Composite behavior indicating remote lateral movement over SMB followed by service-based execution of a staged payload delivered through mshta invoking msiexec from remote infrastructure. The sequence combines IPC$ share access, SAMR and SVCCTL RPC binding, service control pipe interaction, and remote command execution consistent with administrative service creation or modification to execute a downloaded installer. This pattern is strongly associated with hands-on-keyboard intrusion activity and automated lateral propagation frameworks leveraging Windows service execution for payload deployment.

MSSQL session sequence performing automated server reconnaissance through multiple sp_server_info calls, case-sensitivity probing, charset and configuration enumeration from master.dbo tables, and session environment adjustments (set textsize, set arithabort on). The observed queries indicate scripted capability discovery and environment profiling based strictly on database command activity.

Identifies a coordinated Microsoft SQL Server reconnaissance sequence where the client sets session options (SET ARITHABORT ON, SET TEXTSIZE), invokes sp_server_info, performs a case-sensitivity probe, and enumerates syscharsets. This tightly grouped activity pattern reflects automated environment fingerprinting and configuration discovery typically executed immediately after successful connection to an exposed MSSQL service. The behavior is indicative of tooling-driven reconnaissance to assess server configuration, collation behavior, and encoding characteristics prior to follow-on exploitation or credential abuse.