Microsoft warns of attacks targeting MSSQL servers using the tool sqlps

Pierluigi Paganini May 18, 2022

Microsoft warns of brute-forcing attacks targeting Microsoft SQL Server (MSSQL) database servers exposed online.

Microsoft warns of a new hacking campaign aimed at MSSQL servers, threat actors are launching brute-forcing attacks against poorly protected instances. The attacks are using the legitimate tool sqlps.exe, a sort of SQL Server PowerShell file, as a LOLBin (short for living-off-the-land binary).

Microsoft warned of the attacks in a series of tweets, it doesn’t attribute them to a specific threat actor.

The sqlps.exe utility is described by Microsoft as a PowerShell wrapper for running SQL-built cmdlets.

The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem. pic.twitter.com/Tro0NfMD0j
— Microsoft Threat Intelligence (@MsftSecIntel) May 17, 2022

The attackers also use sqlps.exe to create a new account that they add to the sysadmin role, enabling them to take full control of the SQL server. They then gain the ability to perform other actions, including deploying payloads like coin miners. pic.twitter.com/stXJMDMevc
— Microsoft Threat Intelligence (@MsftSecIntel) May 17, 2022

Threat actors also use sqlps.exe to create a new account that they add to the sysadmin role, allowing them to take full control of the SQL server instance. Then the attackers are able to perform other malicious actions, such as deploying malware.

The attack is fileless and do not leave traces on the targeted systems bypassing antimalware solutions.

Defenders typically monitor the use of PowerShell in their environment. The sqlps.exe utility, which comes with all versions of SQL by default, has similar functionality and is equally worthy of increased scrutiny.
— Microsoft Threat Intelligence (@MsftSecIntel) May 17, 2022

Experts pointed out that the use of the sqlps tool allows to bypass Script Blocmdletck Logging, used to record the content of all script blocks that it processes.

The use of this uncommon living-off-the-land binary (LOLBin) highlights the importance of gaining full visibility into the runtime behavior of scripts in order to expose malicious code.
— Microsoft Threat Intelligence (@MsftSecIntel) May 17, 2022

Experts recommend to not expose MSSQL servers online, secure them with string admin credentials, apply the latest security updates, enable logging to monitor for potentially attack patters.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)
To nominate, please visit: 
https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, MSSQL servers)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini June 28, 2025

The FBI warns that Scattered Spider is now targeting the airline sector

Pierluigi Paganini June 28, 2025