Attackers appear to have found a way around PowerShell monitoring by using a default utility instead.

Dark Reading Staff, Dark Reading

May 18, 2022

1 Min Read
Corporate building with Microsoft sign/logo in front.
Source: Ian Dagnall via Alamy

Microsoft Security Intelligence this week tweeted a warning about an attack campaign targeting SQL servers and using a new approach to evade PowerShell monitoring. 

Instead of PowerShell, these threat actors are using sqlps.exe, a utility that comes standard with every version of SQL and functions as a "wrapper for running SQL-built CMDlets, to run commands and change the start mode of the SQL service to LocalSystem," Microsoft explained in a tweet thread. The new campaign starts with a brute-force attack and ultimately allows attackers to take over the targeted servers and deploy malware such as coin miners. 

Defenders should take note of the co-opting of the sqlps.exe utility and start to monitor their SQL server environments for its use as closely as they do for PowerShell, according to the Microsoft Security Intelligence team's advisory tweets

"The use of this uncommon living-off-the-land binary (LOLBin) highlights the importance of gaining full visibility into the runtime behavior of scripts in order to expose malicious code," the team said.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights