Intricate MSSQL Attack Sequence Revealed

Malicious actors targeted MSSQL servers in a coordinated series of operations, that was initiated with the MSSQL xp_cmdshell stored procedure. Huntress researchers detailed an intrusion on February 23, 2024, where commands were rapidly executed, leveraging the bcp command-line utility to transfer data from a SQL Server table to the system's files. These files, camouflaged as batch files and executables within the public music directory, indicated the attackers' stealthy approach.

Within a span of 12 minutes, the execution of these files led to the creation of a new user account named "admins124." This account was subsequently added to various local groups, including administrators and Remote Desktop Users, expanding the attacker's control over the system. Furthermore, registry modifications were made to enable WDigest plaintext password logging, a technique often used to harvest credentials. Ending with the installation of AnyDesk, a remote desktop software, allowing for persistent remote access. Notably, the kur.bat file's execution facilitated the silent installation of AnyDesk, which Huntress confirms in Windows Event Logs.

This meticulously planned attack, from gaining initial access with xp_cmdshell to securing persistence via account creation and remote management software installation, delineates clear squence of threat behaviors. Monitoring of this sequence of actions, including script execution, user account setup, registry alterations, and the deployment of remote access tools, will be essential in early detection of similar intrusions.