---
Name : Sqlps.exe
Description : Tool included with Microsoft SQL Server that loads the SQL Server cmdlets. The copies under Microsoft SQL Server\100 and \110 run PowerShell v2; the copies under Microsoft SQL Server\120 and \130 run PowerShell v4. Replaced by SQLToolsPS.exe in SQL Server 2016, but still shipped with the installation for compatibility reasons.
Author : 'Oddvar Moe'
Created : 2018-05-25
Commands :
- Command : Sqlps.exe -noprofile
Description : Run a SQL Server PowerShell mini-console without Module and ScriptBlock Logging.
Usecase : Execute PowerShell commands without ScriptBlock logging.
Category : Execute
Privileges : User
MitreID : T1218
OperatingSystem : Windows
Full_Path :
- Path : C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe
- Path : C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe
- Path : C:\Program files (x86)\Microsoft SQL Server\120\Tools\Binn\sqlps.exe
- Path : C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
- Path : C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe
Code_Sample :
- Code :
Detection :
- Sigma : https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml
- Sigma : https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml
- Elastic : https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/execution_suspicious_powershell_imgload.toml
- Splunk : https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md
Resources :
- Link : https://twitter.com/ManuelBerrueta/status/1527289261350760455
- Link : https://twitter.com/bryon_/status/975835709587075072
- Link : https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017
Acknowledgement :
- Person : Bryon
Handle : '@bryon_'
- Person : Manny
Handle : '@ManuelBerrueta'