Microsoft Flags Attack Targeting SQL Servers With Novel Approach
Attackers appear to have found a way around PowerShell monitoring by using a default utility instead.
Microsoft Security Intelligence this week tweeted a warning about an attack campaign targeting SQL servers and using a new approach to evade PowerShell monitoring.
Instead of PowerShell, these threat actors are using sqlps.exe, a utility that ships with every version of SQL Server and functions as a "wrapper for running SQL-built CMDlets, to run commands and change the start mode of the SQL service to LocalSystem," Microsoft explained in a tweet thread. The campaign starts with a brute-force attack against the server and ultimately allows the attackers to take over the targeted servers and deploy malware such as coin miners.
Defenders should take note of the co-opting of the sqlps.exe utility and start to monitor their SQL server environments for its use as closely as they do for PowerShell, according to the Microsoft Security Intelligence team's advisory tweets.
"The use of this uncommon living-off-the-land binary (LOLBin) highlights the importance of gaining full visibility into the runtime behavior of scripts in order to expose malicious code," the team said.
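The advisory's two observables are a burst of failed SQL logins followed by sqlps.exe being spawned in a way that does not look like routine Agent activity. The following detection sketch is an added example written for this article, not Microsoft's detection logic or code from the tweet thread. It assumes a SIEM-style normalized event schema (constructed here inline), treats SQL Server Agent (sqlagent.exe) as the only expected parent of sqlps.exe (an assumed baseline that each environment should tune), and uses constructed thresholds and sample command lines; the "LocalSystem" command line is a labelled placeholder, not an observed attacker command.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article): failed SQL logins as a
# SIEM might normalize them from the SQL Server error log, plus process-creation
# records as Sysmon / Security 4688 would supply them.
SAMPLE_EVENTS = (
    [{"ts": 5 * i, "kind": "sql_login_failed", "src_ip": "203.0.113.7", "login": "sa"}
     for i in range(30)]
    + [{"ts": 40, "kind": "sql_login_failed", "src_ip": "198.51.100.4", "login": "report_user"}]
    + [
        # Expected use: an Agent PowerShell job step runs through sqlps.exe.
        {"ts": 200, "kind": "process_create",
         "image": r"C:\Program Files\Microsoft SQL Server\150\Tools\Binn\sqlps.exe",
         "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE",
         "cmdline": "sqlps.exe -NoLogo -NoProfile -Command \"Invoke-Sqlcmd -Query 'SELECT 1'\"",
         "user": r"NT Service\SQLSERVERAGENT"},
        # Suspicious: spawned by the database engine itself, command line touches
        # service configuration / LocalSystem (placeholder text, constructed).
        {"ts": 210, "kind": "process_create",
         "image": r"C:\Program Files\Microsoft SQL Server\150\Tools\Binn\sqlps.exe",
         "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
         "cmdline": 'sqlps.exe -Command "<constructed placeholder: reconfigure MSSQLSERVER service to LocalSystem>"',
         "user": r"NT Service\MSSQLSERVER"},
        # Unrelated process, should produce no alert.
        {"ts": 220, "kind": "process_create", "image": r"C:\Windows\System32\cmd.exe",
         "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c dir", "user": "CORP\\dba"},
    ]
)

SQLPS_NAME = "sqlps.exe"
# Assumed baseline: SQL Server Agent is the one parent from which sqlps.exe is
# expected. Tune per environment after reviewing legitimate usage.
EXPECTED_PARENTS = {"sqlagent.exe"}
# Command-line indicators of service (re)configuration, including the
# LocalSystem change the advisory describes.
SERVICE_CHANGE_RE = re.compile(
    r"localsystem|sc(?:\.exe)?\s+config|set-service|changeserviceconfig", re.I)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def brute_force_sources(events, threshold=20, window=300):
    """Source IPs with at least `threshold` failed SQL logins inside any `window`-second span."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["kind"] == "sql_login_failed":
            by_ip[ev["src_ip"]].append(ev["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def classify_sqlps(ev):
    """Severity and reasons for one process-creation event, or None if it is not sqlps.exe."""
    if ev["kind"] != "process_create" or basename(ev["image"]) != SQLPS_NAME:
        return None
    severity = "medium"                       # any sqlps.exe run is logged like powershell.exe
    reasons = ["sqlps.exe executed (monitor as closely as PowerShell)"]
    parent = basename(ev["parent"])
    if parent not in EXPECTED_PARENTS:
        severity = "high"
        reasons.append(f"unexpected parent process {parent}")
    if SERVICE_CHANGE_RE.search(ev["cmdline"]):
        severity = "critical"
        reasons.append("command line references service reconfiguration / LocalSystem")
    return severity, reasons


def detect(events):
    """Alerts for sqlps.exe activity, annotated when login brute force preceded it on this host."""
    attackers = brute_force_sources(events)
    first_failure = min((e["ts"] for e in events if e["kind"] == "sql_login_failed"), default=None)
    alerts = []
    for ev in events:
        result = classify_sqlps(ev)
        if result is None:
            continue
        severity, reasons = result
        if attackers and first_failure is not None and ev["ts"] > first_failure:
            reasons.append(f"preceded by SQL login brute force from {sorted(attackers)}")
        alerts.append({"ts": ev["ts"], "severity": severity, "user": ev["user"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the Agent job step produces a medium alert (worth logging, since the point of the advisory is that sqlps.exe is otherwise invisible to PowerShell-only monitoring) while the engine-spawned run with a service-configuration command line is raised to critical and annotated with the brute-force source. The parent allow-list is the part that most needs local tuning; the command-line regex is deliberately narrow so that it only escalates, never suppresses.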