JUST RELEASED: ATT&CK for Industrial Control Systems


SQLRat is malware that executes SQL scripts to avoid leaving traditional host artifacts. FIN7 has been observed using it.[1]

ID: S0390
Version: 1.0
Created: 18 June 2019
Last Modified: 30 June 2019

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

SQLRat has scripts that are responsible for deobfuscating additional scripts.[1]

Enterprise T1107 File Deletion

SQLRat has used been observed deleting scripts once used. [1]

Enterprise T1027 Obfuscated Files or Information

SQLRat has used a character insertion obfuscation technique, making the script appear to contain Chinese characters.[1]

Enterprise T1086 PowerShell

SQLRat has used PowerShell to create a Meterpreter session.[1]

Enterprise T1105 Remote File Copy

SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk. [1]

Enterprise T1053 Scheduled Task

SQLRat has created scheduled tasks in %appdata%\Roaming\Microsoft\Templates\.[1]

Enterprise T1064 Scripting

SQLRat has used SQL to execute JavaScript and VB scripts on the host system.[1]

Enterprise T1204 User Execution

SQLRat relies on users clicking on an embedded image to execute the scripts.[1]

Groups That Use This Software

ID Name References
G0046 FIN7 [1]