| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | SQLRat has scripts that are responsible for deobfuscating additional scripts.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | SQLRat has used PowerShell to create a Meterpreter session.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | SQLRat has used SQL to execute JavaScript and VB scripts on the host system.[1] |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | SQLRat has used a character insertion obfuscation technique, making the script appear to contain Chinese characters.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | SQLRat relies on users clicking on an embedded image to execute the scripts.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | SQLRat has been observed deleting scripts once used.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | SQLRat has created scheduled tasks in |