Query Details

Suspicious SQL Children

Query

Tags:

Query:
    // Tools that SQL Server itself rarely needs to spawn (living-off-the-land binaries, shells, recon utilities).
    // Note: "powershell" without ".exe" is kept on purpose so that bare "powershell -enc ..." command lines still match.
    let suspiciousprocesses = pack_array("cmd.exe","powershell","bitsadmin.exe","certutil.exe","bginfo.exe","bash.exe","netstat.exe","nltest.exe","ping.exe","powershell.exe","pwsh.exe","regsvr32.exe","rundll32.exe","sh.exe","systeminfo.exe","tasklist.exe","wsl.exe");
    DeviceProcessEvents 
      | where Timestamp >= ago(30d)
      // Parent must be a SQL Server binary: engine, Agent, SQL PowerShell host, or the external-scripts Launchpad.
      | where InitiatingProcessFileName in~ ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe")
      // Child command line mentions a listed tool, except anything run from the instance's Scripts folder.
      | where ProcessCommandLine has_any  (suspiciousprocesses) and ProcessCommandLine !contains @"MSSQL13.SQL1\MSSQL\Files\Scripts\"
      // Exact-match allow-list for two known database-file renames (environment specific; adjust to taste).
      | where ProcessCommandLine != @"""cmd.exe"" /c rename C:\Windows\ServiceProfiles\NetworkService\HaImportDatabaseName.mdf HaDatabaseName.mdf"
      | where ProcessCommandLine != @"""cmd.exe"" /c rename C:\Windows\ServiceProfiles\NetworkService\HaImportDatabaseName_log.ldf HaDatabaseName_log.ldf"


References:
  https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_mssql_susp_child_process/

Explanation

This KQL (Kusto Query Language) query is designed to identify potentially suspicious processes that were initiated by SQL Server-related processes over the past 30 days. Here's a simplified breakdown:

  1. Define Suspicious Processes: A list of tools that SQL Server itself rarely has a reason to launch is created, including command interpreters (cmd.exe, powershell.exe, pwsh.exe, bash.exe, sh.exe, wsl.exe), download and proxy-execution binaries (bitsadmin.exe, certutil.exe, regsvr32.exe, rundll32.exe, bginfo.exe) and host reconnaissance utilities (netstat.exe, nltest.exe, ping.exe, systeminfo.exe, tasklist.exe).

  2. Filter Device Process Events: The query reads the DeviceProcessEvents table and keeps only events from the last 30 days.

  3. Initiating Process: It keeps events whose initiating (parent) process is one of the SQL Server executables: sqlservr.exe (the engine), sqlagent.exe (SQL Server Agent), sqlps.exe (the SQL PowerShell host) or launchpad.exe (the external-scripts Launchpad service). The in~ operator makes this comparison case-insensitive.

  4. Command Line Check: It keeps events whose ProcessCommandLine contains any of the listed names (has_any), but drops anything referencing the instance's scripts folder (MSSQL13.SQL1\MSSQL\Files\Scripts\), which is a per-environment allow-list.

  5. Exclusions: It drops two exact command lines that rename database files (HaImportDatabaseName.mdf and its _log.ldf) under the NetworkService profile, a known maintenance task in the author's environment.

In summary, this query surfaces unusual or potentially malicious child processes spawned by SQL Server processes (the classic xp_cmdshell, SQL Agent job or external-script abuse pattern) while excluding known safe operations. Two caveats when reusing it: the scripts-folder path and the two rename command lines are specific to the author's environment and must be replaced with your own allow-list, and because the exclusions are exact string comparisons, any change in quoting, spacing or file name will cause a formerly excluded command to reappear in the results.
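A tuned variant of the same hunt, added here as an example and not part of the original query or of the Sigma rule it references. It keeps the page's parent list, scripts-folder exclusion and file names, but also matches on the child's FileName (so the hit does not depend on the command-line text), replaces the two exact-string exclusions with one case-insensitive regular expression that covers both rename commands, and summarizes per device, parent, account and child so the rarest pairs sort to the top for triage. The knownRenames pattern and the summarize columns are this example's own choices.

```kql
let suspiciousprocesses = dynamic(["cmd.exe","powershell","powershell.exe","pwsh.exe","bash.exe","sh.exe","wsl.exe","bitsadmin.exe","certutil.exe","bginfo.exe","netstat.exe","nltest.exe","ping.exe","regsvr32.exe","rundll32.exe","systeminfo.exe","tasklist.exe"]);
// Both maintenance renames from the original query in one pattern (assumption: only these two files are ever renamed this way).
// Verbatim string: "" is a literal quote, \\ is a literal backslash for the RE2 engine.
let knownRenames = @"(?i)^""?cmd\.exe""? /c rename C:\\Windows\\ServiceProfiles\\NetworkService\\HaImportDatabaseName(_log\.ldf|\.mdf) HaDatabaseName(_log\.ldf|\.mdf)$";
DeviceProcessEvents
| where Timestamp >= ago(30d)
| where InitiatingProcessFileName in~ ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe")
// Match the child binary itself as well as any mention of a listed tool in its command line.
| where FileName in~ (suspiciousprocesses) or ProcessCommandLine has_any (suspiciousprocesses)
| where ProcessCommandLine !contains @"MSSQL13.SQL1\MSSQL\Files\Scripts\"
| where not(ProcessCommandLine matches regex knownRenames)
// Aggregate so that a one-off (Count == 1) child under sqlservr.exe stands out from routine Agent jobs.
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            SampleCommandLines = make_set(ProcessCommandLine, 5)
          by DeviceName, InitiatingProcessFileName, AccountName, FileName
| order by Count asc
```

Review the low-count rows first; a single cmd.exe or powershell.exe under sqlservr.exe running as the SQL service account is the pattern worth pulling the full DeviceProcessEvents row (and the matching DeviceNetworkEvents) for, whereas a high-count child with stable command lines under sqlagent.exe is usually a scheduled job that belongs in the allow-list.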

Details


Ali Hussein

Released: October 5, 2023

Tables

DeviceProcessEvents

Keywords

Devices

Operators

let, pack_array, |, where, >=, ago, in~, has_any, and, !contains, !=
