Detection of PowerShell Execution via Sqlps.exe

Original Source: [Sigma source]

Title: Detection of PowerShell Execution via Sqlps.exe
Status: test
Description:This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
References:
-https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
-https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
-https://twitter.com/bryon_/status/975835709587075072
Author: Agro (@agro_sev) oscd.community
Date: 2020-10-10
modified:2022-12-09
Tags:

-'attack.execution'
-'attack.t1059.001'
-'attack.defense-evasion'
-'attack.t1127'

Logsource:

category: process_creation
product: windows

Detection:
selection_parent:
ParentImage|endswith: '\sqlps.exe'
selection_image:
Image|endswith:'\sqlps.exe' OriginalFileName:'sqlps.exe' filter_image:
ParentImage|endswith: '\sqlagent.exe'
condition:selection_parent or (selection_image and not filter_image)
Falsepositives:
-Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
Level: medium

Sign Up to Personalize and Manage Your Detection

Detection of PowerShell Execution via Sqlps.exe