Researchers from Microsoft Security Intelligence recently reported continued use of sqlps.exe, a Living Off the Land Binary (LOLBIN), in attacks against SQL servers. sqlps.exe ships with every SQL Server installation: it is a PowerShell wrapper that loads the SQL Server cmdlets, and SQL Server Agent uses it to run the PowerShell steps of scheduled jobs. Once attackers have obtained the necessary access, they can use the same binary for reconnaissance and to reconfigure the SQL Server service so that it runs as LocalSystem. From there they escalate privilege further, for example by creating a new login and adding it to the sysadmin role, which grants total control over the SQL server.
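The behaviours above (sqlps.exe launched outside of SQL Server Agent, reconnaissance commands, service reconfiguration to LocalSystem, and sysadmin role grants) are what a detection should key on. The following triage routine is an added example written for this page; it is not Microsoft's or Binary Defense's code. It assumes process-creation events with the Sysmon Event ID 1 field names Image, ParentImage and CommandLine (Security 4688 records map onto the same fields), and the sample events, file paths and account names in it are constructed for illustration.

```python
"""Triage sqlps.exe process-creation events for the LOLBIN abuse described above.

Added example, not the page's or Microsoft's code. Input: dicts with Sysmon-style
Image, ParentImage and CommandLine fields. All sample events below are constructed.
"""
import re

# SQL Server Agent runs PowerShell job steps through sqlps.exe, so SQLAGENT.EXE is the
# parent we expect. Assumption: tune this set to what is normal in the environment.
EXPECTED_PARENTS = {"sqlagent.exe"}

# Each indicator maps to a behaviour from the campaign description and a severity weight.
INDICATORS = {
    "recon": (1, re.compile(
        r"\b(whoami|systeminfo|hostname|ipconfig|net\s+(user|group|localgroup))\b", re.I)),
    "service_reconfig": (2, re.compile(r"set-service|\bsc(\.exe)?\s+config\b|win32_service", re.I)),
    "localsystem": (3, re.compile(r"localsystem", re.I)),
    "login_creation": (2, re.compile(r"create\s+login|sp_addlogin", re.I)),
    "sysadmin_grant": (3, re.compile(r"\bsysadmin\b|sp_addsrvrolemember", re.I)),
}
SEVERITY = {0: "info", 1: "low", 2: "high", 3: "critical"}


def _basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event):
    """Return None for non-sqlps.exe events, otherwise a verdict with matched indicators."""
    if _basename(event.get("Image", "")) != "sqlps.exe":
        return None
    reasons, weight = [], 0
    parent = _basename(event.get("ParentImage", ""))
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected_parent:{parent or 'unknown'}")
        weight = max(weight, 2)
    cmd = event.get("CommandLine", "")
    for name, (w, pattern) in INDICATORS.items():
        if pattern.search(cmd):
            reasons.append(name)
            weight = max(weight, w)
    return {"severity": SEVERITY[weight], "reasons": reasons}


def triage(events):
    """Return (event, verdict) pairs for sqlps.exe executions that rate above 'info'."""
    alerts = []
    for ev in events:
        verdict = analyze(ev)
        if verdict and verdict["severity"] != "info":
            alerts.append((ev, verdict))
    return alerts


# Constructed sample telemetry: one legitimate Agent job step, then three attacker actions
# launched through cmd.exe (for example via xp_cmdshell). Paths and names are illustrative.
SQLPS = r"C:\Program Files\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe"
AGENT = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"Image": SQLPS, "ParentImage": AGENT,
     "CommandLine": '"SQLPS.exe" -NoLogo -NoProfile -Command "Invoke-Sqlcmd -ServerInstance . '
                    "-Query 'EXEC dbo.usp_index_maintenance'\""},
    {"Image": SQLPS, "ParentImage": CMD,
     "CommandLine": 'sqlps.exe -NoProfile -Command "whoami; systeminfo; net user"'},
    {"Image": SQLPS, "ParentImage": CMD,
     "CommandLine": 'sqlps.exe -Command "sc.exe config MSSQLSERVER obj= LocalSystem start= auto"'},
    {"Image": SQLPS, "ParentImage": CMD,
     "CommandLine": r'''sqlps.exe -Command "Invoke-Sqlcmd -Query \"CREATE LOGIN backupsvc '''
                    r'''WITH PASSWORD = 'Passw0rd!'; ALTER SERVER ROLE sysadmin ADD MEMBER backupsvc\""'''},
]

if __name__ == "__main__":
    for ev, verdict in triage(SAMPLE_EVENTS):
        print(verdict["severity"].upper(), verdict["reasons"], "<-", ev["CommandLine"][:70])
```

sqlps.exe is a signed Microsoft binary that Agent jobs depend on, so blocking it outright is rarely an option; the parent-process check carries most of the signal here, and the command-line indicators are there to rank what the parent check surfaces. Treat the regexes as a starting point to be tuned against your own Agent job steps, not as a finished rule.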
LOLBIN techniques let attackers execute malicious jobs while blending in with legitimate activity on SQL servers and on other critical servers and systems, and because the binary is already present they do not need to drop new tooling. Attack surface reduction, in particular a security architecture built on the principles of least privilege and least functionality, is essential to maintaining the confidentiality and integrity of an organization's assets. Note, however, that these techniques presuppose that the attacker has already gained initial access to the system; in this campaign that access came from brute forcing SQL credentials. Organizations should therefore also have a post-exploitation component in their defense in depth strategy, such as the MDR and Threat Hunting services offered by Binary Defense, as a necessary element of risk mitigation.
Microsoft recently observed a campaign targeting SQL servers that, like many attacks, uses brute force methods for initial compromise. What makes this campaign stand out is its use of the in-box utility sqlps.exe.
— Microsoft Security Intelligence (@MsftSecIntel) May 17, 2022