Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1505-server-software-component

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects the use of “sp_procoption” in Microsoft SQL Server, which can be used by attackers to establish persistence by marking stored procedures to automatically execute on server startup.

Strategy

This rule monitors Windows event logs for SQL Server audit events with ID 33205 that capture the execution of the “sp_procoption” system stored procedure. The detection specifically looks for SQL statements containing EXEC and where the object_name is sp_procoption. The sp_procoption stored procedure is used to mark other stored procedures with the “startup” option, which causes SQL Server to automatically execute them when the database service starts. This is a powerful persistence mechanism that attackers can abuse to maintain access or execute malicious code with the privileges of the SQL Server service account. Such activity is rare in most environments and typically only used for legitimate database maintenance that has been thoroughly reviewed.

Triage & Response

• Analyze the full SQL statement to identify which stored procedure was configured to run at startup on {{host}}.
• Examine the content of the affected stored procedure to understand what actions it performs.
• Verify whether this configuration change was authorized through proper change management channels.
• Check who executed the sp_procoption command by reviewing the associated SQL Server authentication logs.
• Review the stored procedure to determine if it contains malicious code such as commands to interact with the operating system.