Threat Watch

Researchers Detail Additional Campaigns Employing sqlps.exe LOLBIN

Researchers from Microsoft Security Intelligence recently reported on the continued use of the sqlps.exe Living Off the Land Binary (LOLBIN) technique in recent attacks. sqlps.exe, installed by default on all SQL Servers, is the utility that SQL Server Agent uses to run scheduled SQL jobs as a Windows service. Once attackers have achieved the necessary access, this binary can be used for reconnaissance and for changing the start mode of the SQL service to Local System. This in turn enables privilege escalation, such as adding a new sysadmin account to the SQL Server, which would grant total control over the SQL Server.
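One way a defender can hunt for the activity described above is to triage process-creation telemetry for sqlps.exe executions that do not look like scheduled Agent jobs. The script below is an added illustration and is not Microsoft's or Binary Defense's detection content. It assumes a simple key=value event format, that legitimate sqlps.exe runs are children of SQLAGENT.EXE (the SQL Server Agent service process), and uses a handful of watch tokens taken from the behaviours the note describes (sysadmin role changes, service start mode, Local System); the sample events are constructed, not real telemetry.

```python
"""Triage process-creation events for unexpected sqlps.exe activity.

Added example for the Threat Watch note; not the researchers' own tooling.
Assumptions: key=value event lines, SQLAGENT.EXE as the only expected
parent of sqlps.exe, and the watch tokens listed below.
"""
import ntpath
import re
from typing import Dict, List

# Constructed sample events (not real telemetry). Values may contain
# spaces but never '=', which is what the parser relies on.
SAMPLE_EVENTS = r"""
host=sql01 user=NT Service\SQLSERVERAGENT parent=SQLAGENT.EXE image=C:\Program Files\Microsoft SQL Server\150\Tools\Binn\sqlps.exe cmdline=sqlps.exe -NoLogo -Command "Invoke-Sqlcmd -InputFile nightly_backup.sql"
host=sql01 user=CORP\svc_app parent=cmd.exe image=C:\Program Files\Microsoft SQL Server\150\Tools\Binn\sqlps.exe cmdline=sqlps.exe -NoProfile -Command "Get-Service"
host=sql02 user=CORP\dba parent=SQLAGENT.EXE image=C:\Program Files\Microsoft SQL Server\150\Tools\Binn\sqlps.exe cmdline=sqlps.exe -Command "Invoke-Sqlcmd -Query 'EXEC sp_helpsrvrolemember sysadmin'"
host=sql02 user=CORP\jdoe parent=explorer.exe image=C:\Windows\System32\notepad.exe cmdline=notepad.exe report.txt
""".strip().splitlines()

# Assumption: scheduled job steps are launched by the SQL Server Agent process.
EXPECTED_PARENTS = {"sqlagent.exe"}

# Tokens tied to the post-exploitation actions the note describes. Command
# lines are lower-cased and space-stripped before matching, so "Local System"
# and "start mode" match "localsystem" and "startmode".
WATCH_TOKENS = ("sysadmin", "localsystem", "startmode")

# key=value pairs; a value runs until the next " key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def is_sqlps(event: Dict[str, str]) -> bool:
    """True when the created process image is sqlps.exe (any path, any case)."""
    return ntpath.basename(event.get("image", "")).lower() == "sqlps.exe"


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per sqlps.exe event with an unexpected parent or
    a command line that references a watched action."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if not is_sqlps(event):
            continue
        reasons = []
        parent = event.get("parent", "").lower()
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {parent or '<none>'}")
        squeezed = event.get("cmdline", "").lower().replace(" ", "")
        hits = [token for token in WATCH_TOKENS if token in squeezed]
        if hits:
            reasons.append("command line references " + ", ".join(hits))
        if reasons:
            findings.append({
                "host": event.get("host", ""),
                "user": event.get("user", ""),
                "reason": "; ".join(reasons),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding['host']} {finding['user']}: {finding['reason']}")
```

Run against the constructed sample, the nightly backup job passes while the cmd.exe-spawned instance and the sysadmin enumeration are surfaced for review. In practice the parent allow-list and watch tokens should be tuned to what the organization's own Agent jobs actually run, since sqlps.exe is also legitimately used by administrators.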

ANALYST NOTES

LOLBIN techniques give attackers the opportunity to execute malicious jobs while blending in with legitimate activity on SQL Servers, as well as on other critical servers and systems. Attack surface reduction measures, such as a security architecture built on the principles of least privilege and least functionality, are essential in maintaining the confidentiality and integrity of an organization’s assets. Moreover, the use of such techniques presumes that attackers have already gained initial access to sensitive systems. Organizations are therefore recommended to include a post-exploitation component in their defense-in-depth strategy, such as deploying the MDR and Threat Hunting services offered by Binary Defense, as a necessary element of risk mitigation.

https://thehackernews.com/2022/05/hackers-gain-fileless-persistence-on.html