Detection of PowerShell Execution via Sqlps.exe

calendar Mar 5, 2023 · attack.execution attack.t1059.001 attack.defense_evasion attack.t1127  ·
Share on: linkedin copy

This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

Sigma rule (View on GitHub)

 1title: Detection of PowerShell Execution via Sqlps.exe
 2id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3
 3status: test
 4description: |
 5  This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.
 6  Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.  
 7references:
 8    - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
 9    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
10    - https://twitter.com/bryon_/status/975835709587075072
11author: 'Agro (@agro_sev) oscd.community'
12date: 2020/10/10
13modified: 2022/12/09
14tags:
15    - attack.execution
16    - attack.t1059.001
17    - attack.defense_evasion
18    - attack.t1127
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_parent:
24        ParentImage|endswith: '\sqlps.exe'
25    selection_image:
26        - Image|endswith: '\sqlps.exe'
27        - OriginalFileName: 'sqlps.exe'
28    filter_image:
29        ParentImage|endswith: '\sqlagent.exe'
30    condition: selection_parent or (selection_image and not filter_image)
31falsepositives:
32    - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
33level: medium

References

  • sqlps Utility - SQL Server

    The sqlps utility starts a Windows PowerShell session with the SQL Server PowerShell provider and cmdlets loaded and registered.


    Read More

  • Sqlps | LOLBAS

    .. /Sqlps.exe Star Execute Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are Powershell v2. Microsoft SQL Server\120 and 130 are Powershell...


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

Related rules

to-top