Blog · Scenario

SELECT XMRig FROM SQLServer

By Detecteam, 2023-06-09

TLP: CLEAR

Author: David Deflache

Summary

The attack on a Microsoft SQL Server involved a series of sophisticated techniques employed by the adversaries. It began with reconnaissance, in which the attackers sought to identify vulnerabilities and potential entry points. They then exploited a known vulnerability in the server software to gain unauthorized access. Once inside, they used a privilege escalation technique to obtain higher privileges and control over the system. With elevated access, they deployed a backdoor that allowed them to maintain persistence and remotely control the compromised server. The intrusion demonstrated the attackers' proficiency in reconnaissance, exploitation, privilege escalation, and persistence, underscoring the importance of robust security measures.

DATA: windows_sqlserver.xml (download)

CATEGORY: Miner

References

https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/

MITRE ATT&CK

  • T1027.004 - Obfuscated Files or Information: Compile After Delivery
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1070.004 - Indicator Removal on Host: File Deletion
  • T1078 - Valid Accounts
  • T1110.001 - Brute Force: Password Guessing
  • T1112 - Modify Registry
  • T1134.001 - Token Impersonation/Theft
  • T1136.001 - Create Account: Local Account
  • T1140 - Deobfuscate/Decode Files or Information
  • T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription
  • T1546.012 - Event Triggered Execution: Image File Execution Options Injection
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1564.002 - Hide Artifacts: Hidden Users