S0390: SQLRat
Analyst context for executives and security teams
SQLRat matters because its described purpose is to execute SQL scripts while avoiding traditional host artifacts. For leaders, the key risk is not just “malware on an endpoint,” but activity that may be harder to reconstruct if monitoring is concentrated only on files and standard endpoint indicators. MITRE notes FIN7 has been observed using it, so organizations in sectors described in the FIN7 relationship should treat this as a prompt to validate logging depth across endpoints, scheduled execution, command interpreters, file activity, tool transfer, and SQL/script execution paths.
Executive priority
Prioritize this as a coverage-validation issue: can the organization prove what happened if malware uses scripts, command obfuscation, scheduled tasks, file deletion, and tool transfer while minimizing host artifacts? Security leaders should ask whether SOC and IR teams have sufficient endpoint, script, task scheduler, network transfer, and database/application logging to support investigation and compliance evidence. Because ATT&CK provides no official detection text and no malware-specific platform list, budget decisions should focus on closing telemetry gaps rather than assuming existing EDR signatures are enough.
Technical view
ATT&CK describes SQLRat as malware that executes SQL scripts to avoid leaving traditional host artifacts and relates it to Command Obfuscation, Scheduled Task, PowerShell, Windows Command Shell, File Deletion, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, and Malicious File. Detection engineering should therefore validate behavior chains rather than a single indicator: suspicious PowerShell or cmd execution, scheduled task creation or modification, encoded or obfuscated command content, file deletion after execution, inbound tool/file transfer, and SQL/script execution where such logging exists. Windows-specific validation is supported by the related Scheduled Task, PowerShell, and Windows Command Shell techniques, while the malware object itself does not specify platforms.
Likely telemetry
- Endpoint process creation and command-line telemetry for PowerShell, cmd, and task scheduling utilities
- Windows Task Scheduler creation, modification, and execution events where Windows systems are in scope
- PowerShell logging, including script block or module-level evidence where enabled
- File creation, modification, and deletion telemetry, especially near suspicious script or tool execution
- Network and proxy evidence of inbound tool or file transfer from external systems
Detection direction
- Do not rely only on malware file artifacts; the official description emphasizes avoiding traditional host artifacts.
- Correlate scheduled task activity with PowerShell/cmd execution, obfuscated command strings, file deletion, and recent file transfer events.
- Tune for administrative false positives: scheduled tasks, PowerShell, command shells, and file cleanup are common in legitimate operations, so detections should use context such as unusual parent processes, rare commands, abnormal timing, or untrusted sources.
- Validate whether SQL/script execution is logged sufficiently for IR reconstruction; absence of database or application logging may be a material blind spot for this malware description.
- Use the FIN7 relationship as threat-intelligence context for prioritization, not as proof of current activity in the environment.
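One way to turn the correlation guidance above into a rule, as an added example that is not part of the ATT&CK object or the Flashpoint report: the script below classifies constructed, Sysmon-like endpoint events into the behaviours the SQLRat relationships list and alerts only when several distinct ones co-occur on one host inside a time window. The event field names, the signal names, the 30-minute window, the three-signal threshold and the sample events are all assumptions to be tuned against local telemetry.

```python
"""Chain-based detection over constructed endpoint events.

Added example, not code from the ATT&CK page or the Flashpoint report.
Event dicts are simplified, Sysmon-like records; field names, signal
names, the window and the threshold are assumptions to be tuned locally.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|ps1)\b", re.I)
ENC_FLAG = re.compile(r"\s-(e|ec|en|enc|encodedcommand)(\s|$)", re.I)
WINDOW = timedelta(minutes=30)

def is_private(ip):
    """RFC 1918 and loopback; a direct SQL connection to an external host is the interesting case."""
    return ip.startswith(("10.", "192.168.", "127.")) or bool(re.match(r"172\.(1[6-9]|2\d|3[01])\.", ip))

def classify(ev):
    """Map one event to the behaviour it evidences, or None if it is not interesting on its own."""
    img, kind = ev.get("image", "").lower(), ev["type"]
    if kind == "process":
        cmd, parent = ev.get("cmdline", ""), ev.get("parent", "").lower()
        if img in SCRIPT_HOSTS and parent in OFFICE_APPS:
            return "script_spawned_by_office"          # T1204.002: lure document runs a script
        if img == "schtasks.exe" and "/create" in cmd.lower() and SCRIPT_EXT.search(cmd):
            return "task_runs_script"                  # T1053.005: persistence via a script task
        if img == "powershell.exe" and ENC_FLAG.search(cmd):
            return "encoded_powershell"                # T1059.001 + T1027.010
    elif kind == "network":
        if img in SCRIPT_HOSTS and ev["dst_port"] == 1433 and not is_private(ev["dst_ip"]):
            return "mssql_from_script_host"            # T1105: tool retrieved over a direct SQL connection
    elif kind == "file_delete":
        if img in SCRIPT_HOSTS and SCRIPT_EXT.search(ev["path"]):
            return "script_deleted_by_script_host"     # T1070.004: script cleans up after itself
    return None

def detect(events, window=WINDOW, min_signals=3):
    """Alert per host when at least min_signals distinct behaviours occur within one window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sig = classify(ev)
        if sig:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), sig))
    alerts = []
    for host, sigs in by_host.items():
        for i, (t0, _) in enumerate(sigs):
            hit = {s for t, s in sigs[i:] if t - t0 <= window}
            if len(hit) >= min_signals:
                alerts.append({"host": host, "first_seen": t0.isoformat(), "signals": sorted(hit)})
                break  # one alert per host per chain; a production rule would key on process GUIDs
    return alerts

# Constructed sample events (not real telemetry). WS01 shows the full chain; WS02 is routine admin work.
EVENTS = [
    {"ts": "2024-05-01T09:00:05", "host": "WS01", "type": "process", "image": "wscript.exe",
     "parent": "winword.exe", "cmdline": r"wscript.exe C:\Users\a\AppData\Roaming\inv.js"},
    {"ts": "2024-05-01T09:00:10", "host": "WS01", "type": "process", "image": "schtasks.exe",
     "parent": "wscript.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "wscript.exe C:\Users\a\AppData\Roaming\upd.js"'},
    {"ts": "2024-05-01T09:00:12", "host": "WS01", "type": "network", "image": "wscript.exe",
     "dst_ip": "203.0.113.10", "dst_port": 1433},
    {"ts": "2024-05-01T09:00:20", "host": "WS01", "type": "process", "image": "powershell.exe",
     "parent": "wscript.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo"},
    {"ts": "2024-05-01T09:00:30", "host": "WS01", "type": "file_delete", "image": "wscript.exe",
     "path": r"C:\Users\a\AppData\Roaming\inv.js"},
    {"ts": "2024-05-01T10:00:00", "host": "WS02", "type": "process", "image": "schtasks.exe",
     "parent": "explorer.exe", "cmdline": r'schtasks /create /sc daily /tn Backup /tr "C:\Tools\backup.exe"'},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run as-is, the only alert is for WS01, carrying all five signals; WS02's scheduled-task creation produces no signal at all because its task does not run a script, which is the false-positive tuning point the list above asks for. Raising `min_signals` or shrinking `window` suppresses the WS01 alert, so the two knobs are the place to encode local tolerance for administrative scripting.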
Mitigation priorities
- Inventory and enable the telemetry needed to investigate script-based execution paths before relying on alert content.
- Harden and monitor scheduled task creation and command interpreter usage on systems where those related techniques apply.
- Improve PowerShell and command-line visibility, including retention sufficient for incident response and audit evidence.
- Apply least privilege and administrative control review around systems that can execute scripts or create scheduled tasks.
- Ensure file-transfer monitoring and egress/ingress controls can identify unusual tool movement into the environment.
Analyst notes and limits
The most decision-useful point is the mismatch between the malware behavior and common monitoring assumptions: SQLRat is described as using SQL scripts to reduce traditional host artifacts, while its ATT&CK relationships point to execution, persistence, stealth, and transfer behaviors that require broad telemetry correlation. The FIN7 relationship raises prioritization value, especially for industries listed in the supplied FIN7 description, but it should not be interpreted as evidence of present compromise.
ATT&CK provides no official detection guidance, no malware-specific tactics, and no malware-specific platforms for SQLRat in the supplied fields. Telemetry and mitigation recommendations are therefore derived conservatively from the official description and related ATT&CK techniques. Local architecture, database logging, endpoint coverage, and administrative baselines are required to determine actual exposure or detection coverage.
SQLRat
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070.004 | File Deletion (sub-technique) | SQLRat has been observed deleting scripts once used. [1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | SQLRat has used SQL to execute JavaScript and VB scripts on the host system. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk. [1] |
| Enterprise | T1204.002 | Malicious File (sub-technique) | SQLRat relies on users clicking on an embedded image to execute the scripts. [1] |
| Enterprise | T1027.010 | Command Obfuscation (sub-technique) | SQLRat has used a character insertion obfuscation technique, making the script appear to contain Chinese characters. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | SQLRat has scripts that are responsible for deobfuscating additional scripts. [1] |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | SQLRat has created scheduled tasks in |
| Enterprise | T1059.001 | PowerShell (sub-technique) | SQLRat has used PowerShell to create a Meterpreter session. [1] |
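The character-insertion obfuscation noted against T1027.010 argues for a normalization step before any keyword matching on script content. The following is an added example, not SQLRat's actual scheme and not code from the report: a constructed obfuscator interleaves CJK characters into a short JScript fragment, and the analyzer measures how often a CJK character sits directly between two Latin letters, strips those characters, and re-runs a marker match. The insertion pattern, the marker list, the 0.5 threshold and the samples are assumptions.

```python
"""Normalize-then-match check for character-insertion obfuscation.

Added example, not SQLRat's actual scheme and not code from the report.
The insertion pattern, the marker list and the threshold are assumptions.
"""
import re

CJK = re.compile(r"[\u3400-\u4dbf\u4e00-\u9fff]")   # CJK Unified Ideographs (basic block + extension A)
LATIN = re.compile(r"[A-Za-z]")
# Identifiers that commonly appear in JScript/VBScript droppers; an assumed, deliberately short list.
SCRIPT_MARKERS = re.compile(r"\b(WScript|CreateObject|ActiveXObject|eval|Execute|ADODB|Shell|Run)\b")

def interleave_ratio(text):
    """Share of CJK characters that sit directly between two Latin letters.

    Inserting filler inside identifiers pushes this toward 1; genuine Chinese prose
    that merely mentions English words keeps it near 0, because the words stay intact.
    """
    positions = [m.start() for m in CJK.finditer(text)]
    if not positions:
        return 0.0
    sandwiched = sum(
        1 for i in positions
        if 0 < i < len(text) - 1 and LATIN.match(text[i - 1]) and LATIN.match(text[i + 1])
    )
    return sandwiched / len(positions)

def strip_cjk(text):
    return CJK.sub("", text)

def analyze(text, ratio_threshold=0.5):
    """Compare marker hits before and after normalization; flag when stripping reveals script."""
    raw_hits = len(SCRIPT_MARKERS.findall(text))
    normalized_hits = len(SCRIPT_MARKERS.findall(strip_cjk(text)))
    ratio = interleave_ratio(text)
    return {
        "interleave_ratio": round(ratio, 2),
        "markers_raw": raw_hits,
        "markers_normalized": normalized_hits,
        "suspicious": ratio >= ratio_threshold and normalized_hits > raw_hits,
    }

def insert_noise(clean, filler="汉字"):
    """Constructed obfuscator used only to build the sample: one filler character after every Latin letter."""
    out = []
    for i, ch in enumerate(clean):
        out.append(ch)
        if LATIN.match(ch):
            out.append(filler[i % len(filler)])
    return "".join(out)

# Constructed samples: a short JScript dropper fragment, its obfuscated form, and benign Chinese prose.
CLEAN = 'var sh = new ActiveXObject("WScript.Shell"); sh.Run("cmd /c whoami");'
OBFUSCATED = insert_noise(CLEAN)
PROSE = "这是一个 Test 文档，里面提到 ActiveXObject 这个词。"

if __name__ == "__main__":
    print(analyze(OBFUSCATED))   # suspicious: True
    print(analyze(PROSE))        # suspicious: False
```

The point the two samples make is that the raw marker count alone separates nothing: the obfuscated dropper scores zero markers while the benign prose scores one. Only the pair of observations, a high interleave ratio plus markers that appear after stripping, distinguishes filler inside identifiers from legitimate mixed-language text, and that pair is what a content-inspection rule on script files should key on.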
Groups, software, and campaigns
G0046: FIN7
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 39d68fb07d18… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Flashpoint FIN 7 March 2019: Platt, J. and Reeves, J. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
- [2] SQLRat (alias entry; citation: Flashpoint FIN 7 March 2019).
- [3] mitre-attack: S0390.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.