Skip to content

Hide Navigation Hide TOC

Detection of PowerShell Execution via Sqlps.exe (0152550d-3a26-4efd-9f0e-54a0b28ae2f3)

This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

Cluster A Galaxy A Cluster B Galaxy B Level
Detection of PowerShell Execution via Sqlps.exe (0152550d-3a26-4efd-9f0e-54a0b28ae2f3) Sigma-Rules PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 1
Detection of PowerShell Execution via Sqlps.exe (0152550d-3a26-4efd-9f0e-54a0b28ae2f3) Sigma-Rules Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2