EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Detection of PowerShell Execution via Sqlps.exe

This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

MITRE ATT&CK

T1059.001T1127
executiondefense-evasion

Detection Query

selection_parent:
  ParentImage|endswith: \sqlps.exe
selection_image:
  - Image|endswith: \sqlps.exe
  - OriginalFileName: sqlps.exe
filter_image:
  ParentImage|endswith: \sqlagent.exe
condition: selection_parent or (selection_image and not filter_image)

Author

Agro (@agro_sev) oscd.community

Created

2020-10-10

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.executionattack.t1059.001attack.defense-evasionattack.t1127
Raw Content
title: Detection of PowerShell Execution via Sqlps.exe
id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3
status: test
description: |
  This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.
  Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
references:
    - https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
    - https://twitter.com/bryon_/status/975835709587075072
author: 'Agro (@agro_sev) oscd.community'
date: 2020-10-10
modified: 2022-12-09
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense-evasion
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\sqlps.exe'
    selection_image:
        - Image|endswith: '\sqlps.exe'
        - OriginalFileName: 'sqlps.exe'
    filter_image:
        ParentImage|endswith: '\sqlagent.exe'
    condition: selection_parent or (selection_image and not filter_image)
falsepositives:
    - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
level: medium