Merge pull request #217 from ManuelBerrueta/master

Updated yml/OtherMSBinaries/Sqlps.yml, used recently in a campaign sh…
This commit is contained in:
Chris "Lopi" Spehn 2022-05-19 10:19:22 -06:00 committed by GitHub
commit 82f19b22e7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -16,6 +16,7 @@ Full_Path:
- Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe
- Path: C:\Program files (x86)\Microsoft SQL Server\120\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\120\Tools\Binn\sqlps.exe
- Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe - Path: C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
- Path: C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe
Code_Sample: Code_Sample:
- Code: - Code:
Detection: Detection:
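Review bot: the added `150` entry is cased differently from the three existing Full_Path entries (`Program Files` and `SQLPS.exe` versus `Program files` and `sqlps.exe`). NTFS resolves the path either way, but anything that consumes this YAML by literal string comparison (generated detection content, a case-sensitive grep across the repo) will treat it as a distinct value. Suggest normalising the new line to the surrounding convention, `- Path: C:\Program files (x86)\Microsoft SQL Server\150\Tools\Binn\sqlps.exe`, or normalising all four entries to one casing in the same change.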
@ -24,9 +25,12 @@ Detection:
- Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/execution_suspicious_powershell_imgload.toml - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/execution_suspicious_powershell_imgload.toml
- Splunk: https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md - Splunk: https://github.com/splunk/security_content/blob/aa9f7e0d13a61626c69367290ed1b7b71d1281fd/docs/_posts/2021-10-05-suspicious_copy_on_system32.md
Resources: Resources:
- Link: https://twitter.com/ManuelBerrueta/status/1527289261350760455
- Link: https://twitter.com/bryon_/status/975835709587075072 - Link: https://twitter.com/bryon_/status/975835709587075072
- Link: https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017 - Link: https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017
Acknowledgement: Acknowledgement:
- Person: Bryon - Person: Bryon
Handle: '@bryon_' Handle: '@bryon_'
- Person: Manny
Handle: '@ManuelBerrueta'
--- ---
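Review bot: the commit message cites use in a recent campaign, but the only new source added under Resources is a tweet (`- Link: https://twitter.com/ManuelBerrueta/status/1527289261350760455`), which can be deleted or made private and then leaves the campaign claim without a durable reference; suggest adding the underlying write-up or an archived copy next to it. The Detection section is left unchanged by this hunk, so if the referenced tweet describes observable artifacts of that campaign, a corresponding detection link would make the entry more useful than the acknowledgement alone.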