Threat Actors Gain Fileless Persistence on Targeted SQL Servers Using a Built-in Utility


VTA-00415 – Threat Actors Gain Fileless Persistence on Targeted SQL Servers Using a Built-in Utility


Microsoft recently observed a malicious campaign targeting SQL servers that leverages a built-in PowerShell binary to achieve persistence on compromised systems. The attackers gain initial access through brute-force attacks and stand out for their use of the utility “sqlps.exe”, which ships by default with all versions of SQL Server. The utility is a PowerShell wrapper for running SQL-built cmdlets; the attackers achieve fileless persistence by spawning it to run reconnaissance commands and to change the start mode of the SQL service to LocalSystem. They then use the same module to create a new account with the sysadmin role, in order to take full control of the SQL server.

Severity:
High

Attack Surfaces:
Database

Tactics:
Credential Access, Execution, Persistence

Techniques:
Impair Defenses, Rootkit, Software Deployment Tools, Process Discovery, Command and Scripting Interpreter, Brute Force, Valid Accounts

Active Defense Tactics:
Collect, Detect, Disrupt

Active Defense Techniques:
Baseline, Security Controls, System Activity Monitoring

SuperPRO’s Threat Countermeasures Procedures:
1) Ensure Passwords Are Set for All MySQL Accounts
2) Ensure ‘CHECK_EXPIRATION’ Option is set to ‘ON’ for All SQL Authenticated Logins Within the Sysadmin Role
3) Ensure ‘CHECK_POLICY’ Option is set to ‘ON’ for All SQL Authenticated Logins
4) Ensure ‘Ole Automation Procedures’ Server Configuration Option is set to ‘0’
5) Ensure the ‘sa’ Login Account is set to ‘Disabled’
6) Ensure the ‘sa’ Login Account has been renamed
7) Ensure CONNECT permissions for the ‘guest’ user are Revoked within all SQL Server databases excluding master, msdb and tempdb
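The following T-SQL audit script is an added example, not part of this advisory; it assumes SQL Server 2012 or later and a login permitted to read the server catalog views, and it returns only the rows that violate each of the seven procedures above (an empty result set for a query means that check passes).

```sql
-- 1) SQL-authenticated logins whose password is empty
SELECT name AS login_with_empty_password
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 2) and 3): CHECK_POLICY must be ON for every SQL login, and
--            CHECK_EXPIRATION must be ON for SQL logins holding sysadmin
SELECT l.name,
       l.is_policy_checked,
       l.is_expiration_checked,
       IS_SRVROLEMEMBER('sysadmin', l.name) AS is_sysadmin
FROM sys.sql_logins AS l
WHERE l.is_policy_checked = 0
   OR (l.is_expiration_checked = 0 AND IS_SRVROLEMEMBER('sysadmin', l.name) = 1);

-- 4) 'Ole Automation Procedures' must be 0; value_in_use is the active setting
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'Ole Automation Procedures' AND value_in_use <> 0;

-- 5) and 6): the built-in sa login always has SID 0x01 even after a rename,
--            so match on the SID rather than the name
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01 AND (is_disabled = 0 OR name = 'sa');

-- 7) guest must not hold CONNECT in any user database; one probe per database
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'USE ' + QUOTENAME(name) + N';
SELECT DB_NAME() AS db, pr.name AS principal, dp.permission_name, dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON dp.grantee_principal_id = pr.principal_id
WHERE pr.name = N''guest'' AND dp.permission_name = N''CONNECT'' AND dp.state = N''G'';
'
FROM sys.databases
WHERE name NOT IN ('master', 'msdb', 'tempdb') AND state_desc = 'ONLINE';
EXEC sp_executesql @sql;
```

Run it from a scheduled job or a baseline script and diff the output over time; a sysadmin login that newly appears with CHECK_POLICY off, or a change to the sa row, is worth investigating against the activity described above.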

Contributed by:  3h4d0w
