
Summary
This detection rule identifies suspicious child processes spawned by the SQL Server service process (sqlservr.exe) on Windows. A database engine has little legitimate reason to start shells or system utilities; when it does, the usual cause is an attacker who has turned SQL injection or stolen credentials into remote code execution (RCE), typically by making the server run operating-system commands (for example through xp_cmdshell) so that the command executes with the privileges of the SQL Server service account, giving unauthorized access or a path to privilege escalation.

The rule is built on process-creation events. It fires when the parent image path ends with sqlservr.exe and the child image is one of a predefined list of executables that attackers commonly use to run commands or scripts in the context of the SQL Server process; certain suspicious command-line patterns are checked in addition to the image name. Matches are raised at high severity. Because SQL Server Agent jobs and maintenance tasks can legitimately spawn such processes, analysts should confirm which job or query caused the launch before treating a hit as a compromise, and tune the rule with filters for known-good jobs rather than lowering its severity.
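The following is an added example, not code from the rule or its authors: a minimal Python re-implementation of the parent/child condition described above, run over a few constructed Sysmon-style process-creation records. The page does not reproduce the rule's actual child-image list or its command-line patterns, so the watch list here is an assumption chosen to illustrate the technique, and the command-line check is omitted. Matching is case-insensitive and uses suffix comparison on the image paths, which mirrors how such rules are usually expressed.

```python
"""Parent/child process check for sqlservr.exe over process-creation events.

Added example; illustrates the detection described on this page and is not
the rule's own logic. Event records follow the Sysmon Event ID 1 field names
(ParentImage, Image, CommandLine, ProcessId).
"""
from typing import Iterable

# Assumption: illustrative watch list, not the rule's actual list.
WATCHED_CHILDREN = (
    "\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\certutil.exe",
    "\\bitsadmin.exe", "\\wmic.exe", "\\reg.exe", "\\whoami.exe",
)
PARENT_SUFFIX = "\\sqlservr.exe"
LEVEL = "high"


def _norm(path: str) -> str:
    # Case-insensitive match; normalise separators so forward slashes
    # in a log export do not defeat the suffix comparison.
    return path.replace("/", "\\").lower()


def matches(event: dict) -> bool:
    """True when ParentImage ends with \\sqlservr.exe and Image is on the list."""
    parent = _norm(event.get("ParentImage", ""))
    image = _norm(event.get("Image", ""))
    return parent.endswith(PARENT_SUFFIX) and any(
        image.endswith(child) for child in WATCHED_CHILDREN
    )


def evaluate(events: Iterable[dict]) -> list[dict]:
    """Return one alert record per matching event, tagged with the rule level."""
    return [
        {
            "ProcessId": e["ProcessId"],
            "Image": e["Image"],
            "CommandLine": e.get("CommandLine", ""),
            "level": LEVEL,
        }
        for e in events
        if matches(e)
    ]


# Constructed sample events, not real telemetry.
_SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SAMPLE_EVENTS = [
    # xp_cmdshell-style command execution: should alert (note upper-case image).
    {"ProcessId": 4120, "ParentImage": _SQLSERVR,
     "Image": r"C:\Windows\System32\CMD.EXE", "CommandLine": "cmd.exe /c whoami"},
    # PowerShell launched by the database engine: should alert.
    {"ProcessId": 4188, "ParentImage": _SQLSERVR,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -c "Get-Process"'},
    # conhost is not on the watch list: no alert.
    {"ProcessId": 4201, "ParentImage": _SQLSERVR,
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0x4"},
    # cmd.exe from an interactive session: wrong parent, no alert.
    {"ProcessId": 5010, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

When deploying the real rule, expect the equivalent of the third and fourth records to be the bulk of the noise you have to reason about: children that are not on the list are invisible to the rule, so the list's contents decide coverage, while tuning should be done with parent- or command-line-specific exclusions for known SQL Server Agent jobs rather than by dropping entries from the list.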
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Process
Created: 2020-12-11