FalconFriday — Code execution through Microsoft SQL Server and Oracle Database — 0xFF19
During red teaming engagements we often encounter database credentials in, for example, database scripts. These can be used to authenticate to databases and gain access to the data in these databases.
Moreover, if the associated users are sufficiently privileged, this may also yield code execution on the database server itself. Plenty has been written on how to abuse such credentials, and well-known tools include the ‘Impacket’ toolkit published by SecureAuth and various exploits published by Raptor.
In this blog we will discuss how you can detect abuse of these code execution features of Microsoft and Oracle databases, using Microsoft Defender for Endpoint log sources on the Microsoft 365 Defender platform.
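One way to hunt for this in Microsoft 365 Defender advanced hunting is to look at the process tree: both xp_cmdshell-style features in SQL Server and OS-level execution from Oracle end up as a child process of the database engine, which the DeviceProcessEvents table from Microsoft Defender for Endpoint records. The KQL below is an added example, not a query from the FalconFriday post or its GitHub repository; it assumes the engines run under the default binary names sqlservr.exe and oracle.exe, and the allowlist entry is a constructed placeholder to be replaced with maintenance commands your DBAs genuinely schedule.

```kql
// Added hunting example (assumption: default engine binary names, tune for your estate).
let dbEngines = dynamic(["sqlservr.exe", "oracle.exe"]);
// Interpreters and script hosts a database engine has no normal reason to spawn.
let shells = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
// Constructed placeholder: fill with command lines of known-good scheduled maintenance jobs.
let knownGoodCmdLines = dynamic(["<known good maintenance command line>"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ (dbEngines)
| where FileName in~ (shells)
| where not(ProcessCommandLine has_any (knownGoodCmdLines))
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
```

Expect the first run to surface legitimate backup or maintenance scripts; move those into knownGoodCmdLines rather than widening the shells list, so that an interactive shell or an encoded PowerShell command spawned by the engine still stands out.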
Cross-post from medium.com; please read the full article here:
Direct link to our GitHub page: