SQL Stored Procedures

Information

• Name: SQL Stored Procedures

• ID: T1505.001

• Tactics: TA0003

• Technique: T1505

Introduction

SQL Stored Procedures (T1505.001) is a sub-technique within the MITRE ATT&CK framework categorized under Persistence (T1505). Attackers exploit stored procedures, which are precompiled SQL statements stored in databases, to maintain persistent access, execute malicious commands, or facilitate lateral movement within a compromised environment. Since stored procedures are legitimate database features, adversaries leverage them to evade detection and maintain stealthy persistence.

Deep Dive Into Technique

SQL stored procedures are routines stored directly within database servers that can be invoked by users or applications. Attackers exploit these procedures because they execute with the privileges assigned to the database user context, potentially granting significant control over database resources.

Technical details include:

• Creation and modification of stored procedures: Attackers may create new procedures or modify existing ones to include malicious commands or logic. These commands may enable remote command execution, exfiltration of data, or privilege escalation.

• Execution privileges: Stored procedures typically execute with elevated database privileges, providing attackers with a powerful mechanism to execute commands or queries with minimal restrictions.

• Persistence and stealth: Malicious stored procedures allow attackers to maintain persistence within the database environment. Since stored procedures are legitimate database objects, malicious alterations are often overlooked during routine inspections.

• Commonly targeted database platforms: Microsoft SQL Server, Oracle Database, MySQL, PostgreSQL, and other widely-used database systems.

• Techniques for invoking malicious stored procedures:

  • Scheduled tasks or database jobs configured to periodically invoke the stored procedures.

  • Triggers activated by specific database events, such as data insertion, deletion, or modification.

  • Remote invocation via compromised web applications or database management interfaces.

When this Technique is Usually Used

Attackers typically employ SQL Stored Procedures during various stages of the cyber kill chain, including:

• Persistence: Maintaining long-term access to compromised environments by embedding malicious logic within legitimate database objects.

• Execution: Running malicious commands or scripts directly on the database server with elevated privileges.

• Privilege Escalation: Exploiting stored procedures running under privileged database accounts to escalate privileges and gain further access.

• Defense Evasion: Leveraging legitimate stored procedures to mask malicious activities, avoiding detection by security monitoring tools.

• Lateral Movement: Utilizing stored procedures to pivot from compromised databases to other internal systems within an organization's network.

• Data Exfiltration: Using stored procedures to query sensitive data and send it externally or stage it for later retrieval.

How this Technique is Usually Detected

Detection of malicious SQL Stored Procedures involves a combination of behavioral analysis, monitoring, and auditing tools:

• Database Auditing and Monitoring Tools: Tools such as IBM Guardium, Imperva SecureSphere, or native database audit logging capabilities can monitor and alert on unusual stored procedure creation or modification.

• Behavioral Analysis: Identify stored procedures that execute abnormal or suspicious queries, commands, or system-level operations.

• Integrity Checks: Regularly compare stored procedures against known-good baselines or golden images to detect unauthorized modifications.

• SIEM and Log Analysis: Integrate database logs into Security Information and Event Management (SIEM) systems to detect anomalies, such as unexpected stored procedure execution or changes.

• Indicators of Compromise (IoCs):

  • Unusual or unauthorized stored procedure creation or modification events.

  • Stored procedures containing suspicious code snippets, such as shell execution commands (e.g., xp_cmdshell in MS SQL Server).

  • Database logs showing stored procedures executing abnormal queries or making outbound network connections.

  • Scheduled database jobs or triggers invoking stored procedures at unusual intervals or times.

Why it is Important to Detect This Technique

Detecting malicious SQL Stored Procedures is critical due to the severe potential impacts on organizational security, including:

• Persistence and Long-term Compromise: Malicious procedures can maintain attacker persistence for extended periods, allowing continued unauthorized access.

• Data Exfiltration Risk: Attackers can leverage stored procedures to silently extract sensitive or confidential data from databases.

• Privilege Escalation and System Compromise: Exploited stored procedures running with elevated privileges can lead to full control over database systems and potentially other connected internal resources.

• Lateral Movement Facilitation: Stored procedures can serve as pivot points, enabling attackers to move laterally within the network environment, compromising additional systems and databases.

• Difficulty of Remediation: Malicious stored procedures embedded within legitimate database routines can be challenging to detect and remove, complicating incident response and remediation efforts.

Early detection of malicious stored procedures significantly reduces the window of opportunity for attackers, limiting damage, data loss, and remediation complexity.

Examples

Real-world examples of SQL Stored Procedures exploitation include:

• xp_cmdshell Abuse in Microsoft SQL Server:

  • Attackers frequently use the built-in extended stored procedure xp_cmdshell to execute operating system commands on compromised MS SQL servers.

  • Example scenario: Attackers compromise a web application and leverage SQL injection to enable and execute xp_cmdshell, allowing remote command execution.

  • Impact: Attackers gain full control over the compromised database server, enabling data exfiltration, lateral movement, and further compromise.

• FIN7 Group Attacks:

  • FIN7, a financially motivated threat group, has utilized SQL stored procedures to maintain persistence and execute malicious payloads within targeted environments.

  • Attack scenario: FIN7 used stored procedures to schedule malicious database jobs, enabling persistent remote access and data exfiltration.

  • Impact: Significant financial losses, data breaches, and long-term compromise within the targeted organizations.

• Oracle Database Malicious Stored Procedures:

  • Attackers have been known to embed malicious logic into Oracle database stored procedures, utilizing PL/SQL to execute unauthorized commands or queries.

  • Scenario: Attackers modify existing database triggers or procedures to exfiltrate sensitive data or escalate privileges.

  • Impact: Compromise of sensitive financial, customer, or intellectual property data, leading to severe reputational and financial damage.

• Magecart Attacks via Stored Procedures:

  • Magecart attackers have employed malicious stored procedures in e-commerce databases to inject JavaScript skimmers into web pages dynamically.

  • Scenario: Attackers compromise e-commerce databases, modify stored procedures to insert malicious JavaScript into web pages during checkout processes.

  • Impact: Theft of customer credit card details, financial fraud, and significant reputational harm to victim organizations.