MITRE ATT&CK Technique
Description
Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted). Adversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019) To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019)(Citation: Microsoft xp_cmdshell 2017) Microsoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.).(Citation: Microsoft CLR Integration 2017) Adversaries may craft or modify CLR assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.(Citation: NetSPI SQL Server CLR)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2019-12-12T14:59:58.168Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may abuse SQL stored procedures to establish '
'persistent access to systems. SQL Stored Procedures are code '
'that can be saved and reused so that database users do not '
'waste time rewriting frequently used SQL queries. Stored '
'procedures can be invoked via SQL statements to the database '
'using the procedure name or via defined events (e.g. when a '
'SQL server application is started/restarted).\n'
'\n'
'Adversaries may craft malicious stored procedures that can '
'provide a persistence mechanism in SQL database '
'servers.(Citation: NetSPI Startup Stored '
'Procedures)(Citation: Kaspersky MSSQL Aug 2019) To execute '
'operating system commands through SQL syntax the adversary '
'may have to enable additional functionality, such as '
'xp_cmdshell for MSSQL Server.(Citation: NetSPI Startup Stored '
'Procedures)(Citation: Kaspersky MSSQL Aug 2019)(Citation: '
'Microsoft xp_cmdshell 2017) \n'
'\n'
'Microsoft SQL Server can enable common language runtime (CLR) '
'integration. With CLR integration enabled, application '
'developers can write stored procedures using any .NET '
'framework language (e.g. VB .NET, C#, etc.).(Citation: '
'Microsoft CLR Integration 2017) Adversaries may craft or '
'modify CLR assemblies that are linked to stored procedures '
'since these CLR assemblies can be made to execute arbitrary '
'commands.(Citation: NetSPI SQL Server CLR) ',
'external_references': [{'external_id': 'T1505.001',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1505/001'},
{'description': 'Microsoft. (2017, June 19). Common '
'Language Runtime Integration. '
'Retrieved July 8, 2019.',
'source_name': 'Microsoft CLR Integration 2017',
'url': 'https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017'},
{'description': 'Microsoft. (2017, March 15). '
'xp_cmdshell (Transact-SQL). '
'Retrieved September 9, 2019.',
'source_name': 'Microsoft xp_cmdshell 2017',
'url': 'https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017'},
{'description': 'Plakhov, A., Sitchikhin, D. (2019, '
'August 22). Agent 1433: remote '
'attack on Microsoft SQL Server. '
'Retrieved September 4, 2019.',
'source_name': 'Kaspersky MSSQL Aug 2019',
'url': 'https://securelist.com/malicious-tasks-in-ms-sql-server/92167/'},
{'description': 'Sutherland, S. (2016, March 7). '
'Maintaining Persistence via SQL '
'Server – Part 1: Startup Stored '
'Procedures. Retrieved September 12, '
'2024.',
'source_name': 'NetSPI Startup Stored Procedures',
'url': 'https://www.netspi.com/blog/technical-blog/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/'},
{'description': 'Sutherland, S. (2017, July 13). '
'Attacking SQL Server CLR Assemblies. '
'Retrieved September 12, 2024.',
'source_name': 'NetSPI SQL Server CLR',
'url': 'https://www.netspi.com/blog/technical-blog/adversary-simulation/attacking-sql-server-clr-assemblies/'}],
'id': 'attack-pattern--f9e9365a-9ca2-4d9c-8e7c-050d73d1101a',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-10-24T17:49:38.624Z',
'name': 'SQL Stored Procedures',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Carlos Borges, @huntingneo, CIP',
'Lucas da Silva Pereira, @vulcanunsec, CIP',
'Kaspersky'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows', 'Linux'],
'x_mitre_version': '1.1'}