Skip to content

Hide Navigation Hide TOC

SQL Client Tools PowerShell Session Detection (a746c9b8-a2fb-4ee5-a428-92bee9e99060)

This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

Cluster A Galaxy A Cluster B Galaxy B Level
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern SQL Client Tools PowerShell Session Detection (a746c9b8-a2fb-4ee5-a428-92bee9e99060) Sigma-Rules 1
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern SQL Client Tools PowerShell Session Detection (a746c9b8-a2fb-4ee5-a428-92bee9e99060) Sigma-Rules 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2