
Suspicious Child Process Of SQL Server

Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.

Author: FPT.EagleEye Team, wagga
Created: Fri Dec 11
Updated: Thu May 04
Rule ID: 869b9ca7-9ea2-4a5a-8325-e80e62f75445

Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
detection:
    selection:
        ParentImage|endswith: '\sqlservr.exe'
        Image|endswith:
            # You can add other uncommon or suspicious processes
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\netstat.exe'
            - '\nltest.exe'
            - '\ping.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\sh.exe'
            - '\systeminfo.exe'
            - '\tasklist.exe'
            - '\wsl.exe'
    filter_optional_datev:
        ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
        ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
        Image: 'C:\Windows\System32\cmd.exe'
        CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
    condition: selection and not 1 of filter_optional_*
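As an added example (not part of the rule above and not SigmaHQ code), the following Python reproduces the rule's matching logic and runs it over constructed process-creation events. It shows the two things a reviewer usually wants to confirm before deploying the rule: that the condition `selection and not 1 of filter_optional_*` suppresses only an event that satisfies every field of `filter_optional_datev`, and that a child other than cmd.exe under a DATEV instance is still reported. Field names follow the Sigma process_creation schema; all paths, instance names and command lines are constructed for the example, and string matching is case-insensitive as Sigma's default modifiers are.

```python
# Added example: evaluates this Sigma rule's selection, filter_optional_datev
# and condition over constructed process_creation events. Not SigmaHQ code.

# Child images listed in the rule's selection (suffix matches, case-insensitive)
SUSPICIOUS_CHILDREN = (
    "\\bash.exe", "\\bitsadmin.exe", "\\cmd.exe", "\\netstat.exe",
    "\\nltest.exe", "\\ping.exe", "\\powershell.exe", "\\pwsh.exe",
    "\\regsvr32.exe", "\\rundll32.exe", "\\sh.exe", "\\systeminfo.exe",
    "\\tasklist.exe", "\\wsl.exe",
)


def _field(event, name):
    """Return the event field lower-cased, or '' when the field is absent."""
    return str(event.get(name, "")).lower()


def selection(event):
    """selection: ParentImage ends with \\sqlservr.exe and Image ends with a listed child."""
    parent = _field(event, "ParentImage")
    image = _field(event, "Image")
    return parent.endswith("\\sqlservr.exe") and any(
        image.endswith(child) for child in SUSPICIOUS_CHILDREN
    )


def filter_optional_datev(event):
    """filter_optional_datev: all four field conditions must hold (AND within one selector)."""
    parent = _field(event, "ParentImage")
    return (
        parent.startswith("c:\\program files\\microsoft sql server\\")
        and parent.endswith("datev_dbengine\\mssql\\binn\\sqlservr.exe")
        and _field(event, "Image") == "c:\\windows\\system32\\cmd.exe"
        and _field(event, "CommandLine").startswith('"c:\\windows\\system32\\cmd.exe" ')
    )


# Every selector named filter_optional_* (this rule defines exactly one)
OPTIONAL_FILTERS = (filter_optional_datev,)


def matches(event):
    """condition: selection and not 1 of filter_optional_*"""
    return selection(event) and not any(f(event) for f in OPTIONAL_FILTERS)


# Constructed sample events (not real telemetry); instance names are illustrative.
SQLSERVR = "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe"
DATEV_SQLSERVR = "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe"

EVENTS = [
    {"id": "sql-cmd", "ParentImage": SQLSERVR,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\"},
    {"id": "sql-powershell", "ParentImage": SQLSERVR,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"id": "datev-cmd", "ParentImage": DATEV_SQLSERVR,  # every filter field holds: suppressed
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": '"C:\\Windows\\system32\\cmd.exe" /c type C:\\datev\\status.txt'},
    {"id": "datev-powershell", "ParentImage": DATEV_SQLSERVR,  # filter requires cmd.exe: still fires
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
    {"id": "sql-conhost", "ParentImage": SQLSERVR,  # child not in the list
     "Image": "C:\\Windows\\System32\\conhost.exe",
     "CommandLine": "conhost.exe 0x4"},
    {"id": "explorer-cmd", "ParentImage": "C:\\Windows\\explorer.exe",  # parent is not sqlservr.exe
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe"},
]


def run(events=EVENTS):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run():
        print("ALERT", hit)
```

Running the block reports sql-cmd, sql-powershell and datev-powershell. The point to note when tuning is that the DATEV filter is deliberately narrow: it only suppresses cmd.exe launched with the exact quoted `"C:\Windows\system32\cmd.exe" ` prefix, so any other listed child under a DATEV instance still alerts. Additional filter_optional_* selectors added for other known-good products work the same way and should be kept equally specific, since each one is evaluated independently and any single match suppresses the alert.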
References
1. Internal Research
Related Rules
Similar: 344482e4-a477-436c-aa70-7536d18a48c7 (rule not found)
Rule Metadata
Rule ID
869b9ca7-9ea2-4a5a-8325-e80e62f75445
Status
test
Level
high
Type
Detection
Created
Fri Dec 11
Modified
Thu May 04
Path
rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml
Raw Tags
attack.t1505.003, attack.t1190, attack.initial-access, attack.persistence, attack.privilege-escalation