Spectra Assure
Community
failIncident: Malware
Scanned: 6 days ago

PowerUpSQL

latest
malicious
Top 10k
PowerUpSQL is an offensive toolkit designed for attacking SQL Server. The PowerUpSQL module includes functions that support SQL Server discovery, auditing for common weak configurations, and privilege escalation on scale. It is intended to be used during penetration tests and red team engagements. However, PowerUpSQL also includes many functions that could be used by administrators to inventory the SQL Servers on their ADS domain very quickly. More information can be found at https://github.com/NetSPI/PowerUpSQL.
License: unknown
Published: over 7 years ago
See on PowerShell Gallery

SAFE Assessment

Compliance

Licenses
No license compliance issues
Secrets
No sensitive information found

Security

Vulnerabilities
No known vulnerabilities detected
Hardening
No application hardening issues

Threats

Tampering
4 malware-like behaviors found
Malware
3 malicious components found

INCIDENTS FOR THIS VERSION:

malware
4 months agoReported By: ReversingLabs (Automated)
Learn more about malware detection

Popularity

15.38k
Total Downloads
2
Contributors
0
Declared Dependencies
1
Dependents

Top issues

See all issues

Problem

Proprietary ReversingLabs malware detection algorithms have determined that the software package contains one or more malicious files. The detection was made by a heuristic signature. This malware detection method is considered proactive, and can typically identify the malware family or at least the threat type.

Prevalence in PowerShell Gallery community

0 packages
found in
Top 100
1 packages
found in
Top 1k
49 packages
found in
Top 10k
71 packages
in community

Next steps

Inspect behaviors exhibited by the detected software components.
If the software behaviors differ from expected, investigate the build and release environment for software supply chain compromise.
Avoid using this software package until it is vetted as safe.
Consider rewriting code that may have triggered the detection due to its malware similarity.

Problem

Third-party malware detection algorithms have determined that the software package contains one or more malicious files. The detection was made by a hash-based file reputation lookup. This malware detection method is considered accurate, and can typically identify the malware family by name.

Prevalence in PowerShell Gallery community

0 packages
found in
Top 100
1 packages
found in
Top 1k
32 packages
found in
Top 10k
55 packages
in community

Next steps

If the software intent does not relate to malicious behavior, investigate the build and release environment for software supply chain compromise.
Avoid using this software package.

Problem

Software components contain executable code that performs actions implemented during its development. These actions are called behaviors. In the analysis report, behaviors are presented as human-readable descriptions that best match the underlying code intent. While most behaviors are benign, some are exclusively used by malicious software with the intent to cause harm. When a software package matches behavior traits of malicious software, it becomes flagged by security solutions. It is highly likely that the software package was tampered with by a malicious actor or a rogue insider.

Prevalence in PowerShell Gallery community

0 packages
found in
Top 100
6 packages
found in
Top 1k
30 packages
found in
Top 10k
45 packages
in community

Next steps

Investigate reported detections.
Investigate your build and release environment for software supply chain compromise.
You should delay the software release until the investigation is completed.
In the case this behavior is intended, rewrite the flagged code without using the malware-like behaviors.

Problem

Software components contain executable code that performs actions implemented during its development. These actions are called behaviors. In the analysis report, behaviors are presented as human-readable descriptions that best match the underlying code intent. While most behaviors are benign, some are exclusively used by malicious software with the intent to cause harm. When a software package matches behavior traits of malicious software, it becomes flagged by security solutions. It is highly likely that the software package was tampered with by a malicious actor or a rogue insider. Detected threat type matches the behaviors typically exhibited by the hacktool malware profile. Hacking tools are commonly used by malicious actors to bypass security solutions, exploit system weaknesses, collect personal information, and exfiltrate data. However, due to high-privilege access requirements, some security solutions may also trigger this detection when analyzed.

Prevalence in PowerShell Gallery community

0 packages
found in
Top 100
2 packages
found in
Top 1k
52 packages
found in
Top 10k
75 packages
in community

Next steps

Investigate reported detections.
If the software intent does not relate to the reported behavior, investigate your build and release environment for software supply chain compromise.
You should delay the software release until the investigation is completed.
In the case this behavior is intended, rewrite the flagged code without using the malware-like behaviors.

Problem

Attackers commonly hide their malicious payloads in layers of packing and code obfuscation. Base-encoding is a common data transformation technique used to convert Windows executable files into textual payloads. Detected software behaviors indicate that the code has the ability to decode and execute Base-encoded executables. While presence of dynamic code execution does not imply malicious intent, all of its uses in a software package should be documented and approved. When a software package has behavior traits similar to malicious software, it may become flagged by security solutions. One example of acceptable use for embedding Base-encoded Windows executables is the intent to transfer the software components over the network.

Prevalence in PowerShell Gallery community

0 packages
found in
Top 100
3 packages
found in
Top 1k
5 packages
found in
Top 10k
14 packages
in community

Next steps

Investigate reported detections as indicators of software tampering.
Consult Mitre ATT&CK documentation: T1027 - Obfuscated Files or Information.
Consider an alternative delivery mechanism for software packages.

Top behaviors

See all behaviors

Prevalence in PowerShell Gallery community

Behavior uncommon for this community (Uncommon)
1 packages
found in
Top 100
31 packages
found in
Top 1k
283 packages
found in
Top 10k
435 packages
in community

Prevalence in PowerShell Gallery community

Behavior uncommon for this community (Uncommon)
0 packages
found in
Top 100
24 packages
found in
Top 1k
185 packages
found in
Top 10k
319 packages
in community

Prevalence in PowerShell Gallery community

Behavior often found in this community (Common)
1 packages
found in
Top 100
42 packages
found in
Top 1k
298 packages
found in
Top 10k
471 packages
in community

Prevalence in PowerShell Gallery community

Behavior commonly used by malicious software (Important)
Behavior uncommon for this community (Uncommon)
0 packages
found in
Top 100
1 packages
found in
Top 1k
1 packages
found in
Top 10k
2 packages
in community

Prevalence in PowerShell Gallery community

Behavior exclusively used by malicious software (Malicious)
Behavior uncommon for this community (Uncommon)
0 packages
found in
Top 100
0 packages
found in
Top 1k
1 packages
found in
Top 10k
1 packages
in community

Top vulnerabilities

No vulnerabilities found.

FAQ for PowerUpSQL

What is PowerUpSQL?

PowerUpSQL is an offensive toolkit designed for attacking SQL Server. The PowerUpSQL module includes functions that support SQL Server discovery, auditing for common weak configurations, and privilege escalation on scale. It is intended to be used during penetration tests and red team engagements. However, PowerUpSQL also includes many functions that could be used by administrators to inventory the SQL Servers on their ADS domain very quickly. More information can be found at https://github.com/NetSPI/PowerUpSQL. For more information about this package, visit its homepage.

Is PowerUpSQL malicious or is it safe to use?

The PS Gallery package PowerUpSQL was scanned for malware, software tampering, risky behaviors, exposed secrets and known vulnerabilities. Malware or tampering has been detected, making it unsafe to download and use. 4 other issues and risky behaviors were found. The package contains risks, and the analysis results should be reviewed before it is downloaded and used. Visit the Issues and Behaviors sections of the analysis for more details. All versions of the PowerUpSQL package were malicious.

Is PowerUpSQL popular?

The PS Gallery package PowerUpSQL ranks among the top 10000 projects in this community. It has 15K recorded downloads. A package's popularity is not a good indicator of its safety, visit the SAFE Assessment section to see the full analysis of package deployment risk categories.

How do I secure PowerUpSQL once it is in my app?

Since we can't know when or where malicious attacks will happen, we recommend tracking how PowerUpSQL behaviors change over multiple software releases. By adopting differential analysis in your release process, you can detect unexpected changes to a PowerUpSQL version, which can prevent advanced software supply chain attacks. Read how our technology can help prevent future attacks similar to SolarWinds and 3CX.

Did you know...

... that you can use ReversingLabs’ Spectra Assure platform to perform regular risk assessments of packages you develop in-house?

We recommend continuous software safeness monitoring through CI/CD integrations and pre-release/deployment checks. In addition to basic package information found on this page our platform offers rich reports for developers and DevSecOps that help them remediate all reported issues.