
Requested Feature: Nested Impersonation

Open nullbind opened this issue 6 years ago • 3 comments

Would it be possible to implement nested impersonation capabilities in the scenario in which you cannot go straight to sysadmin? If not, am I missing an understanding as to why it is not possible?

nullbind, Sep 06 '18 14:09

You are correct, nested impersonation is possible in SQL Server, both at the SQL Server login and database user levels. We have done it manually a few times, but haven't taken the time to automate it yet. I'll put it in our follow-up list, and see if we can get it addressed before EOY. I think we'd like to add the feature as a "-Recursive" or "-Nested" flag in the existing "Invoke-SQLAuditPrivImpersonateLogin" and "Invoke-SQLAuditPrivImpersonateLogin" functions.

nullbind, Sep 06 '18 15:09
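
For auditing the server-login case described in the comment above, here is an added example (not PowerUpSQL code and not written by anyone in this thread): a T-SQL query that follows IMPERSONATE grants recursively so a DBA can review and revoke chains that end at a sysadmin login. It assumes only GRANT rows matter (DENY entries are ignored), covers server logins only (not database users), and shows only what the caller's metadata visibility allows.

```sql
-- Added audit example: list server-level IMPERSONATE grant chains,
-- including nested ones, for review of excessive grants.
WITH grants AS (
    SELECT grantee.principal_id AS grantee_id,
           grantee.name         AS grantee_name,
           target.principal_id  AS target_id,
           target.name          AS target_name
    FROM sys.server_permissions AS p
    JOIN sys.server_principals  AS grantee
      ON grantee.principal_id = p.grantee_principal_id
    JOIN sys.server_principals  AS target
      ON target.principal_id = p.major_id       -- login that can be impersonated
    WHERE p.class_desc = 'SERVER_PRINCIPAL'
      AND p.permission_name = 'IMPERSONATE'
      AND p.state IN ('G', 'W')                 -- GRANT / GRANT WITH GRANT OPTION
),
chain AS (
    -- Anchor: every direct grant is a chain of depth 1.
    SELECT grantee_id AS start_id, grantee_name AS start_name,
           target_id, target_name,
           1 AS depth,
           CAST('/' + CAST(grantee_id AS varchar(12)) + '/'
                    + CAST(target_id  AS varchar(12)) + '/' AS varchar(4000)) AS id_path,
           CAST(grantee_name + N' -> ' + target_name AS nvarchar(4000))       AS name_path
    FROM grants
    UNION ALL
    -- Recursive step: extend the chain through the login reached so far.
    SELECT c.start_id, c.start_name, g.target_id, g.target_name,
           c.depth + 1,
           CAST(c.id_path + CAST(g.target_id AS varchar(12)) + '/' AS varchar(4000)),
           CAST(c.name_path + N' -> ' + g.target_name AS nvarchar(4000))
    FROM chain AS c
    JOIN grants AS g
      ON g.grantee_id = c.target_id
    -- Skip logins already on the path so circular grants terminate.
    WHERE CHARINDEX('/' + CAST(g.target_id AS varchar(12)) + '/', c.id_path) = 0
)
SELECT start_name, target_name, depth, name_path,
       IS_SRVROLEMEMBER('sysadmin', target_name) AS target_is_sysadmin
FROM chain
ORDER BY target_is_sysadmin DESC, depth, start_name;
```

Rows with `depth` greater than 1 are the nested chains; each arrow in `name_path` corresponds to one grant that can be removed with `REVOKE IMPERSONATE ON LOGIN`.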

Thanks for adding the feature request for me. I'll keep working on it and submit a pull request once I get a functioning version.

D00MFist, Sep 06 '18 17:09

No worries, thanks for reaching out. It should be a fun feature. I'm curious to see what trends it may uncover once we find an opportunity to run it at scale. Cool stuff!

nullbind, Sep 07 '18 16:09