
Hackers Gain Fileless Persistence on Targeted SQL Servers Using a Built-in Utility
2022-05-20 20:13

Microsoft on Tuesday warned that it recently spotted a malicious campaign targeting SQL Servers that leverages a built-in PowerShell binary to achieve persistence on compromised systems.

The intrusions, which use brute-force attacks against SQL Server logins as the initial compromise vector, stand out for their use of the utility "sqlps.exe," the tech giant said in a series of tweets.

The sqlps.exe utility, which ships by default with every version of SQL Server, is what SQL Server Agent (the Windows service that runs scheduled jobs) uses to execute job steps through the PowerShell subsystem. Because it is a legitimate, expected process on a database host, nothing needs to be dropped on disk for the attacker to get a PowerShell session there.

"The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem," Microsoft noted.

The attackers have also been observed using the same utility to create a new login and add it to the sysadmin fixed server role, which gives them full control over the SQL Server instance and a way back in if the brute-forced credentials are later rotated.

The advantage for the attacker is that the activity is fileless: no new executable or script is written to disk, and because the work is done by a trusted Microsoft binary that is supposed to be running on the host, it is less likely to be flagged by antivirus software. Fileless is not the same as traceless, however. Process-creation telemetry still records sqlps.exe, its parent process and its command line, and SQL Server's own logs and audit (where enabled) still record new logins and server-role changes, so those are the places to hunt.
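As an added example (not Microsoft's detection logic and not code from the article), the following Python hunt runs over constructed process-creation records shaped like Sysmon Event ID 1 and flags the behaviour described above: sqlps.exe started by something other than SQL Server Agent, recon or service-configuration commands on the sqlps.exe command line, a sysadmin grant issued through it, and shell or account-management binaries spawned anywhere beneath it. The indicator keyword lists, the "SQL Agent is the only expected parent" rule, the file paths and the sample events are all assumptions made for the example.

```python
from dataclasses import dataclass

# Indicator lists are this example's assumptions about how the described
# abuse would appear on a command line; they are not from Microsoft's report.
RECON_TOKENS = ("whoami", "systeminfo", "ipconfig", "net user",
                "net localgroup", "get-localuser", "get-ciminstance")
SERVICE_CHANGE_TOKENS = ("sc config", "sc.exe config", "obj= localsystem",
                         "set-service", "startmode")
SYSADMIN_TOKENS = ("sysadmin", "sp_addsrvrolemember")
# A SQL Agent PowerShell job step has little reason to spawn these.
SUSPICIOUS_CHILDREN = {"sc.exe", "net.exe", "net1.exe", "whoami.exe",
                       "cmd.exe", "reg.exe", "powershell.exe"}
# Assumption: the only normal parent of sqlps.exe is the SQL Agent service.
EXPECTED_PARENTS = {"sqlagent.exe"}

SQLPS = r"C:\Program Files\Microsoft SQL Server\130\Tools\Binn\SQLPS.EXE"
AGENT = r"C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE"
ENGINE = r"C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str
    user: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _hits(cmd: str, tokens) -> list:
    low = cmd.lower()
    return [t for t in tokens if t in low]


def ancestors(ev: ProcEvent, by_pid: dict) -> list:
    """Image basenames of ev's parent, grandparent, ... following ppid links."""
    chain = [basename(ev.parent_image)]
    cur, seen = by_pid.get(ev.ppid), {ev.pid}
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.parent_image))
        cur = by_pid.get(cur.ppid)
    return chain


def score_event(ev: ProcEvent, by_pid: dict) -> list:
    """Return the reasons an event is suspicious (empty list means clean)."""
    reasons, name, lineage = [], basename(ev.image), ancestors(ev, by_pid)
    if name == "sqlps.exe":
        if lineage[0] not in EXPECTED_PARENTS:
            reasons.append(f"sqlps.exe started by {lineage[0]} rather than SQL Agent")
        for label, toks in (("recon", RECON_TOKENS),
                            ("service change", SERVICE_CHANGE_TOKENS),
                            ("sysadmin grant", SYSADMIN_TOKENS)):
            hit = _hits(ev.command_line, toks)
            if hit:
                reasons.append(f"{label} tokens in sqlps.exe command line: {hit}")
    elif name in SUSPICIOUS_CHILDREN and "sqlps.exe" in lineage:
        reasons.append(f"{name} spawned under sqlps.exe (via {' <- '.join(lineage)})")
    return reasons


def hunt(events) -> dict:
    """Map pid -> reasons for every event that scored at least one reason."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: r for e in events if (r := score_event(e, by_pid))}


# Constructed sample telemetry (not real logs): one benign Agent job step,
# an engine-launched recon/persistence chain, and a sysadmin grant.
SAMPLE_EVENTS = [
    ProcEvent(4100, 3000, SQLPS, AGENT,
              "SQLPS.EXE -NoLogo -NoProfile -Command \"Invoke-Sqlcmd -Query 'EXEC dbo.usp_nightly_maint'\"",
              r"NT Service\SQLSERVERAGENT"),
    ProcEvent(5200, 2500, SQLPS, ENGINE,
              'SQLPS.EXE -NoLogo -Command "whoami; systeminfo; sc.exe config MSSQLSERVER obj= LocalSystem"',
              r"NT Service\MSSQLSERVER"),
    ProcEvent(5210, 5200, r"C:\Windows\System32\cmd.exe", SQLPS,
              "cmd.exe /c net user svc_backup P@ssw0rd! /add", r"NT Service\MSSQLSERVER"),
    ProcEvent(5220, 5210, r"C:\Windows\System32\net.exe", r"C:\Windows\System32\cmd.exe",
              "net user svc_backup P@ssw0rd! /add", r"NT Service\MSSQLSERVER"),
    ProcEvent(6300, 3000, SQLPS, AGENT,
              "SQLPS.EXE -Command \"Invoke-Sqlcmd -Query 'CREATE LOGIN svc_backup WITH PASSWORD=N''x''; "
              "ALTER SERVER ROLE sysadmin ADD MEMBER svc_backup'\"",
              r"NT Service\SQLSERVERAGENT"),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

Walking the ppid chain rather than matching only the immediate parent matters here: the account-creation step is two hops below sqlps.exe (sqlps.exe runs cmd.exe, which runs net.exe), and a parent-only rule would miss it. The keyword lists will need tuning against your own Agent jobs before alerting on them; the point is that every step of this "fileless" chain still shows up in process telemetry.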


News URL

https://thehackernews.com/2022/05/hackers-gain-fileless-persistence-on.html