AN0511: Analytic 0511
Creation or modification of stored procedures invoking xp_cmdshell or CLR assemblies for command execution and persistence.
Analyst context for executives and security teams
This analytic concerns changes to database stored procedures that enable command execution through xp_cmdshell or CLR assemblies. For leaders, the significance is that a database server can become a durable execution point, not just a data store. If attackers or unauthorized administrators can create or alter these objects, they may gain persistence and a path to run operating-system commands from a trusted Windows-hosted database environment.
Executive priority
Prioritize this as a control-validation item for critical Windows database systems because it links identity governance, database administration, change control, and incident response readiness. Executives should ask whether privileged database changes are logged, reviewed, and investigated quickly, and whether evidence exists to prove that risky command-execution capabilities are disabled, tightly governed, or monitored in regulated or business-critical environments.
Technical view
SOC and IR teams should validate visibility into creation and modification of stored procedures, especially those referencing xp_cmdshell or CLR assemblies. Because the ATT&CK object provides no detection logic and no relationships, teams should treat this as a detection-engineering requirement: confirm which Windows database hosts are in scope, which logs capture stored procedure definition changes, which identities performed them, and whether the change aligns with approved administration or deployment activity.
Likely telemetry
- Database audit logs for stored procedure create, alter, and drop events
- Database object definition or schema-change logs showing references to xp_cmdshell or CLR assemblies
- Privileged database account activity and authentication records
- Windows host logs from database servers that can correlate database changes with process or command execution
- Change-management records for approved database deployments or administrative maintenance
Detection direction
- Alert or hunt on stored procedure creation or modification containing references to xp_cmdshell or CLR assemblies, with environment-specific allowlisting for approved administrative use.
- Correlate database object changes with privileged account use, unusual administrator source hosts, after-hours activity, and subsequent Windows process or command execution on the database server.
- Tune carefully for legitimate DBA maintenance, deployment pipelines, or vendor applications that may use stored procedures or CLR features, while requiring documented business justification for command-execution capability.
- Validate blind spots: many environments collect Windows logs but not database-level schema changes, and database audit settings may not retain full object definitions needed to identify risky procedure content.
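The hunt described above, written as an added T-SQL example (not part of the ATT&CK object or the Glexia analysis): it reads SQL Server audit files for successful CREATE/ALTER of stored procedures whose definition references xp_cmdshell or a CLR binding, applies a placeholder allowlist for an approved deployment identity, and marks after-hours changes. It assumes a file-target server audit already writes to D:\SQLAudit\ProcChangeAudit*.sqlaudit (placeholder path) with SCHEMA_OBJECT_CHANGE_GROUP enabled in the target database; the allowlist values are placeholders.

```sql
-- Added example, not from the ATT&CK object or Glexia. Assumed path and allowlist.
DECLARE @AllowedPrincipal sysname       = N'CORP\svc_deploy';   -- placeholder allowlist entry
DECLARE @AllowedApp       nvarchar(128) = N'ReleasePipeline';   -- placeholder allowlist entry

SELECT
    a.event_time,                       -- datetime2, recorded in UTC
    a.action_id,                        -- 'CR' = CREATE, 'AL' = ALTER
    a.server_principal_name,
    a.client_ip,
    a.application_name,
    a.database_name,
    a.schema_name,
    a.object_name,
    CASE
        WHEN a.statement LIKE '%xp_cmdshell%'   THEN 'xp_cmdshell'
        WHEN a.class_type = 'PC'                THEN 'CLR procedure'
        WHEN a.statement LIKE '%EXTERNAL NAME%' THEN 'CLR binding'
    END AS risk_feature,
    -- Crude after-hours marker (UTC, default DATEFIRST): weekend or outside 07-19.
    CASE WHEN DATEPART(WEEKDAY, a.event_time) IN (1, 7)
           OR DATEPART(HOUR, a.event_time) NOT BETWEEN 7 AND 19
         THEN 1 ELSE 0 END AS after_hours,
    -- Full DDL text. Note: statement is nvarchar(4000); longer DDL is split across
    -- records (sequence_number), so a LIKE on one record can miss the reference.
    a.statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\ProcChangeAudit*.sqlaudit', DEFAULT, DEFAULT) AS a
WHERE a.action_id IN ('CR', 'AL')
  AND a.succeeded = 1
  AND a.class_type IN ('P', 'PC')       -- T-SQL or CLR stored procedure
  AND (a.statement LIKE '%xp_cmdshell%'
       OR a.statement LIKE '%EXTERNAL NAME%'
       OR a.class_type = 'PC')
  -- Environment-specific allowlist: approved deployment identity from its usual tool.
  AND NOT (a.server_principal_name = @AllowedPrincipal
           AND a.application_name = @AllowedApp)
ORDER BY a.event_time DESC;
```

The client_ip and application_name columns are what let a responder compare the change against the expected administrator source hosts and deployment tooling named in the detection direction.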
Mitigation priorities
- Inventory Windows database servers where stored procedures, xp_cmdshell, or CLR assemblies could be used for command execution.
- Restrict privileges for creating or altering stored procedures and for enabling command-execution related database features.
- Require change approval and review for database objects that can invoke operating-system commands or load CLR code.
- Enable and retain database auditing sufficient to reconstruct who changed which object, when, from where, and what command-execution feature was referenced.
- Include these events in SOC playbooks so responders can rapidly distinguish approved DBA activity from possible persistence or command execution.
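The inventory and audit steps in the list above, as an added T-SQL example (not part of the ATT&CK object or the Glexia analysis) for one SQL Server instance: it checks whether the command-execution features are enabled, lists existing procedures that reference xp_cmdshell or load user CLR assemblies (with their permission set), and creates a file-target audit so that later definition changes can be reconstructed. It assumes SQL Server 2016 or later on Windows, a database named AppDb and an existing folder D:\SQLAudit\ (all placeholders); the audit group chosen for assembly changes is an assumption noted in the code.

```sql
-- Added example, not from the ATT&CK object or Glexia. AppDb and the path are placeholders.
USE AppDb;
GO
-- 1. Are the command-execution features enabled at all? value_in_use = 1 means yes.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'clr enabled', N'clr strict security');

-- 2. T-SQL procedures whose stored definition references xp_cmdshell.
SELECT s.name AS schema_name, o.name AS procedure_name, o.create_date, o.modify_date
FROM sys.sql_modules AS m
JOIN sys.objects AS o ON o.object_id = m.object_id
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
WHERE o.type = 'P' AND m.definition LIKE '%xp_cmdshell%';

-- 3. CLR-backed objects and the user assembly (and permission set) each one loads;
--    UNSAFE_ACCESS assemblies deserve the closest review.
SELECT s.name AS schema_name, o.name AS object_name, o.type_desc,
       asm.name AS assembly_name, asm.permission_set_desc, asm.create_date
FROM sys.assembly_modules AS am
JOIN sys.objects AS o ON o.object_id = am.object_id
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
JOIN sys.assemblies AS asm ON asm.assembly_id = am.assembly_id
WHERE asm.is_user_defined = 1;

-- 4. Audit definition changes so who/when/from where/what can be rebuilt later.
CREATE SERVER AUDIT ProcChangeAudit
    TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT ProcChangeAudit WITH (STATE = ON);
GO
CREATE DATABASE AUDIT SPECIFICATION ProcChangeDbSpec
    FOR SERVER AUDIT ProcChangeAudit
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),     -- CREATE/ALTER/DROP PROCEDURE and other schema objects
    ADD (DATABASE_OBJECT_CHANGE_GROUP)    -- assumed to cover CREATE/ALTER/DROP ASSEMBLY
    WITH (STATE = ON);
GO
```

Retention is set by MAXSIZE and MAX_ROLLOVER_FILES here; size them to the retention period the playbook needs, and repeat the database audit specification in every database where procedures may be created.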
Analyst notes and limits
This take is based only on the supplied ATT&CK analytic AN0511. The official description identifies creation or modification of stored procedures invoking xp_cmdshell or CLR assemblies for command execution and persistence. No official detection text, tactics, relationships, or external context were supplied, so recommendations focus on validation of telemetry and controls rather than a specific rule.
Coverage depends on local database products, audit configuration, privilege model, and log retention. The supplied object lists Windows as the platform but does not provide a complete detection strategy, associated techniques, adversary use, or mitigation references. Local baselining is required to separate legitimate database administration from suspicious persistence-oriented changes.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 23fea102286a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0511 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.