Esc
SQL Stored Procedures - T1505.001
(ATT&CK® Technique)
Definition
Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1505001["SQL Stored Procedures"] --> |invokes| CreateProcess["Create Process"]; class T1505001 OffensiveTechniqueNode;
class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess";
click T1505001 href "/offensive-technique/attack/T1505.001/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; T1505001["SQL Stored Procedures"] --> |creates| StoredProcedure["Stored Procedure"]; class T1505001 OffensiveTechniqueNode;
class StoredProcedure ArtifactNode; click StoredProcedure href "/dao/artifact/d3f:StoredProcedure";
click T1505001 href "/offensive-technique/attack/T1505.001/"; click StoredProcedure href "/dao/artifact/d3f:StoredProcedure"; SoftwareUpdate["Software Update"] -->
| updates | StoredProcedure["Stored Procedure"];
SoftwareUpdate["Software Update"] -.->
| may-harden | T1505001["SQL Stored Procedures"] ;
class SoftwareUpdate DefensiveTechniqueNode;
class StoredProcedure ArtifactNode;
click SoftwareUpdate href "/technique/d3f:SoftwareUpdate"; VariableInitialization["Variable Initialization"] -->
| hardens | StoredProcedure["Stored Procedure"];
VariableInitialization["Variable Initialization"] -.->
| may-harden | T1505001["SQL Stored Procedures"] ;
class VariableInitialization DefensiveTechniqueNode;
class StoredProcedure ArtifactNode;
click VariableInitialization href "/technique/d3f:VariableInitialization"; CredentialScrubbing["Credential Scrubbing"] -->
| hardens | StoredProcedure["Stored Procedure"];
CredentialScrubbing["Credential Scrubbing"] -.->
| may-harden | T1505001["SQL Stored Procedures"] ;
class CredentialScrubbing DefensiveTechniqueNode;
class StoredProcedure ArtifactNode;
click CredentialScrubbing href "/technique/d3f:CredentialScrubbing"; TrustedLibrary["Trusted Library"] -->
| hardens | StoredProcedure["Stored Procedure"];
TrustedLibrary["Trusted Library"] -.->
| may-harden | T1505001["SQL Stored Procedures"] ;
class TrustedLibrary DefensiveTechniqueNode;
class StoredProcedure ArtifactNode;
click TrustedLibrary href "/technique/d3f:TrustedLibrary"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | CreateProcess["Create Process"];
ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
| may-detect | T1505001["SQL Stored Procedures"] ;
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; SystemCallAnalysis["System Call Analysis"] -->
| analyzes | CreateProcess["Create Process"];
SystemCallAnalysis["System Call Analysis"] -.->
| may-detect | T1505001["SQL Stored Procedures"] ;
class SystemCallAnalysis DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; SystemCallFiltering["System Call Filtering"] -->
| filters | CreateProcess["Create Process"];
SystemCallFiltering["System Call Filtering"] -.->
| may-isolate | T1505001["SQL Stored Procedures"] ;
class SystemCallFiltering DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; ExecutableAllowlisting["Executable Allowlisting"] -->
| filters | CreateProcess["Create Process"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| may-isolate | T1505001["SQL Stored Procedures"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] -->
| filters | CreateProcess["Create Process"];
ExecutableDenylisting["Executable Denylisting"] -.->
| may-isolate | T1505001["SQL Stored Procedures"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| restricts | CreateProcess["Create Process"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
| may-isolate | T1505001["SQL Stored Procedures"] ;
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; Application-basedProcessIsolation["Application-based Process Isolation"] -->
| restricts | StoredProcedure["Stored Procedure"];
Application-basedProcessIsolation["Application-based Process Isolation"] -.->
| may-isolate | T1505001["SQL Stored Procedures"] ;
class Application-basedProcessIsolation DefensiveTechniqueNode;
class StoredProcedure ArtifactNode;
click Application-basedProcessIsolation href "/technique/d3f:Application-basedProcessIsolation"; RestoreSoftware["Restore Software"] -->
| restores | StoredProcedure["Stored Procedure"];
RestoreSoftware["Restore Software"] -.->
| may-restore | T1505001["SQL Stored Procedures"] ;
class RestoreSoftware DefensiveTechniqueNode;
class StoredProcedure ArtifactNode;
click RestoreSoftware href "/technique/d3f:RestoreSoftware";