Suspicious Child Process Of SQL Server
Type: Detection | Level: high | Status: test
Detects suspicious child processes of the SQL Server process (sqlservr.exe). This could indicate potential RCE or SQL injection.
Author: FPT.EagleEye Team, wagga
Created: Fri Dec 11 | Updated: Thu May 04
Rule ID: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (2 selectors)

detection:
    selection:
        ParentImage|endswith: '\sqlservr.exe'
        Image|endswith:
            # You can add other uncommon or suspicious processes
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\netstat.exe'
            - '\nltest.exe'
            - '\ping.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\sh.exe'
            - '\systeminfo.exe'
            - '\tasklist.exe'
            - '\wsl.exe'
    filter_optional_datev:
        ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
        ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
        Image: 'C:\Windows\System32\cmd.exe'
        CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
    condition: selection and not 1 of filter_optional_*

References
1. Internal Research

MITRE ATT&CK
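How the two selectors combine under `condition: selection and not 1 of filter_optional_*`, as an added Python example (not code from the rule or its repository) evaluated over constructed process-creation events; the instance directory `MSSQL15.DATEV_DBENGINE`, the event ids and the command lines are assumed sample values.

```python
# Added example: plain-Python evaluation of the Sigma rule above.
# Field names follow the Sigma Windows process_creation taxonomy.
SUSPICIOUS_CHILDREN = (
    "\\bash.exe", "\\bitsadmin.exe", "\\cmd.exe", "\\netstat.exe",
    "\\nltest.exe", "\\ping.exe", "\\powershell.exe", "\\pwsh.exe",
    "\\regsvr32.exe", "\\rundll32.exe", "\\sh.exe", "\\systeminfo.exe",
    "\\tasklist.exe", "\\wsl.exe",
)

# Sigma string matching is case-insensitive unless a modifier says otherwise.
def _ends(value, suffix): return value.lower().endswith(suffix.lower())
def _starts(value, prefix): return value.lower().startswith(prefix.lower())

def selection(e):
    """'selection' block: sqlservr.exe parent AND a child from the list (list = OR)."""
    return _ends(e.get("ParentImage", ""), "\\sqlservr.exe") and any(
        _ends(e.get("Image", ""), s) for s in SUSPICIOUS_CHILDREN)

def filter_optional_datev(e):
    """'filter_optional_datev' block: every key in the map must match (map = AND)."""
    parent, image, cmd = (e.get(k, "") for k in ("ParentImage", "Image", "CommandLine"))
    return (_starts(parent, "C:\\Program Files\\Microsoft SQL Server\\")
            and _ends(parent, "DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe")
            and image.lower() == "c:\\windows\\system32\\cmd.exe"
            and _starts(cmd, '"C:\\Windows\\system32\\cmd.exe" '))

def matches(e):
    """condition: selection and not 1 of filter_optional_*"""
    return selection(e) and not filter_optional_datev(e)

# Constructed sample events (assumed paths and command lines, not real telemetry).
SQL_DIR = "C:\\Program Files\\Microsoft SQL Server\\"
SAMPLE_EVENTS = [
    {"id": "default-instance-cmd", "ParentImage": SQL_DIR + "MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"id": "datev-cmd", "ParentImage": SQL_DIR + "MSSQL15.DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": '"C:\\Windows\\system32\\cmd.exe" /c dir'},
    {"id": "datev-powershell", "ParentImage": SQL_DIR + "MSSQL15.DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -c hostname"},
    {"id": "sql-conhost", "ParentImage": SQL_DIR + "MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe",
     "Image": "C:\\Windows\\System32\\conhost.exe", "CommandLine": "conhost.exe 0x4"},
    {"id": "explorer-cmd", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
]

def evaluate(events):
    """Return the ids of the events this rule would alert on."""
    return [e["id"] for e in events if matches(e)]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # ['default-instance-cmd', 'datev-powershell']
```

Note that the DATEV filter only suppresses cmd.exe launched with that exact quoted command-line prefix; the same instance spawning powershell.exe still alerts, and conhost.exe never matches because it is not in the child list.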
Related Rules
Similar: 344482e4-a477-436c-aa70-7536d18a48c7 (rule not found)
Rule Metadata
Rule ID
869b9ca7-9ea2-4a5a-8325-e80e62f75445
Status
test
Level
high
Type
Detection
Created
Fri Dec 11
Modified
Thu May 04
Author
Path
rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml
Raw Tags
attack.t1505.003, attack.t1190, attack.initial-access, attack.persistence, attack.privilege-escalation