Query Details

EDR Evasion Inject Shellcode Via MSSQL CLR Assembly Detection

Query

// EDR Evasion - Inject Shellcode via MSSQL CLR Assembly Detection
// Blog: https://blog.pyn3rd.com/2024/11/22/How-to-use-MSSQL-CLR-assembly-to-bypass-EDR/

// Condition1: devices where a Visual Studio process created a file with a .sql extension
let VSId = dynamic(["Microsoft Visual Studio"]);
let Condition1 =
DeviceFileEvents
| where InitiatingProcessVersionInfoFileDescription has_any(VSId)
| where ActionType == "FileCreated" and tolower(FileName) endswith ".sql"
| distinct DeviceName;
// Condition2: devices with any file event initiated by SQL Server Management Studio
let SQLStudioId = dynamic(["Microsoft SQL Server Management Studio"]);
let Condition2 =
DeviceFileEvents
| where InitiatingProcessVersionInfoFileDescription has_any(SQLStudioId)
| distinct DeviceName;
// Alert: SQL Server process (sqlservr.exe) started on a device present in both lists
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName == "sqlservr.exe"
| where DeviceName has_any (Condition1) and DeviceName has_any(Condition2)

Explanation

This KQL (Kusto Query Language) query is designed to detect potential EDR (Endpoint Detection and Response) evasion techniques involving the injection of shellcode via Microsoft SQL Server CLR (Common Language Runtime) assemblies. Here's a simplified breakdown of what the query does:

  1. Identify Devices with Visual Studio Activity:
    • It first looks for file creation events where the initiating process is Microsoft Visual Studio and the created file has a .sql extension. It collects the names of devices where this activity occurs.
  2. Identify Devices with SQL Server Management Studio Activity:
    • It then looks for any file events initiated by Microsoft SQL Server Management Studio, collecting the names of devices where this activity is detected.
  3. Detect SQL Server Process Creation:
    • Finally, it searches for the creation of the sqlservr.exe process (which is the SQL Server process) on devices that have been identified in both of the previous steps (i.e., devices that have shown activity from both Visual Studio and SQL Server Management Studio).

The query is essentially trying to find devices where there is a combination of activities involving Visual Studio, SQL Server Management Studio, and the creation of the SQL Server process, which could indicate an attempt to use SQL Server CLR assemblies to bypass security measures.
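The three-step correlation described above, modelled offline in Python over constructed sample telemetry. This is an added example, not the page's query or Steven Lim's code; it approximates KQL's has_any with a case-insensitive substring test and models device membership as an exact set intersection.

```python
from collections import namedtuple

# Subsets of the DeviceFileEvents / DeviceProcessEvents columns the query uses
FileEvent = namedtuple("FileEvent", "DeviceName ActionType FileName InitiatingProcessVersionInfoFileDescription")
ProcessEvent = namedtuple("ProcessEvent", "DeviceName ActionType FileName")

def has_any(text, needles):
    # Approximation of KQL has_any: case-insensitive match of any needle in text
    t = text.lower()
    return any(n.lower() in t for n in needles)

def vs_sql_devices(file_events):
    # Condition1: Visual Studio created a file whose name ends in .sql (case-insensitive)
    return {e.DeviceName for e in file_events
            if has_any(e.InitiatingProcessVersionInfoFileDescription, ["Microsoft Visual Studio"])
            and e.ActionType == "FileCreated"
            and e.FileName.lower().endswith(".sql")}

def ssms_devices(file_events):
    # Condition2: any file event initiated by SQL Server Management Studio
    return {e.DeviceName for e in file_events
            if has_any(e.InitiatingProcessVersionInfoFileDescription,
                       ["Microsoft SQL Server Management Studio"])}

def detect(file_events, process_events):
    # Final stage: sqlservr.exe process creation on devices present in both sets
    both = vs_sql_devices(file_events) & ssms_devices(file_events)
    return sorted({p.DeviceName for p in process_events
                   if p.ActionType == "ProcessCreated"
                   and p.FileName == "sqlservr.exe"
                   and p.DeviceName in both})

# Constructed sample telemetry: only DEV-A satisfies all three conditions
SAMPLE_FILE_EVENTS = [
    FileEvent("DEV-A", "FileCreated", "Deploy.SQL", "Microsoft Visual Studio 2022"),
    FileEvent("DEV-A", "FileModified", "notes.txt", "Microsoft SQL Server Management Studio"),
    FileEvent("DEV-B", "FileCreated", "script.sql", "Microsoft Visual Studio 2022"),
    FileEvent("DEV-C", "FileCreated", "query.sql", "Microsoft SQL Server Management Studio"),
]
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("DEV-A", "ProcessCreated", "sqlservr.exe"),
    ProcessEvent("DEV-B", "ProcessCreated", "sqlservr.exe"),
    ProcessEvent("DEV-C", "ProcessCreated", "sqlservr.exe"),
]

if __name__ == "__main__":
    print(detect(SAMPLE_FILE_EVENTS, SAMPLE_PROCESS_EVENTS))  # ['DEV-A']
```

DEV-B drops out because it has no SSMS activity and DEV-C because Visual Studio never wrote a .sql file there, which is exactly the noise the two-list intersection is meant to filter.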

Details

Steven Lim

Released: February 18, 2025

Tables

DeviceFileEvents, DeviceProcessEvents

Keywords

DeviceFileEvents, ProcessEvents

Operators

let, dynamic, has_any, where, ==, tolower, endswith, and, distinct