SQL Client Tools PowerShell Session Detection

calendarMar 5, 2023 · attack.execution attack.t1059.001 attack.defense_evasion attack.t1127  ·
Share on: linkedincopy

This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

Sigma rule (View on GitHub)

 1title: SQL Client Tools PowerShell Session Detection
 2id: a746c9b8-a2fb-4ee5-a428-92bee9e99060
 3status: test
 4description: |
 5  This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.
 6  Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.  
 7references:
 8    - https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml
 9    - https://twitter.com/pabraeken/status/993298228840992768
10author: 'Agro (@agro_sev) oscd.communitly'
11date: 2020/10/13
12modified: 2022/02/25
13tags:
14    - attack.execution
15    - attack.t1059.001
16    - attack.defense_evasion
17    - attack.t1127
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        - Image|endswith: '\sqltoolsps.exe'
24        - ParentImage|endswith: '\sqltoolsps.exe'
25        - OriginalFileName: '\sqltoolsps.exe'
26    filter:
27        ParentImage|endswith: '\smss.exe'
28    condition: selection and not filter
29falsepositives:
30    - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
31level: medium

Related rules

to-top