Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Microsoft Flags Attack Targeting SQL Servers With Novel Approach
Attackers appear to have found a way around PowerShell monitoring by using a default utility instead.
1 Min Read
Source: Ian Dagnall via Alamy
Microsoft Security Intelligence this week tweeted a warning about an attack campaign targeting SQL servers and using a new approach to evade PowerShell monitoring.
Instead of PowerShell, these threat actors are using sqlps.exe, a utility that comes standard with every version of SQL and functions as a "wrapper for running SQL-built CMDlets, to run commands and change the start mode of the SQL service to LocalSystem," Microsoft explained in a tweet thread. The new campaign starts with a brute-force attack and ultimately allows attackers to take over the targeted servers and deploy malware such as coin miners.
Defenders should take note of the co-opting of the sqlps.exe utility and start to monitor their SQL server environments for its use as closely as they do for PowerShell, according to the Microsoft Security Intelligence team's advisory tweets.
"The use of this uncommon living-off-the-land binary (LOLBin) highlights the importance of gaining full visibility into the runtime behavior of scripts in order to expose malicious code," the team said.
About the Author
You May Also Like
More Insights
Webinars
Cybersecurity Day: How to Automate Security Analytics with AI and ML
Dec 17, 2024The Dirt on ROT Data
Dec 18, 2024
