Back to Intelligence

AVideo Unauthenticated SQL Injection & Metasploit Persistence Modules: Detection & Response

SA
Security Arsenal Team
April 17, 2026
6 min read

The Metasploit Framework update for April 17, 2026, significantly expands the arsenal available to adversaries—and by extension, the toolkit for red teams and penetration testers. This release introduces seven new modules, headlined by a critical unauthenticated SQL Injection (SQLi) flaw in AVideo (formerly VideoWhisper) that allows for credential dumping. Additionally, the release includes modules establishing persistence on Windows endpoints via Microsoft BITS, PowerShell profiles, and Telemetry scheduled tasks. For defenders, this is not just a feature update; it is a signal that these specific attack vectors are now trivial to execute. Immediate validation of defenses against AVideo exploitation and Windows persistence mechanisms is required.

Technical Analysis

1. AVideo Unauthenticated SQL Injection (Credential Dump)

  • Affected Product: AVideo (Platform version not specified in advisory; assume all versions prior to latest patch).
  • Module Path: gat (Pull Request #21075).
  • Attack Vector: Unauthenticated SQL Injection.
  • Mechanism: The module targets a vulnerability in the AVideo web application that allows attackers to inject malicious SQL queries via unauthenticated HTTP requests. The specific module functionality focuses on dumping credentials from the database, likely targeting the users table to harvest administrative hashes or plaintext passwords depending on the storage configuration.
  • Impact: Successful exploitation grants the attacker full access to the application database, leading to credential theft, potential administrative takeover of the AVideo platform, and a likely pivot into the internal network.
  • Exploitation Status: The release of a Metasploit module lowers the barrier to entry significantly. While the news summary does not explicitly state active exploitation in the wild (ITW), the availability of an automated auxiliary module typically precedes widespread scanning and exploitation by automated botnets.

2. Windows Persistence Modules

The update also codifies three persistence techniques targeting Windows environments:

  • Microsoft BITS: Abuse of the Background Intelligent Transfer Service to maintain persistence by scheduling jobs that download and execute payloads.
  • PowerShell Profiles: Modifying PowerShell profile scripts ($PROFILE) to execute malicious code upon shell initialization.
  • Telemetry Scheduled Tasks: Creating or modifying scheduled tasks related to Windows telemetry to execute unauthorized code.

These techniques are stealthy, leveraging legitimate system utilities to blend in with normal administrative traffic and system operations.

Detection & Response

The following detection rules and hunts are designed to identify the exploitation of the AVideo SQLi vulnerability and the implementation of the highlighted Windows persistence mechanisms.

SIGMA Rules

YAML
---
title: AVideo Potential SQL Injection Attempt
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects potential SQL injection attempts against AVideo web interfaces based on common SQLi patterns found in Metasploit modules.
references:
  - https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-04-17-2026
author: Security Arsenal
date: 2026/04/17
tags:
  - attack.initial_access
  - attack.t1190
  - attack.web_shell
logsource:
  category: web
detection:
  selection_uri:
  - cs-uri-query|contains:
    - 'UNION SELECT'
    - 'OR 1=1'
    - 'AND 1=1'
    - 'order by'
    - 'concat('
  selection_target:
    cs-uri-stem|contains:
    - '/video'
    - '/avideo'
    - '/view'
  condition: selection_uri and selection_target
falsepositives:
  - Valid application testing (rare for these patterns)
level: high
---
title: Suspicious PowerShell Profile Modification
id: b1c2d3e4-f5a6-7890-1234-567890abcdef
status: experimental
description: Detects modification of PowerShell profile files which can be used for persistence.
references:
  - https://attack.mitre.org/techniques/T1546/013/
author: Security Arsenal
date: 2026/04/17
tags:
  - attack.persistence
  - attack.t1546.013
logsource:
  category: file_change
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\\Microsoft.Windows.PowerShell_profile.ps1'
      - '\\Profile.ps1'
  filter:
    Image|endswith:
      - '\\powershell.exe'
      - '\\code.exe'
      - '\
otepad.exe'
  condition: selection
falsepositives:
  - Administrators legitimately customizing their profiles
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for AVideo SQLi patterns in Web Logs (CommonSecurityLog or W3CIISLog)
// Look for typical injection strings targeting the application
let sqli_keywords = dynamic([\"UNION SELECT\", \"ORDER BY 1--\", \"concat(0x\", \"information_schema\", \"waitfor delay\"]);
CommonSecurityLog
| where RequestURL contains \"video\" or RequestURL contains \"avideo\"
| where RequestURL has_any (sqli_keywords) or RequestPayload has_any (sqli_keywords)
| project TimeGenerated, DeviceName, SourceIP, RequestURL, RequestPayload, DestinationPort
| summarize count() by bin(TimeGenerated, 1h), SourceIP, RequestURL
| where count_ > 5


// Hunt for BITS Admin usage for persistence
// Malicious actors use bitsadmin to create jobs that execute payloads
DeviceProcessEvents
| where FileName =~ \"bitsadmin.exe\"
| where ProcessCommandLine has \"addfile\" or ProcessCommandLine has \"SetNotifyCmdLine\" or ProcessCommandLine has \"SetNotifyFlags\"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for AVideo configuration disclosure or Webshells
-- AVideo often installs in /var/www/html/avideo or similar
-- This hunt looks for common webshells or suspicious PHP files in the webroot
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs='/var/www/html/**/*.php')
WHERE Mode.IsExecutable
  AND (
    -- Look for recently modified PHP files (last 7 days)
    Mtime > now(epoch=true) - 604800
    -- Or common obfuscation patterns in filenames (heuristic)
    OR Name =~ 'shell'
    OR Name =~ 'upload'
    OR Name =~ 'cmd'
  )
LIMIT 50

Remediation Script (Bash)

Bash / Shell
#!/bin/bash
# AVideo Hardening and Log Check Script
# This script checks for evidence of SQLi attempts in logs and verifies permissions.

# Check if AVideo is installed and get path
AVIDEO_PATH=$(find /var/www/html -type d -name \"avideo\" 2>/dev/null | head -n 1)

if [ -n \"$AVIDEO_PATH\" ]; then
    echo \"[+] AVideo installation found at: $AVIDEO_PATH\"

    # Check for common SQLi signatures in Apache/Nginx logs (last 24 hours)
    LOG_DIR=\"/var/log\"
    echo \"[*] Scanning for SQL injection attempts in logs...\"

    # Grep for SQLi patterns (heuristic)
    grep -E \"UNION.*SELECT|ORDER BY.*[0-9]--|information_schema\" $(find $LOG_DIR -name \"access.log\" -o -name \"access.log.*\" -mtime -1) 2>/dev/null | tail -n 20

    if [ $? -eq 0 ]; then
        echo \"[!] WARNING: Potential SQLi patterns found in logs. Review above output.\"
    else
        echo \"[+] No obvious SQLi patterns found in recent logs.\"
    fi

    # Ensure config files are not world-readable (if sensitive info resides there)
    echo \"[*] Checking configuration permissions...\"
    find \"$AVIDEO_PATH\" -name \"config.php\" -o -name \"*.ini\" | while read file; do
        perms=$(stat -c %a \"$file\")\        if [ \"$perms\" != \"600\" ] && [ \"$perms\" != \"640\" ]; then
            echo \"[!] Insecure permissions on $file: $perms\"
        fi
    done
else
    echo \"[-] AVideo installation not found in /var/www/html.\"
fi

echo \"[*] Remind: Apply the latest vendor patches for AVideo immediately.\"

Remediation

  1. Patch AVideo Immediately:

    • Identify all instances of AVideo (formerly VideoWhisper) within your environment.
    • Apply the latest security patches provided by the vendor. If a specific CVE is not yet assigned, monitor the AVideo GitHub repository or vendor advisories for the release corresponding to the fix for the gat module exploit.
    • Workaround: If patching is delayed, restrict access to the AVideo interface to trusted IP addresses via WAF or network ACLs.

  2. Harden Windows Persistence Vectors:

    • Microsoft BITS: Use AppLocker or similar application whitelisting to restrict the execution of bitsadmin.exe to only specific service accounts or administrators.
    • PowerShell Profiles: Implement PowerShell Constrained Language Mode or audit all scripts that modify $PROFILE paths. Monitor the creation of files in C:\\Users\\*\\Documents\\WindowsPowerShell\\.
    • Telemetry Tasks: Review and audit Scheduled Tasks in Task Scheduler Library\\Microsoft\\Windows\\Application Experience or similar telemetry paths. Disable tasks that are not required for business operations.

  3. Network Monitoring:

    • Deploy Web Application Firewall (WAF) rules to block common SQL injection patterns, specifically targeting the URIs associated with AVideo.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosureavideometasploitsql-injection

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action