Detection rules › Sigma
SQL Client Tools PowerShell Session Detection
This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
| Defense Evasion | T1127 Trusted Developer Utilities Proxy Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: selection
or:
Image|endswith: '\sqltoolsps.exe'
OriginalFileName: '\sqltoolsps.exe'
ParentImage|endswith: '\sqltoolsps.exe'
Stage 2: not filter
ParentImage|endswith: '\smss.exe'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Image | ends_with |
|
OriginalFileName | eq |
|
ParentImage | ends_with |
|