandLine has "runonce.exe" or 
set_ProcessCommandLine has "runscripthelper.exe" or 
set_ProcessCommandLine has "schtasks.exe" or 
set_ProcessCommandLine has "scriptrunner.exe" or 
set_ProcessCommandLine has "setupapi.dll" or 
set_ProcessCommandLine has "shdocvw.dll" or 
set_ProcessCommandLine has "shell32.dll" or 
set_ProcessCommandLine has "slmgr.vbs" or 
set_ProcessCommandLine has "sqltoolsps.exe" or 
set_ProcessCommandLine has "syncappvpublishingserver.exe" or 
set_ProcessCommandLine has "syncappvpublishingserver.vbs" or 
set_ProcessCommandLine has "syssetup.dll" or 
set_ProcessCommandLine has "te.exe" or 
set_ProcessCommandLine has "tracker.exe" or 
set_ProcessCommandLine has "url.dll" or 
set_ProcessCommandLine has "verclsid.exe" or 
set_ProcessCommandLine has "vsjitdebugger.exe" or 
set_ProcessCommandLine has "wab.exe" or 
set_ProcessCommandLine has "winrm.vbs" or 
set_ProcessCommandLine has "wmic.exe" or 
set_ProcessCommandLine has "xwizard.exe" or 
set_ProcessCommandLine has "zipfldr.dll"
| sort by DeviceId  , Timestamp asc
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access |  |  |
| Execution | v | The events detected by this query may be legitimate or malicious. Administrators should investigate further. In particular, a series of these events being recorded within a short timeframe may be strongly indicative of malicious activity. |
| Persistence |  |  |
| Privilege escalation |  |  |
| Defense evasion |  |  |
| Credential Access |  |  |
| Discovery |  |  |
| Lateral movement |  |  |
| Collection |  |  |
| Command and control |  |  |
| Exfiltration |  |  |
| Impact |  |  |
| Vulnerability |  |  |
| Misconfiguration |  |  |
| Malware, component |  |  |

## Contributor info

**Contributor:** Microsoft Threat Protection team