NetSPI / PowerUpSQL

PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server

Invoke-SQLAgentJob as another method for command execution #9

Closed leoloobeek closed 7 years ago

leoloobeek commented 7 years ago

Start MSSQL Agent Jobs on servers where the SQL Agent service is running. These jobs can run operating system commands in the context of the service account, opening up an alternative to xp_cmdshell.

The base SQL query and idea came from Nicholas Popovich (@pipefish_). The blog post can be found at https://www.optiv.com/blog/mssql-agent-jobs-for-command-execution.

I went with creating one common function to do this for us; if you think moving it to one of the Audit functions is better, I can refactor the code to fit. As always, let me know if my code sucks or if there are more optimal SQL queries.

Tested against:

Does obviously require the SQL Agent service to be running, which is not the default. Although, I have seen this in production environments.

More info: https://technet.microsoft.com/en-us/library/ms189237(v=sql.105).aspx https://msdn.microsoft.com/en-us/library/ms188283.aspx

egru commented 7 years ago

Thanks for the request. I'll have @nullbind take a look, but it looks good from my view.

nullbind commented 7 years ago

I took a quick look at this and I love the idea. It's in line with some other agent-related things I was doing. I'll most likely merge it once the holiday starts so I can have time to play with it a little more.

However, I may rework it a little bit once it's merged. I was thinking about the following updates:

Long term I would like the "Invoke-SQLOSCmd" function to check for all common OS execution options instead of just xp_cmdshell. Below is the general road map for the OS command execution functions I have in mind at the moment.

Those will also feed into the basic audit/exploit scripts to determine if a non sysadmin can leverage jobs to escalate privs.
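The audit angle raised in this thread, that Agent jobs run OS commands as the Agent service account and that a non-sysadmin holding an Agent role in msdb can create them, can be checked from the defender's side with plain T-SQL. The following is an added example written for this page, not code from the PowerUpSQL PR or the project; it assumes the caller can read msdb (sysadmin, or at least SQLAgentReaderRole in msdb) and that the Agent catalog tables have their documented layout.

```sql
-- Added audit queries (not part of PowerUpSQL): surface SQL Agent jobs whose
-- steps execute outside T-SQL, and the principals able to create such jobs.
-- Assumption: run by a login that can read msdb (sysadmin or SQLAgentReaderRole).
USE msdb;

-- 1. Jobs with steps that leave the T-SQL subsystem (CmdExec, PowerShell,
--    ActiveScripting), who owns them, whether they run under a proxy, and the
--    outcome of their most recent execution. A NULL proxy_id means the step
--    runs directly as the SQL Agent service account.
WITH LastRun AS (
    SELECT h.job_id, h.step_id, h.run_status, h.run_date, h.run_time,
           ROW_NUMBER() OVER (PARTITION BY h.job_id, h.step_id
                              ORDER BY h.run_date DESC, h.run_time DESC) AS rn
    FROM dbo.sysjobhistory AS h
)
SELECT j.name                        AS job_name,
       j.enabled,
       SUSER_SNAME(j.owner_sid)      AS job_owner,
       s.step_id,
       s.step_name,
       s.subsystem,
       s.proxy_id,                   -- NULL = Agent service account context
       s.command,
       CASE lr.run_status
            WHEN 0 THEN 'Failed'
            WHEN 1 THEN 'Succeeded'
            WHEN 2 THEN 'Retry'
            WHEN 3 THEN 'Canceled'
            WHEN 4 THEN 'In progress'
            ELSE 'Never run'
       END                           AS last_outcome,
       lr.run_date,
       lr.run_time
FROM dbo.sysjobs AS j
JOIN dbo.sysjobsteps AS s
  ON s.job_id = j.job_id
LEFT JOIN LastRun AS lr
  ON lr.job_id = j.job_id AND lr.step_id = s.step_id AND lr.rn = 1
WHERE s.subsystem IN ('CmdExec', 'PowerShell', 'ActiveScripting')
ORDER BY j.name, s.step_id;

-- 2. Principals holding one of the msdb Agent roles. Anyone listed here can
--    create or run jobs without being sysadmin, which is the privilege boundary
--    the thread discusses; review each member and drop unneeded memberships.
SELECT r.name      AS agent_role,
       p.name      AS member_name,
       p.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name IN ('SQLAgentUserRole', 'SQLAgentReaderRole', 'SQLAgentOperatorRole')
ORDER BY r.name, p.name;
```

Both result sets are worth keeping as a periodic baseline: a new row in the first query (a job step that switched to CmdExec or PowerShell, or a job owned by an unexpected login) or in the second (a new Agent role member) is a concrete signal to investigate, and the `proxy_id` column shows which steps inherit the full service-account context rather than a scoped proxy credential.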

leoloobeek commented 7 years ago

Looks to be addressed in commit 6e30f5d. Going to close this, thanks!