MITRE ATT&CK® Detection Strategy

DET0181: Detection Strategy for SQL Stored Procedures Abuse via T1505.001

Enterprise | DET0181 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because it is tied to SQL stored procedure abuse for persistence. In business terms, database-resident logic can become a durable foothold that may survive normal application restarts and can be missed if monitoring focuses only on endpoints or network traffic. Leaders should treat this as a database security, SOC visibility, and incident response readiness question: can the organization prove it would notice suspicious creation, modification, or execution of stored procedures in important SQL environments?

Executive priority

Prioritize validation for business-critical databases on Windows and Linux where stored procedures are used. The decision value is not whether ATT&CK provides a complete detection here—it does not—but whether the organization has audit evidence, ownership, and response procedures for database-level persistence. This is relevant to operational resilience, compliance evidence around privileged database changes, and incident decision-making when persistence may exist outside standard endpoint controls.

Technical view

The ATT&CK object is a detection strategy for T1505.001, SQL Stored Procedures, under persistence. Because the official object provides no detection text and no platform list of its own, SOC and detection teams should anchor validation to the related technique: adversaries may craft malicious stored procedures that can be invoked directly or via defined events such as SQL server application start or restart. Validate whether database auditing, change monitoring, and privileged activity review can identify unusual stored procedure creation, modification, permission changes, and execution patterns in SQL environments on supported Windows and Linux database hosts.

Likely telemetry

  • Database audit logs for stored procedure creation, alteration, deletion, and execution
  • Database server logs showing startup or restart-related procedure execution where available
  • Privileged database account activity and authentication records
  • Change management records for approved stored procedure deployments
  • Host logs from Windows or Linux database servers that can correlate database changes with process, service, or administrative activity

Detection direction

  • Baseline legitimate stored procedure deployment and maintenance activity so detections can distinguish approved database releases from unexpected persistence-related changes.
  • Alert or review on stored procedure creation or modification by unusual accounts, outside approved change windows, or on high-value databases.
  • Correlate database changes with privileged logons, server restart events, and host activity on the database server to support incident triage.
  • Check for blind spots where endpoint detection exists but database audit logging is disabled, not centralized, or lacks stored procedure-level detail.
  • Tune for administrative and application deployment false positives by integrating change tickets, release windows, and known database owner activity.
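As an added illustration of the detection direction above (example code written for this page, not Glexia's or MITRE's own analytic), the function below runs the stated rules over a handful of constructed database audit records: only stored-procedure lifecycle statements are considered, and each is checked against an assumed approved deployment login set, an assumed change window, and an assumed high-value database list; a statement that registers a procedure to run at server startup is also surfaced, matching the restart-triggered execution the technical view mentions.

```python
import re
from datetime import datetime, time

# Constructed sample audit records (assumed format: timestamp, database, login,
# statement text). Real audit log schemas differ; map them to this tuple shape.
AUDIT_RECORDS = [
    ("2024-05-01T21:15:00", "billing", "svc_deploy", "CREATE PROCEDURE dbo.usp_post_invoice AS ..."),
    ("2024-05-02T03:40:00", "billing", "sa", "ALTER PROCEDURE dbo.usp_nightly_rollup AS ..."),
    ("2024-05-02T03:41:00", "billing", "sa", "EXEC sp_procoption 'usp_nightly_rollup', 'startup', 'on'"),
    ("2024-05-02T10:05:00", "hr", "app_user", "CREATE PROCEDURE dbo.usp_tmp_export AS ..."),
    ("2024-05-02T11:00:00", "billing", "svc_deploy", "EXEC dbo.usp_post_invoice"),
]

# Assumed baseline, normally fed from change management and database ownership records.
APPROVED_LOGINS = {"svc_deploy"}
CHANGE_WINDOW = (time(20, 0), time(23, 0))   # approved evening release window
HIGH_VALUE_DBS = {"billing"}

# Lifecycle events: create/alter/drop of a procedure. Plain EXEC calls are baseline.
LIFECYCLE = re.compile(r"^\s*(CREATE|ALTER|DROP)\s+(OR\s+ALTER\s+)?PROC(EDURE)?\b", re.I)
# sp_procoption ... 'startup' marks a procedure to run when the server starts.
STARTUP_OPT = re.compile(r"sp_procoption\b.*\bstartup\b", re.I)


def classify(record):
    """Return the review reasons for one audit record; an empty list means routine."""
    ts, db, login, stmt = record
    is_lifecycle = bool(LIFECYCLE.search(stmt))
    is_startup = bool(STARTUP_OPT.search(stmt))
    if not (is_lifecycle or is_startup):
        return []
    reasons = []
    if login not in APPROVED_LOGINS:
        reasons.append("login not in approved deployment set")
    when = datetime.fromisoformat(ts).time()
    if not (CHANGE_WINDOW[0] <= when <= CHANGE_WINDOW[1]):
        reasons.append("outside approved change window")
    if db in HIGH_VALUE_DBS:
        reasons.append("high-value database")
    if is_startup:
        reasons.append("procedure marked to run at server startup")
    return reasons


def review_queue(records):
    """(timestamp, login, reasons) for every record that needs analyst review."""
    return [(r[0], r[2], classify(r)) for r in records if classify(r)]
```

On the constructed data the approved evening deployment still lands in the queue, flagged only as a high-value database change, so the analyst can close it against the change ticket rather than suppress it outright.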

Mitigation priorities

  • Identify critical SQL environments and assign ownership for stored procedure governance and monitoring.
  • Ensure database auditing captures stored procedure lifecycle events and privileged database activity where the platform supports it.
  • Restrict who can create or modify stored procedures using least-privilege database administration practices.
  • Require change control for stored procedure deployments and retain evidence for audit and incident review.
  • Include database-resident persistence checks in incident response playbooks for suspected persistence, especially on Windows and Linux database servers.

Analyst notes and limits

The supplied ATT&CK detection strategy object has no official description or detection guidance. The useful context comes from its relationship to T1505.001, SQL Stored Procedures, which is a persistence technique affecting Windows and Linux platforms. Treat this as a prompt to assess local database telemetry and control maturity rather than as a ready-made analytic.

This take is limited to the supplied STIX fields, the MITRE external reference for DET0181, and the stated relationship to T1505.001. It does not establish active exploitation, actor attribution, product coverage, or guaranteed detection. Local database technologies, audit configuration, and change-management practices are required to determine actual coverage.

Official MITRE ATT&CK definition

Detection Strategy for SQL Stored Procedures Abuse via T1505.001

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name                                   Relationship / procedure
Enterprise  T1505.001  SQL Stored Procedures (Sub-technique)  This object detects SQL Stored Procedures.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: bf6d5449c98b9a29...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  bf6d5449c98b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0181 (external reference; source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.