Oracle Database Scheduler Exploited for Command Execution and Ransomware Deployment
October 3rd, 2025
High
Our Cyber Threat Intelligence Unit has observed multiple incidents where threat actors abused Oracle Database Scheduler’s External Jobs feature to gain initial access and establish persistence inside enterprise environments. By authenticating as privileged database users (e.g., SYSDBA) and invoking the scheduler’s extjobo.exe utility, adversaries executed arbitrary OS commands directly on Windows database hosts. Observed activity included executing Base64-encoded PowerShell, creating rogue local administrator accounts (e.g., “Admine”), deploying Ngrok tunnels for encrypted remote access, staging reverse shells, and in some cases deploying ransomware. This technique minimizes disk artifacts by piping encoded payloads into memory and exploits the trusted position of database servers to gain deeper access to corporate networks.
Technical Details
Attack Type: Abuse of legitimate Oracle Database Scheduler functionality for remote command execution.
Severity: High
Delivery Method:
Credential harvesting, brute-force, or credential stuffing against exposed Oracle listener ports (TCP/1521).
Successful privileged DB logins (SYSDBA or scheduler-enabled accounts).
Abuse of Oracle Scheduler External Jobs (extjobo.exe) to run arbitrary OS commands.
Technique:
extjobo.exe accepts commands over a named pipe, executing them under the OracleJobScheduler service account.
Adversaries invoke it with parameters such as: extjobo.exe -noservice -exec C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand <Base64Payload>
Activity observed:
Reconnaissance and host profiling.
Downloading second-stage payloads (test3.bat, tfod.cmd).
Creation of new local administrator accounts (e.g., Admine).
Configuration of Ngrok tunnels (ngrok.yml with auth tokens).
Scheduled task creation (SCHTASKS.exe) to maintain persistence.
Execution of reverse shells and, in some cases, deployment of ransomware families (e.g., ProximaBlackshadow).
Temporary batch files were deleted post-execution to hinder forensic recovery.
Requirements:
Privileged DB authentication (SYSDBA or equivalent).
Scheduler privileges enabling External Job execution.
Network reachability to exposed Oracle listener ports if brute-forced externally.

Impact
Full OS-level command execution on the database host as the OracleJobScheduler service account.
Privilege escalation via local admin creation, enabling lateral movement.
Long-term access established through Ngrok tunnels and scheduled tasks without obvious inbound connections.
Use of the database host as a trusted pivot for data exfiltration or ransomware deployment, leading to potential data loss, disruption, and reputational damage.
Detection Method
Authentication monitoring:
Audit unusual privileged logins (SYSDBA, DBA accounts) from unfamiliar IPs.
Detect login storms (multiple failed attempts followed by a success).
Process & command-line monitoring
Alert on extjobo.exe executions with -exec and -EncodedCommand arguments.
Monitor PowerShell processes spawned under the OracleJobScheduler service context.
File & account indicators
Unexpected creation of local admin accounts (e.g., Admine).
Detection of transient files such as test3.bat, tfod.cmd.
Presence of ngrok.yml or Ngrok tokens on database hosts.
Network indicators
Outbound connections to known Ngrok infrastructure (*.ngrok.io).
Unusual tunnels or encrypted traffic originating from database servers.
Scheduler telemetry
Review Oracle Scheduler job history for unexpected external job executions.
Audit named-pipe activity associated with extjobo.exe.
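The process and command-line detection points above, worked as an added example (this is not code from the advisory): it triages process-creation events for extjobo.exe launching commands via -exec, decodes any -EncodedCommand payload to plaintext for analyst review, and flags PowerShell spawned in the Oracle Scheduler service context. The field names (Image, ParentImage, User, CommandLine) are assumptions modelled on Sysmon Event ID 1, and the sample events and paths are constructed.

```python
import base64
import re

# PowerShell accepts -e, -ec, -enc and -EncodedCommand (case-insensitive); the payload is
# base64 of UTF-16LE text, so decoding it gives analysts the plaintext without running it.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")

def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand payload, or None if absent/undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_event(ev: dict) -> list:
    """Reasons this process-creation event matches the detection points above (empty = clean)."""
    reasons = []
    image, parent, cmd = _basename(ev["Image"]), _basename(ev["ParentImage"]), ev["CommandLine"]
    if image == "extjobo.exe" and re.search(r"(?i)\s-exec\b", cmd):
        reasons.append("extjobo.exe ran an OS command via -exec (External Job abuse)")
    plain = decode_encoded_command(cmd)
    if plain is not None:
        reasons.append(f"encoded PowerShell decoded: {plain!r}")
    if image in ("powershell.exe", "pwsh.exe") and (
            parent == "extjobo.exe" or "oraclejobscheduler" in ev.get("User", "").lower()):
        reasons.append("PowerShell spawned in Oracle Scheduler service context")
    return reasons

# Constructed sample telemetry (Sysmon Event ID 1 style fields): a benign host-profiling
# command like the reconnaissance stage described above, encoded the way PowerShell expects.
SAMPLE_B64 = base64.b64encode("whoami; hostname".encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    {"Image": r"C:\oracle\product\19c\bin\extjobo.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": r"extjobo.exe -noservice -exec "
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand " + SAMPLE_B64},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\oracle\product\19c\bin\extjobo.exe",
     "User": r"HOST\OracleJobSchedulerORCL", "CommandLine": "powershell.exe -EncodedCommand " + SAMPLE_B64},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"HOST\alice", "CommandLine": r"notepad.exe C:\notes.txt"},
]

def triage_all(events=SAMPLE_EVENTS) -> dict:
    """Map each flagged event's Image to its reasons; clean events are omitted."""
    return {ev["Image"]: r for ev in events if (r := triage_event(ev))}
```

Feed real process-creation events through triage_all and route any non-empty result to the SOC; the decoded plaintext is what to preserve for the investigation, since the batch files the actors drop are deleted after use.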
Indicators of Compromise
Type | Value |
Filename | test3.bat |
Filename | tfod.cmd |
Local account | Admine (unexpected admin user) |
Domain / Network | *.ngrok.io (Ngrok endpoints) |
Process commandline | extjobo.exe -noservice -exec powershell.exe -EncodedCommand <Base64> |
Config file | ngrok.yml containing auth tokens |
Scheduler abuse | Invocation of Oracle Database Scheduler External Jobs (extjobo.exe) |
Persistence | Creation of scheduled tasks via SCHTASKS.exe |
Anti-forensics | Deletion of temporary batch files after execution |
Credential access pattern | Multiple failed SYSDBA login attempts followed by success (brute force / stuffing) |

Recommendations
Network controls
Restrict Oracle listener ports (TCP/1521) to trusted subnets.
Block external exposure of Oracle listener services by default.
Account hardening
Audit privileged DB accounts; rotate SYSDBA and service credentials.
Apply least-privilege to Scheduler roles; restrict who can run External Jobs.
Host & service hardening
Limit access to extjobo.exe and harden named-pipe permissions.
Alert on encoded PowerShell execution and suspicious scheduler job creation.
Restrict installation and execution of tunneling tools (Ngrok, FRP, etc.).
Incident response readiness
If compromise is suspected, isolate affected database hosts immediately.
Collect memory images, Scheduler job history, named-pipe traces, and forensic artifacts before remediation.
Rotate affected credentials and verify host integrity before reconnecting to production networks.
Conclusion
Abuse of Oracle Database Scheduler External Jobs represents a stealthy and increasingly prevalent attacker technique. By chaining privileged DB access with extjobo.exe invocation, adversaries achieve in-memory execution of malicious payloads, evading disk-based detection and leveraging database hosts as high-trust pivot points. We urge organizations to treat Scheduler privileges as highly sensitive, restrict listener access, and continuously monitor for anomalous Scheduler, PowerShell, and tunneling activity. Rapid isolation and forensic investigation are essential upon detecting suspicious extjobo.exe usage.