FalconFriday — Code execution through Microsoft SQL Server and Oracle Database — 0xFF19

During red teaming engagements we often encounter database credentials, for example hard-coded in database scripts. These can be used to authenticate to the databases in question and gain access to the data they hold.

Moreover, if the associated database users are sufficiently privileged, this can yield code execution on the database server itself. Plenty has been written on how to abuse such credentials; well-known tools include the Impacket toolkit published by SecureAuth and the various exploits published by Raptor.

In this blog we discuss how to detect abuse of these code execution features of Microsoft SQL Server and Oracle Database, using Microsoft Defender for Endpoint log sources on the Microsoft 365 Defender platform.
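To make the detection idea concrete, here is an added example written for this page; it is not the FalconForce query from the Medium article or the FalconFriday GitHub repository. It re-creates the core of such a rule in plain Python so it runs offline: flag shell and script interpreters whose parent process is the database engine itself. The event records are constructed and only mirror the handful of Microsoft Defender for Endpoint DeviceProcessEvents columns the logic needs; the parent-process and interpreter lists (including the Oracle external-job launcher name) are assumptions to be tuned per environment.

```python
"""Detect interpreters spawned directly by a database engine process.

Example code written for this page, not FalconForce's published query.
Column names mirror the Microsoft Defender for Endpoint DeviceProcessEvents
table; the events at the bottom are constructed, not real telemetry.
"""
from typing import Iterable

# Database engine processes. sqlservr.exe is the SQL Server engine and is the
# direct parent of anything started through xp_cmdshell. oracle.exe is the
# Oracle Database process; extjob.exe is the launcher used for Oracle external
# jobs on Windows (assumption: the launcher name varies by version and OS).
DB_ENGINE_PROCESSES = {"sqlservr.exe", "oracle.exe", "extjob.exe"}

# Interpreters and living-off-the-land binaries an attacker typically runs first.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe"}

# Command-line fragments that raise severity when seen under a database engine.
HIGH_SEVERITY_MARKERS = ("whoami", "net user", "net localgroup", "-enc",
                         "downloadstring", "urlcache", "invoke-webrequest")


def is_allowlisted(event: dict, allowlist: Iterable[tuple]) -> bool:
    """Allow-list entries are (device name, child process, command-line substring)."""
    for device, child, fragment in allowlist:
        if (event["DeviceName"].lower() == device.lower()
                and event["FileName"].lower() == child.lower()
                and fragment.lower() in event["ProcessCommandLine"].lower()):
            return True
    return False


def detect_db_code_execution(events, allowlist=()):
    """Return one alert dict per event where a DB engine spawned an interpreter."""
    alerts = []
    for ev in events:
        parent = ev["InitiatingProcessFileName"].lower()
        child = ev["FileName"].lower()
        if parent not in DB_ENGINE_PROCESSES or child not in INTERPRETERS:
            continue
        if is_allowlisted(ev, allowlist):
            continue
        cmdline = ev["ProcessCommandLine"].lower()
        severity = "high" if any(m in cmdline for m in HIGH_SEVERITY_MARKERS) else "medium"
        alerts.append({
            "Timestamp": ev["Timestamp"],
            "DeviceName": ev["DeviceName"],
            "AccountName": ev["AccountName"],
            "Parent": parent,
            "Child": child,
            "CommandLine": ev["ProcessCommandLine"],
            "Severity": severity,
        })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2021-07-09T10:01:12Z", "DeviceName": "sql01", "AccountName": "svc_mssql",
     "InitiatingProcessFileName": "sqlservr.exe", "FileName": "cmd.exe",
     "ProcessCommandLine": 'cmd.exe /c "whoami /all"'},
    {"Timestamp": "2021-07-09T10:02:40Z", "DeviceName": "ora01", "AccountName": "oracle_svc",
     "InitiatingProcessFileName": "oracle.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Timestamp": "2021-07-09T10:03:05Z", "DeviceName": "sql01", "AccountName": "svc_mssql",
     "InitiatingProcessFileName": "sqlservr.exe", "FileName": "cmd.exe",
     "ProcessCommandLine": 'cmd.exe /c "C:\\SQLJobs\\nightly_backup.bat"'},
    {"Timestamp": "2021-07-09T10:04:00Z", "DeviceName": "ws042", "AccountName": "jdoe",
     "InitiatingProcessFileName": "explorer.exe", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe"},
    {"Timestamp": "2021-07-09T10:05:30Z", "DeviceName": "sql01", "AccountName": "svc_mssql",
     "InitiatingProcessFileName": "sqlservr.exe", "FileName": "conhost.exe",
     "ProcessCommandLine": "conhost.exe 0x4"},
]

# A known-good SQL Agent job on sql01 that legitimately shells out (hypothetical).
ALLOWLIST = [("sql01", "cmd.exe", "nightly_backup.bat")]

if __name__ == "__main__":
    for alert in detect_db_code_execution(SAMPLE_EVENTS, ALLOWLIST):
        print(alert["Severity"], alert["DeviceName"], alert["Parent"], "->",
              alert["Child"], alert["CommandLine"])
```

Run against the sample, only the whoami under sqlservr.exe and the encoded PowerShell under oracle.exe are reported; the scheduled backup is suppressed by the allow-list and the explorer.exe and conhost.exe rows never match. In a real environment the same shape becomes a query over DeviceProcessEvents filtering on InitiatingProcessFileName and FileName, and the bulk of the tuning work is the allow-list for legitimate maintenance jobs that shell out from the engine.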

This is a cross-post from medium.com; please read the full article here:

https://medium.com/falconforce/falcon-friday-detecting-code-execution-through-microsoft-sql-server-and-oracle-database-b8fbef83fa4e

Direct link to our GitHub page:

https://github.com/FalconForceTeam/FalconFriday