{
	"id": "f416af33-ed78-4a39-af4d-5e81802bde9d",
	"created_at": "2026-04-06T00:21:49.068715Z",
	"updated_at": "2026-04-10T03:19:58.464238Z",
	"deleted_at": null,
	"sha1_hash": "4e0b32ced7306a6fc61dff31bb831cb953775d2f",
	"title": "Agent 1433: remote attack on Microsoft SQL Server",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 202641,
	"plain_text": "Agent 1433: remote attack on Microsoft SQL Server\r\nBy Alexander Plakhov\r\nPublished: 2019-08-22 · Archived: 2026-04-05 13:48:11 UTC\r\nAll over the world companies large and small use Microsoft SQL Server for database management. Highly\r\npopular yet insufficiently protected, this DBMS is a target of choice for hacking. One of the most common attacks\r\non Microsoft SQL Server — the remote attack based on malicious jobs — has been around for a long time, but it\r\nis still used to get access to workstations through a less-than-strong administrator password.\r\nGeography of attempted attacks from January through July 2019\r\nAccording to our statistics, the majority of such attacks fall on Vietnam (\u003e16%), Russia (~12%), India (~7%),\r\nChina (~6%), Turkey and Brazil (5% each).\r\nAttack description\r\nMicrosoft SQL Server attacks are normally massive in nature and have no particular target: the attackers scan sub-networks in search of a server with a weak password. The attack begins with a remote check of whether the\r\nsystem has MS SQL Server installed; next the intruders proceed to brute-force the account password to access the\r\nsystem. In addition to password brute-forcing, they may also resort to authorization via a user account token,\r\nauthorized on a previously infected machine.\r\nSQL Server authorization\r\nAs soon as penetration is accomplished, the attackers modify the server configuration in order to access the command\r\nline. That done, they can covertly make the malware persistent in the target system using jobs they have created for\r\nSQL Server.\r\nExamples of jobs\r\nA job is a sequence of commands executed by SQL Server Agent. 
It may comprise a broad range of actions,\r\nincluding launching SQL transactions, command line applications, Microsoft ActiveX scripts, Integration Services\r\npackages, Analysis Services commands and queries, as well as PowerShell scripts.\r\nA job consists of steps, the code featured in each one being executed at certain intervals, allowing intruders to\r\ndeliver malicious files to the target computer again and again, should they be deleted.\r\nBelow are a few examples of malicious queries:\r\nInstalling a malware download job using the standard ftp.exe utility:\r\nDownloading malware from a remote resource using JavaScript:\r\nWriting a malware file into the system followed by its execution:\r\nWe have analyzed the payloads delivered to the compromised machines via malicious jobs and found that most of\r\nthem were cryptocurrency miners and remote access backdoors. The less common ones included password\r\ncapture and privilege escalation utilities. It should be mentioned, however, that the choice of payload depends on\r\nthe attackers’ goals and capabilities and is by no means limited to the mentioned options.\r\nTo protect your machines from malicious job attacks, we recommend using robust, brute-force-proof passwords\r\nfor your SQL Server accounts. 
It will also pay to check SQL Server Agent for third-party jobs.\r\nKaspersky Lab products return the following verdicts when detecting malware that installs malicious SQL Server\r\njobs:\r\nTrojan.Multi.GenAutorunSQL.a\r\nHEUR:Backdoor.Win32.RedDust.gen\r\nHEUR:Backdoor.MSIL.RedDust.gen\r\nAnd, with proactive detection using the System Watcher component:\r\nPDM:Trojan.Win32.GenAutorunSqlAgentJobRun.*\r\nPDM:Trojan.Win32.Generic\r\nPDM:Exploit.Win32.Generic\r\nMD5\r\n6754FA8C783A947414CE6591D6FA8540\r\n91A12A4CF437589BA70B1687F5ACAD19\r\n98DFA71C361283C4A1509C42F212FB0D\r\nA3F0B689C7CCFDFAEADD7CBBF1CD92B6\r\nE2A34F1D48CE4BE330F194E8AEFE9A55\r\nSource: https://securelist.com/malicious-tasks-in-ms-sql-server/92167/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://securelist.com/malicious-tasks-in-ms-sql-server/92167/"
	],
	"report_names": [
		"92167"
	],
	"threat_actors": [],
	"ts_created_at": 1775434909,
	"ts_updated_at": 1775791198,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e0b32ced7306a6fc61dff31bb831cb953775d2f.pdf",
		"text": "https://archive.orkl.eu/4e0b32ced7306a6fc61dff31bb831cb953775d2f.txt",
		"img": "https://archive.orkl.eu/4e0b32ced7306a6fc61dff31bb831cb953775d2f.jpg"
	}
}