Detection of PowerShell Execution via Sqlps.exe

This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

Sigma rule (View on GitHub)

 1title: Detection of PowerShell Execution via Sqlps.exe
 2id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3
 3status: test
 4description: |
 5  This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.
 6  Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.  
 7references:
 8    - https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
 9    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
10    - https://twitter.com/bryon_/status/975835709587075072
11author: 'Agro (@agro_sev) oscd.community'
12date: 2020-10-10
13modified: 2022-12-09
14tags:
15    - attack.execution
16    - attack.t1059.001
17    - attack.defense-evasion
18    - attack.t1127
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_parent:
24        ParentImage|endswith: '\sqlps.exe'
25    selection_image:
26        - Image|endswith: '\sqlps.exe'
27        - OriginalFileName: 'sqlps.exe'
28    filter_image:
29        ParentImage|endswith: '\sqlagent.exe'
30    condition: selection_parent or (selection_image and not filter_image)
31falsepositives:
32    - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
33level: medium

References

Related rules

to-top