Home
ATT&CK Techniques
T1505.001 SQL Stored Procedures

T1505.001 SQL Stored Procedures

Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).

Adversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019) To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019)(Citation: Microsoft xp_cmdshell 2017)

Microsoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.).(Citation: Microsoft CLR Integration 2017) Adversaries may craft or modify CLR assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.(Citation: NetSPI SQL Server CLR)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
PR.IR-01.06	Production environment segregation	Mitigates	T1505.001	SQL Stored Procedures	Comments This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. References
PR.AA-05.02	Privileged system access	Mitigates	T1505.001	SQL Stored Procedures	Comments This diagnostic statement protects against SQL Stored Procedures through the use of privileged account management and the use of multi-factor authentication. References
DE.CM-09.01	Software and data integrity checking	Mitigates	T1505.001	SQL Stored Procedures	Comments This diagnostic statement protects against SQL Stored Procedures through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures. References
PR.PS-01.03	Configuration deviation	Mitigates	T1505.001	SQL Stored Procedures	Comments This diagnostic statement provides protection from SQL Stored Procedures through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations. References

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
CM-06	Configuration Settings	mitigates	T1505.001	SQL Stored Procedures
SA-10	Developer Configuration Management	mitigates	T1505.001	SQL Stored Procedures
SI-14	Non-persistence	mitigates	T1505.001	SQL Stored Procedures
CM-11	User-installed Software	mitigates	T1505.001	SQL Stored Procedures
SR-11	Component Authenticity	mitigates	T1505.001	SQL Stored Procedures
SR-04	Provenance	mitigates	T1505.001	SQL Stored Procedures
SR-05	Acquisition Strategies, Tools, and Methods	mitigates	T1505.001	SQL Stored Procedures
RA-05	Vulnerability Monitoring and Scanning	mitigates	T1505.001	SQL Stored Procedures
CM-08	System Component Inventory	mitigates	T1505.001	SQL Stored Procedures
SI-07	Software, Firmware, and Information Integrity	mitigates	T1505.001	SQL Stored Procedures
CM-02	Baseline Configuration	mitigates	T1505.001	SQL Stored Procedures
CM-02	Baseline Configuration	mitigates	T1505.001	SQL Stored Procedures
SA-11	Developer Testing and Evaluation	mitigates	T1505.001	SQL Stored Procedures

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
action.hacking.variety.Abuse of functionality	Abuse of functionality.	related-to	T1505.001	SQL Stored Procedures
action.malware.variety.Backdoor	Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.	related-to	T1505.001	SQL Stored Procedures
action.malware.variety.Backdoor or C2	Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.	related-to	T1505.001	SQL Stored Procedures

Azure Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
azure_policy	Azure Policy	technique_scores	T1505.001	SQL Stored Procedures	Comments This control may provide recommendations to enable other Azure controls that provide information on potentially exploitable SQL stored procedures. Recommendations to reduce unnecessary privileges from accounts and stored procedures can mitigate exploitable of this technique. References https://learn.microsoft.com/en-us/azure/governance/policy/overview
defender_for_azure_sql_databases	Microsoft Defender for Azure SQL Databases	technique_scores	T1505.001	SQL Stored Procedures	Comments This control may scan for users with unnecessary access to SQL stored procedures. References https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-sql-introduction

GCP Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
security_command_center	Security Command Center	technique_scores	T1505.001	SQL Stored Procedures	Comments SCC ingests MySQL/PostgreSQL/SQL Server data access logs to track cloud sql instances that are backed-up outside the organization. This security solution detects potential database exfiltration attacks that were attempted and completed to an external resource. Because of the near-real time temporal factor this control was graded as significant. References ['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview' 'https://github.com/GoogleCloudPlatform/security-analytics']