Microsoft warns of brute-force attacks targeting Internet-exposed, poorly secured Microsoft SQL Server (MSSQL) database servers that use weak passwords.

The attackers are using the legitimate sqlps[.]exe tool as a Living-Off-the-Land Binary (LOLBin). With the sqlps[.]exe utility (a PowerShell wrapper for running SQL-built cmdlets), they execute recon commands and change the SQL service's start mode to LocalSystem. To get full control of the SQL server, the attackers use sqlps[.]exe to create a new account with the sysadmin role.

The SQLPS tool is included with Microsoft SQL Server and loads SQL Server cmdlets. Used as a LOLBin, it lets the attackers run PowerShell commands without being detected, leading to fileless persistence. Furthermore, SQLPS can avoid detection by bypassing Script Block Logging, a PowerShell feature that logs cmdlet operations to the Windows event log.


  • Use a strong admin password that can’t be guessed or brute-forced easily and place the server behind a firewall
  • Enable logging to monitor for suspicious or unexpected activity and recurring login attempts
  • Apply the latest security updates to decrease the attack surface and block attacks leveraging exploits that target known vulnerabilities
  • To prevent data exfiltration by malware or threat actors (TAs), monitor for beaconing at the network level

Administrators must not expose their MSSQL servers to the Internet, use a strong admin password that cannot be guessed or brute-forced, and place the server behind a firewall to protect against such attacks.
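To illustrate the logging recommendation above, the following added example (not part of the original article or of any Microsoft tooling) scans SQL Server error-log lines for bursts of failed logins from one client and reports any successful login from that client afterwards. The sample lines, addresses, threshold and window are constructed assumptions, and "Login succeeded" lines only exist when login auditing records both failed and successful logins.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the SQL Server ERRORLOG layout (not from a real host).
FAIL = ("2022-05-18 03:10:{:02d}.10 Logon       Login failed for user '{}'. Reason: "
        "Password did not match that for the login provided. [CLIENT: {}]")
OK = ("2022-05-18 03:10:{:02d}.10 Logon       Login succeeded for user '{}'. "
      "Connection made using SQL Server authentication. [CLIENT: {}]")
SAMPLE_LOG = "\n".join(
    ["2022-05-18 03:10:01.10 Logon       Error: 18456, Severity: 14, State: 8."]
    + [FAIL.format(s, "sa", "203.0.113.7") for s in range(1, 7)]   # guessing burst
    + [OK.format(8, "sa", "203.0.113.7"),                          # guess succeeded
       FAIL.format(20, "appuser", "198.51.100.20"),                # single typo
       OK.format(30, "appuser", "198.51.100.20")])

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]")

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {client: {"failures": n, "success_after": [users]}} for every
    client with at least `threshold` failed logins inside `window`."""
    failures = defaultdict(list)          # client -> recent failure timestamps
    findings = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:                         # e.g. the "Error: 18456" header line
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        client = m["client"]
        if m["result"] == "failed":
            # Keep only failures still inside the sliding window, plus this one.
            recent = [t for t in failures[client] if ts - t <= window] + [ts]
            failures[client] = recent
            if len(recent) >= threshold:
                hit = findings.setdefault(client, {"failures": 0, "success_after": []})
                hit["failures"] = max(hit["failures"], len(recent))
        elif client in findings:
            # A success from a client already flagged for guessing: treat the
            # login as compromised and review its role memberships.
            findings[client]["success_after"].append(m["user"])
    return findings

if __name__ == "__main__":
    for client, hit in find_bruteforce(SAMPLE_LOG).items():
        print(client, hit)
```

A client that appears with a non-empty `success_after` list is the case to escalate first, since the article describes the attackers creating a new sysadmin account once they are in.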


