Detects suspicious shell spawn from MSSQL process, this might be sigh…

…t of RCE or SQL Injection
hal308 · Dec 11, 2020 · edc79a8 · edc79a8
1 parent cfe60d1
commit edc79a8
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml
@@ -0,0 +1,26 @@
+title: Suspicious Shells Spawn by SQL Server
+id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
+description: Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection
+status: experimental
+author: FPT.EagleEye Team 
+date: 2020/12/11
+tags:
+    - attack.t1100
+    - attack.t1190
+    - attack.initial_access
+    - attack.persistence
+    - attack.privilege_escalation
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+      ParentImage: '*\sqlservr.exe'
+      Image:
+              - '*\cmd.exe'
+              - '*\sh.exe'
+              - '*\bash.exe'
+              - '*\powershell.exe'
+              - '*\bitsadmin.exe'
+    condition: selection
+level: critical