EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

SQL Client Tools PowerShell Session Detection

This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

MITRE ATT&CK

T1059.001T1127
executiondefense-evasion

Detection Query

selection:
  - Image|endswith: \sqltoolsps.exe
  - ParentImage|endswith: \sqltoolsps.exe
  - OriginalFileName: \sqltoolsps.exe
filter:
  ParentImage|endswith: \smss.exe
condition: selection and not filter

Author

Agro (@agro_sev) oscd.communitly

Created

2020-10-13

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.executionattack.t1059.001attack.defense-evasionattack.t1127
Raw Content
title: SQL Client Tools PowerShell Session Detection
id: a746c9b8-a2fb-4ee5-a428-92bee9e99060
status: test
description: |
  This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.
  Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml
    - https://twitter.com/pabraeken/status/993298228840992768
author: 'Agro (@agro_sev) oscd.communitly'
date: 2020-10-13
modified: 2022-02-25
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense-evasion
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\sqltoolsps.exe'
        - ParentImage|endswith: '\sqltoolsps.exe'
        - OriginalFileName: '\sqltoolsps.exe'
    filter:
        ParentImage|endswith: '\smss.exe'
    condition: selection and not filter
falsepositives:
    - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
level: medium