{"id":24563,"date":"2022-05-19T09:35:21","date_gmt":"2022-05-19T07:35:21","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=24563"},"modified":"2022-11-04T11:40:55","modified_gmt":"2022-11-04T10:40:55","slug":"microsoft-beobachtet-angriffe-auf-microsoft-sql-server-per-powershell","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/05\/19\/microsoft-beobachtet-angriffe-auf-microsoft-sql-server-per-powershell\/","title":{"rendered":"Microsoft observed attacks on Microsoft SQL Server via PowerShell"},"content":{"rendered":"<p><img decoding=\"async\" title=\"Security (Pexels, general use)\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" alt=\"Security (Pexels, general use)\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Sicherheit_klein.jpg\" width=\"200\">[<a href=\"https:\/\/www.borncity.com\/blog\/2022\/05\/19\/microsoft-beobachtet-angriffe-auf-microsoft-sql-server-per-powershell\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]The Microsoft security team is currently warning about a campaign in which unknown attackers are targeting Microsoft SQL databases. A brute force approach is used to crack the database access. What is new is that the campaign uses the <em>sqlps.exe<\/em> tool in conjunction with PowerShell scripts.<\/p>\n<p><!--more--><\/p>\n<h2>Description of the campaign<\/h2>\n<p>The information can be found in a series of <a href=\"https:\/\/twitter.com\/MsftSecIntel\/status\/1526680351858475008\" target=\"_blank\" rel=\"noopener\">tweets<\/a> published by Microsoft Security Intelligence in recent days. 
According to the tweets, Microsoft's security team recently observed a campaign that specifically targets Microsoft SQL Server.<\/p>\n<p><a href=\"https:\/\/twitter.com\/MsftSecIntel\/status\/1526680351858475008\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Campaign targeting Microsoft SQL Server\" alt=\"Campaign targeting Microsoft SQL Server\" src=\"https:\/\/i.imgur.com\/F7k9SEE.png\"><\/a><\/p>\n<p>A brute force approach is used to try to crack password-protected access to the SQL database. This is nothing new; the approach has been used for years. What is new, according to Microsoft, is the use of the <em>sqlps.exe<\/em> tool supplied with SQL Server in conjunction with PowerShell scripts. This utility starts a Windows PowerShell session with the SQL Server PowerShell provider and cmdlets loaded and registered. Users can enter PowerShell commands or scripts that use the SQL Server PowerShell components to work with instances of SQL Server and its objects.<\/p>\n<blockquote>\n<p>Microsoft writes <a href=\"https:\/\/docs.microsoft.com\/en-us\/sql\/tools\/sqlps-utility?view=sql-server-ver15\" target=\"_blank\" rel=\"noopener\">here<\/a> that this feature will be removed in a future release of Microsoft SQL Server. The use of this feature should be avoided in new developments.<\/p>\n<\/blockquote>\n<p>Microsoft also explains why the attackers use this utility. They achieve so-called \"fileless persistence\" by launching <em>sqlps.exe<\/em>, a PowerShell wrapper for executing SQL cmdlets. They then run commands to explore the database and try to change the SQL service startup mode to LocalSystem. The attackers also use <em>sqlps.exe<\/em> to create a new sysadmin account, which gives them full control over the SQL Server. 
This allows them to perform further actions, such as deploying payloads like crypto miners.<\/p>\n<h2>Monitor your PowerShell scripts<\/h2>\n<p>Microsoft writes that Defender normally monitors the use of PowerShell in the given environment. The <em>sqlps.exe<\/em> utility, which ships with all SQL Server versions, offers similar functionality for invoking a PowerShell session. However, with the technique outlined above, the attack leaves no trace, because <a href=\"https:\/\/docs.microsoft.com\/en-us\/powershell\/module\/microsoft.powershell.core\/about\/about_logging_windows?view=powershell-7.2#enabling-script-block-logging\" target=\"_blank\" rel=\"noopener\">Script Block Logging<\/a>, whose records appear in the Windows Event Viewer, is bypassed.<\/p>\n<p>The use of this unusual living-off-the-land binary (LOLBin), according to Microsoft, demonstrates the need to fully understand the runtime behavior of scripts in order to detect malicious code. Script execution via <em>sqlps.exe<\/em> should therefore also be monitored.<\/p>\n<p>The runtime behavior of scripts can be analyzed via the Antimalware Scan Interface (AMSI), an open interface that allows applications to request a synchronous scan of a memory buffer by an antimalware product at runtime. 
Microsoft Defender Antivirus integrates with AMSI and detects this threat as <em>Trojan:PowerShell\/SuspSQLUsage.A<\/em>.<\/p>\n<h2>Securing an SQL Server<\/h2>\n<p>In <a href=\"https:\/\/web.archive.org\/web\/20221026140759\/https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-warns-of-brute-force-attacks-targeting-mssql-servers\/\" target=\"_blank\" rel=\"noopener\">this article<\/a>, the colleagues at Bleeping Computer give some more hints on what administrators can do to secure an SQL server.<\/p>\n<p><a href=\"https:\/\/twitter.com\/BleepinComputer\/status\/1526917411731034115\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"SQL Server attacks\" alt=\"SQL Server attacks\" src=\"https:\/\/i.imgur.com\/yhyqxl3.png\"><\/a><\/p>\n<p>Besides the advice not to expose the SQL server to the Internet, one should use a strong administrator password that cannot easily be cracked by brute force. One should also place the SQL server behind a firewall and enable logging to monitor suspicious or unexpected activity, including repeated login attempts. 
It should also go without saying that the SQL server must be kept up to date with the latest patches.<\/p>\n<p><strong>Similar articles:<br \/><\/strong><a href=\"https:\/\/borncity.com\/win\/2022\/03\/17\/gh0stcringe-malware-zielt-auf-ungesicherte-microsoft-sql-und-mysql-server\/\">Gh0stCringe malware targets unsecured Microsoft SQL and MySQL servers<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2022\/02\/07\/windows-11-may-bricks-mssql-server-instances-no-longer-executable\/\">Windows 11 may bricks MSSQL server instances; no longer executable<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/04\/02\/hackers-infects-thousands-of-ms-sql-servers-with-backdoors\/\">Hackers infects thousands of MS SQL servers with backdoors<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]The Microsoft security team is currently warning about a campaign in which unknown attackers are targeting Microsoft SQL databases. A brute force approach is used to crack the database access. What is new is that the campaign uses the &hellip; <a href=\"https:\/\/borncity.com\/win\/2022\/05\/19\/microsoft-beobachtet-angriffe-auf-microsoft-sql-server-per-powershell\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547],"tags":[69,1544,2730],"class_list":["post-24563","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-security","tag-software","tag-sql"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/24563","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=24563"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/24563\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=24563"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=24563"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=24563"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}