Researchers from Microsoft Security Intelligence recently reported on continued use of the sqlps.exe Living Off the Land Binary (LOLBIN) technique in attacks. sqlps.exe, installed by default on all SQL servers, allows an SQL Agent to run scheduled SQL jobs as a Windows service. Once attackers have achieved the necessary access, this module can be used for reconnaissance and for changing the start mode of the SQL service to Local System. This in turn enables privilege escalation, such as adding a new sysadmin account to the SQL server, which would grant total control over the SQL server.
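One way to triage process-creation telemetry for the sqlps.exe activity described above. This is an added example, not code from Microsoft or Binary Defense. The events are constructed samples that use Sysmon Event ID 1 field names, and treating SQL Server Agent as the only expected parent is an assumption to tune per environment.

```python
import ntpath

# Assumption: SQL Server Agent is the only parent expected to start sqlps.exe.
EXPECTED_PARENTS = {"sqlagent.exe"}

# Constructed sample records (hosts, users and paths are illustrative).
SAMPLE_EVENTS = [
    {"Host": "sql01", "User": "NT SERVICE\\SQLSERVERAGENT",
     "Image": r"C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe",
     "OriginalFileName": "SQLPS.exe",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE"},
    {"Host": "sql01", "User": "CORP\\svc_app",
     "Image": r"C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe",
     "OriginalFileName": "SQLPS.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Host": "sql02", "User": "CORP\\svc_app",
     "Image": r"C:\Users\Public\update.exe",
     "OriginalFileName": "SQLPS.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Host": "sql01", "User": "CORP\\svc_app",
     "Image": r"C:\Windows\System32\whoami.exe",
     "OriginalFileName": "whoami.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe"},
    {"Host": "ws07", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()

def triage_sqlps(events, expected_parents=EXPECTED_PARENTS):
    """Return (index, host, reasons) for events that involve sqlps.exe unexpectedly."""
    findings = []
    for i, ev in enumerate(events):
        image, parent = base(ev.get("Image")), base(ev.get("ParentImage"))
        original = (ev.get("OriginalFileName") or "").lower()
        is_sqlps = "sqlps.exe" in (image, original)
        reasons = []
        if is_sqlps and image != "sqlps.exe":      # PE metadata says sqlps, file name does not
            reasons.append("renamed sqlps.exe")
        if is_sqlps and parent not in expected_parents:
            reasons.append("unexpected parent " + parent)
        if parent == "sqlps.exe":                  # anything spawned from the sqlps host
            reasons.append("child of sqlps.exe")
        if reasons:
            findings.append((i, ev.get("Host"), reasons))
    return findings
```

Findings from this triage are leads for review, since legitimate administrators may also start sqlps.exe interactively.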
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense’s mission is