Detection rules › Sigma
Detection of PowerShell Execution via Sqlps.exe
This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
| Defense Evasion | T1127 Trusted Developer Utilities Proxy Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: selection_parent
ParentImage|endswith: '\sqlps.exe'
Stage 2: selection_image
or:
Image|endswith: '\sqlps.exe'
OriginalFileName: sqlps.exe
Stage 3: not filter_image
ParentImage|endswith: '\sqlagent.exe'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Image | ends_with |
|
OriginalFileName | eq |
|
ParentImage | ends_with |
|