From 3371628d0b2d485340d079230d8a94301630ecc6 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Wed, 12 Dec 2018 12:56:53 +0100
Subject: [PATCH] Converted pull request from keepwatch into yml format.

Original request here: https://github.com/LOLBAS-Project/LOLBAS/pull/19 - Thanks for contributing
---
 yml/OtherMSBinaries/Sqlps.yml | 8 ++++++--
 yml/OtherMSBinaries/Sqltoolsps.yml | 5 +++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/yml/OtherMSBinaries/Sqlps.yml b/yml/OtherMSBinaries/Sqlps.yml
index 8b27263..a6cc7b3 100644
--- a/yml/OtherMSBinaries/Sqlps.yml
+++ b/yml/OtherMSBinaries/Sqlps.yml
@@ -1,11 +1,11 @@
 ---
 Name: Sqlps.exe
-Description: Tool included with Microsoft SQL Server that loads SQL Server cmdlets.
+Description: Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are Powershell v2. Microsoft SQL Server\120 and 130 are Powershell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatability reasons.
 Author: 'Oddvar Moe'
 Created: '2018-05-25'
 Commands:
 - Command: Sqlps.exe -noprofile
- Description: Drop into a SQL Server PowerShell console without Module and ScriptBlock Logging.
+ Description: Run a SQL Server PowerShell mini-console without Module and ScriptBlock Logging.
 Usecase: Execute PowerShell commands without ScriptBlock logging.
 Category: Execute
 Privileges: User
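Review bot: The new file-level Description of Sqlps.yml spells "compatability" (should be "compatibility") and writes "Powershell" where the rest of the entry uses "PowerShell"; one consistent spelling keeps the entry searchable. The line would serve defenders better if it said why the engine version matters: ScriptBlock logging was introduced with PowerShell 5.0, so the v2 hosts shipped under \100 and \110 cannot emit it at all. Whether Module logging is likewise unavailable on the PowerShell 4 hosts under \120 and \130 is worth confirming before the command Description keeps claiming "without Module and ScriptBlock Logging", since Module logging exists from PowerShell 3.0 onwards. Suggested wording for the added sentences: `Microsoft SQL Server\100 and 110 host PowerShell v2; 120 and 130 host PowerShell v4. Neither version supports ScriptBlock logging (introduced in PowerShell 5.0).`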
@@ -14,12 +14,16 @@ Commands:
 OperatingSystem: Windows
 Full_Path:
 - Path: C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe
+ - Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe
+ - Path: C:\Program files (x86)\Microsoft SQL Server\120\Tools\Binn\sqlps.exe
+ - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
 Code_Sample:
 - Code:
 Detection:
 - IOC:
 Resources:
 - Link: https://twitter.com/bryon_/status/975835709587075072
+ - Link: https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017
 Acknowledgement:
 - Person: Bryon
 Handle: '@bryon_'
diff --git a/yml/OtherMSBinaries/Sqltoolsps.yml b/yml/OtherMSBinaries/Sqltoolsps.yml
index 50d3dbe..3963cce 100644
--- a/yml/OtherMSBinaries/Sqltoolsps.yml
+++ b/yml/OtherMSBinaries/Sqltoolsps.yml
@@ -1,11 +1,11 @@
 ---
 Name: SQLToolsPS.exe
-Description: Tool included with Microsoft SQL that loads SQL Server cmdlts. A replacement for sqlps.exe.
+Description: Tool included with Microsoft SQL that loads SQL Server cmdlts. A replacement for sqlps.exe. Successor to sqlps.exe in SQL Server 2016+.
 Author: 'Oddvar Moe'
 Created: '2018-05-25'
 Commands:
 - Command: SQLToolsPS.exe -noprofile -command Start-Process calc.exe
- Description: Run PowerShell scripts and commands.
+ Description: Run a SQL Server PowerShell mini-console without Module and ScriptBlock Logging.
 Usecase: Execute PowerShell command.
 Category: Execute
 Privileges: User
@@ -20,6 +20,7 @@ Detection:
 - IOC:
 Resources:
 - Link: https://twitter.com/pabraeken/status/993298228840992768
+ - Link: https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017
 Acknowledgement:
 - Person: Pierre-Alexandre Braeken
 Handle: '@pabraeken'
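Review bot: The Detection block is still an empty `- IOC:` in this hunk although the entry now lists four host binaries and a command whose whole point is running without ScriptBlock logging, which is precisely where a reader on the defensive side needs a hint; the final hunk of Sqltoolsps.yml leaves its `- IOC:` empty in the same way. Process creation of sqlps.exe started with `-noprofile`, or with a parent that is not a SQL Server management process, is the obvious signal to record, e.g. `- IOC: Process creation of sqlps.exe with -noprofile, or sqlps.exe launched by a non-SQL-management parent process`. All four added paths sit under Program files (x86); if 64-bit installations also place a copy under the native Program Files tree, that location should be listed too, but this diff does not say whether they do.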
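Review bot: The replaced command Description in Sqltoolsps.yml, "Run a SQL Server PowerShell mini-console without Module and ScriptBlock Logging", was taken over from Sqlps.yml but does not describe the command next to it: `SQLToolsPS.exe -noprofile -command Start-Process calc.exe` runs one command and exits, which is what the unchanged Usecase "Execute PowerShell command." already says. The logging claim also has no basis within this file, since unlike Sqlps.yml no PowerShell engine version is given for SQLToolsPS.exe; either add the version that justifies it or drop that clause. The new file Description repeats itself ("A replacement for sqlps.exe. Successor to sqlps.exe in SQL Server 2016+.") and carries the "cmdlts" typo onto the new side. Suggested: `Description: Tool included with Microsoft SQL that loads SQL Server cmdlets. Replaces sqlps.exe from SQL Server 2016 onwards.` for the file and `Description: Execute a PowerShell command through the SQL Server PowerShell host.` for the command.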