1. Home
  2. ATT&CK Techniques
  3. T1505.001 SQL Stored Procedures

T1505.001 SQL Stored Procedures

Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).

Adversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019) To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019)(Citation: Microsoft xp_cmdshell 2017)

Microsoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.).(Citation: Microsoft CLR Integration 2017) Adversaries may craft or modify CLR assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.(Citation: NetSPI SQL Server CLR)

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-2 Account Management Protects T1505.001 SQL Stored Procedures
AC-3 Access Enforcement Protects T1505.001 SQL Stored Procedures
AC-5 Separation of Duties Protects T1505.001 SQL Stored Procedures
AC-6 Least Privilege Protects T1505.001 SQL Stored Procedures
CA-8 Penetration Testing Protects T1505.001 SQL Stored Procedures
CM-11 User-installed Software Protects T1505.001 SQL Stored Procedures
CM-2 Baseline Configuration Protects T1505.001 SQL Stored Procedures
CM-5 Access Restrictions for Change Protects T1505.001 SQL Stored Procedures
CM-6 Configuration Settings Protects T1505.001 SQL Stored Procedures
CM-8 System Component Inventory Protects T1505.001 SQL Stored Procedures
IA-2 Identification and Authentication (organizational Users) Protects T1505.001 SQL Stored Procedures
IA-9 Service Identification and Authentication Protects T1505.001 SQL Stored Procedures
RA-5 Vulnerability Monitoring and Scanning Protects T1505.001 SQL Stored Procedures
SA-10 Developer Configuration Management Protects T1505.001 SQL Stored Procedures
SA-11 Developer Testing and Evaluation Protects T1505.001 SQL Stored Procedures
SI-4 System Monitoring Protects T1505.001 SQL Stored Procedures
SI-7 Software, Firmware, and Information Integrity Protects T1505.001 SQL Stored Procedures
SR-11 Component Authenticity Protects T1505.001 SQL Stored Procedures
SR-4 Provenance Protects T1505.001 SQL Stored Procedures
SR-5 Acquisition Strategies, Tools, and Methods Protects T1505.001 SQL Stored Procedures
SR-6 Supplier Assessments and Reviews Protects T1505.001 SQL Stored Procedures

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
azure_policy Azure Policy technique_scores T1505.001 SQL Stored Procedures
Comments
This control may provide recommendations to enable other Azure controls that provide information on potentially exploitable SQL stored procedures. Recommendations to reduce unnecessary privileges from accounts and stored procedures can mitigate exploitable of this technique.
References
    sql_vulnerability_assessment SQL Vulnerability Assessment technique_scores T1505.001 SQL Stored Procedures
    Comments
    This control may scan for users with unnecessary access to SQL stored procedures.
    References