The attack commences with threat actors exploiting an SQL injection vulnerability within an application on the target’s endpoint. Once they gain access, along with elevated privileges, to the instance hosted on an Azure VM, they wield SQL commands to extract vital information. This includes databases, table names, schemas, database versions, and more. Depending on the targeted application’s vulnerability, the threat actors can even execute operating system (OS) commands via SQL. This grants them access to read directories, download PowerShell scripts, establish backdoors via scheduled tasks, acquire user credentials, and more.