MITRE ATT&CK® Analytic

AN0512: Analytic 0512

SQL stored procedures that invoke OS-level commands via `xp_cmdshell` equivalent or via UDF (User-Defined Functions) mechanisms.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic points to a high-risk database behavior: SQL logic being used to run operating-system commands on Linux through xp_cmdshell-like features or user-defined function mechanisms. For leaders, the significance is not the SQL feature itself; it is the boundary crossing from database access into host-level execution, which can turn a database security issue into an infrastructure and incident-response problem.

Executive priority

Prioritize this as a control-validation item for Linux-hosted database environments where stored procedures or UDFs are permitted. Security leaders should ask whether database audit logging, host process telemetry, and privilege governance can prove when database code invokes OS-level commands. This matters for resilience, audit evidence, and incident decision-making because weak visibility can leave teams unable to distinguish authorized administrative automation from potentially unsafe database-to-host execution.

Technical view

The supplied ATT&CK object is a detection analytic for Linux and describes SQL stored procedures invoking OS-level commands via xp_cmdshell-equivalent behavior or UDF mechanisms. Because no official detection logic or relationship context is provided, SOC and detection teams should validate coverage by correlating database-side events with Linux host telemetry: procedure or UDF creation/execution, database configuration changes that enable command execution, and OS process creation where the database service account is the parent or execution context. Tune carefully for legitimate DBA maintenance jobs and approved automation.

Likely telemetry

  • Database audit logs for stored procedure execution, UDF creation, UDF loading, and privileged SQL activity
  • Database query logs or statement logs showing calls to OS-command-capable procedures or UDF mechanisms
  • Linux process creation telemetry showing commands launched by the database service account or database daemon
  • File integrity or file write telemetry for database extension, plugin, or UDF-related locations where available
  • Database permission and role-change logs affecting who can create procedures, load UDFs, or execute privileged routines

Detection direction

  • Confirm whether Linux database hosts generate process telemetry that preserves parent process, user, command line, and timestamp context.
  • Correlate database audit events with host process creation to identify database-to-OS execution rather than relying on either source alone.
  • Baseline approved DBA automation and maintenance routines to reduce false positives while keeping alerting for unusual users, new routines, unexpected command interpreters, or rare execution paths.
  • Validate whether logging captures failed attempts as well as successful stored procedure or UDF execution, since sparse logging can hide early investigation signals.
  • Account for the ATT&CK limitation: tactics and official detection logic are not specified, so local database platforms and configurations must drive final detection content.
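The database-to-host correlation the list above describes, as an added example that is not part of the ATT&CK object or of Glexia's analysis: it joins constructed database audit records to constructed Linux process-creation records by time window and execution account, judges each join against a baseline of approved DBA automation, and separately lists OS-capable SQL that produced no process (a failed attempt or a logging gap). The `dbsvc` account, the `APPROVED` baseline and the `OS_CAPABLE_SQL` patterns are assumptions.

```python
import re
from datetime import datetime

# Constructed sample data (not real logs). Database audit records: ts, db user, statement.
DB_AUDIT = [
    ("2024-05-01T10:00:02", "app_user", "SELECT id FROM orders WHERE id = 42"),
    ("2024-05-01T10:01:10", "reporting", "CREATE FUNCTION sys_exec RETURNS INT SONAME 'udf.so'"),
    ("2024-05-01T10:01:12", "reporting", "SELECT sys_exec('id')"),
    ("2024-05-01T11:30:00", "reporting", "EXEC xp_cmdshell 'whoami'"),
    ("2024-05-01T23:00:00", "dba_backup", "CALL maintenance.nightly_backup()"),
]
# Linux process-creation records: ts, account, parent process name, command line.
PROC_EVENTS = [
    ("2024-05-01T10:01:13", "dbsvc", "mysqld", "/bin/sh -c id"),
    ("2024-05-01T10:02:00", "alice", "bash", "/usr/bin/vim notes.txt"),
    ("2024-05-01T23:00:01", "dbsvc", "mysqld", "/usr/local/bin/nightly_backup.sh"),
]
DB_SERVICE_ACCOUNTS = {"dbsvc"}  # assumed: the Linux account the database daemon runs as
# Assumed SQL patterns that can reach the OS (xp_cmdshell-style calls, UDF loading or calls).
OS_CAPABLE_SQL = re.compile(r"xp_cmdshell|CREATE\s+FUNCTION.*\bSONAME\b|sys_exec|sys_eval", re.I)
# Assumed baseline of approved DBA automation: (db user, host command line).
APPROVED = {("dba_backup", "/usr/local/bin/nightly_backup.sh")}

def _ts(s):
    return datetime.fromisoformat(s)

def correlate(db_audit=DB_AUDIT, proc_events=PROC_EVENTS, window_s=5):
    """Join process starts under the DB service account to SQL logged up to window_s seconds earlier."""
    findings = []
    for pts, user, parent, cmd in proc_events:
        if user not in DB_SERVICE_ACCOUNTS:
            continue  # not running in the database's execution context
        t = _ts(pts)
        causes = [(u, stmt) for dts, u, stmt in db_audit
                  if 0 <= (t - _ts(dts)).total_seconds() <= window_s]
        if not causes:
            verdict = "unattributed"  # host evidence with no DB-side record: check DB logging
        elif any((u, cmd) in APPROVED for u, _ in causes):
            verdict = "approved"
        else:
            verdict = "suspicious"
        findings.append({"ts": pts, "parent": parent, "cmd": cmd,
                         "db_users": sorted({u for u, _ in causes}), "verdict": verdict})
    return findings

def unexecuted_os_capable_sql(db_audit=DB_AUDIT, proc_events=PROC_EVENTS, window_s=5):
    """OS-capable SQL with no process start after it: a failed attempt or a logging gap."""
    starts = [_ts(p[0]) for p in proc_events if p[1] in DB_SERVICE_ACCOUNTS]
    return [(u, stmt) for dts, u, stmt in db_audit if OS_CAPABLE_SQL.search(stmt)
            and not any(0 <= (s - _ts(dts)).total_seconds() <= window_s for s in starts)]
```

On the sample data the `/bin/sh -c id` start is flagged as suspicious and tied to the `reporting` user, the nightly backup is approved from the baseline, and the `xp_cmdshell` statement is reported as having no matching process.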

Mitigation priorities

  • Restrict the ability to create, modify, or execute stored procedures and UDFs that can invoke OS-level behavior to tightly governed administrative roles.
  • Disable or avoid OS-command-capable database features where they are not required for approved operations.
  • Run database services with least-privilege Linux service accounts to reduce host-level consequences if database-to-OS execution occurs.
  • Maintain audit logging for privileged SQL activity and Linux process execution on database hosts, and test that the two sources can be joined during investigations.
  • Document approved exceptions and administrative use cases so SOC, IR, and compliance teams can distinguish expected behavior from suspicious execution.

Analyst notes and limits

This Glexia take is based only on ATT&CK analytic AN0512, which describes SQL stored procedures invoking OS-level commands through xp_cmdshell-equivalent or UDF mechanisms on Linux. No ATT&CK relationships, tactics, aliases, or official detection text were supplied, so the emphasis is on defensive validation and evidence readiness rather than a specific rule.

The source object does not identify a specific database product, tactic, related technique, adversary behavior, or detection query. Local database technology, enabled features, logging configuration, and approved administrative workflows are required to determine severity, tuning, and response actions.

Official MITRE ATT&CK definition

Analytic 0512

SQL stored procedures that invoke OS-level commands via `xp_cmdshell` equivalent or via UDF (User-Defined Functions) mechanisms.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 15213c943571efee...


Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.