
FeatureRequest: Add xp_cmdshell and other RCE procedures to audit

Open PfiatDe opened this issue 3 years ago • 4 comments

Maybe I am missing something, but the audit seems to look for xp_dirtree and xp_fileexists but not for xp_cmdshell. It is a critical part of the audit if command execution is directly possible for a user or it is allowed to enable xp_cmdshell.

Also some other known procedures like "sp_execute_external_script" would be nice to get audited, to not miss them. Is this possible to add?

PfiatDe avatar Aug 20 '21 06:08 PfiatDe

I have it covered in the wiki, but it would be a good thing to cover in the functions as well. I'll take a look when I have some time and hit you back.

https://github.com/NetSPI/PowerUpSQL/wiki/SQL-Server-Detective-Control-Cheat-Sheet

nullbind avatar Aug 21 '21 01:08 nullbind

Sorry I misunderstood this request initially.

The following functions will show all SQL Server audits configured to monitor for common command execution techniques.

  • Get-SQLAuditDatabaseSpec
  • Get-SQLAuditServerSpec

However, I do not have a stand-alone function to check if the current user has the required privilege to run the command execution methods.

In the absence of such a function, the cheat sheet below provides instructions for running OS commands through SQL Server.

https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet

Each function will check to see if the necessary privileges are available before attempting to run the command.

  • XP_CMDSHELL: Invoke-SQLOSCmd
  • Custom XP: Create-SQLFileXpDll
  • Custom CLR: Invoke-SQLOSCLR
  • OLE: Invoke-SQLOSOle
  • R - sp_execute_external_script: Invoke-SQLOSR
  • Python - sp_execute_external_script: Invoke-SQLOSPython
  • Agent-cmdexec: Invoke-SQLOSCmdAgentJob -SubSystem CmdExec
  • Agent-vbscript: Invoke-SQLOSCmdAgentJob -SubSystem VBScript
  • Agent-jscript: Invoke-SQLOSCmdAgentJob -SubSystem JScript
  • Agent-powershell: Invoke-SQLOSCmdAgentJob -SubSystem PowerShell

nullbind avatar Aug 21 '21 14:08 nullbind

Thanks for the reply and the information. It is of course possible to first go with Invoke-SQLAuditWeakLoginPw and then try all the possible logins with Invoke-SQLOSCmd and all the other ones you mentioned; however, I find this quite time consuming.

At least for my use case (Pentests) it would be quite cool to audit everything in one run, without further manual interaction. And Command Execution on the server is, for a classic Pentest, a bigger impact than XP_Dirtree, etc. But if there is no plan to integrate this directly, no worry, I can still write a wrapper script around this to get this automated.

By the way, thanks for this great tool, brought up some nice ways for Lateral Movement.

PfiatDe avatar Aug 22 '21 12:08 PfiatDe

Thanks, I’m glad it’s been useful. Your idea is still a good one for all the reasons you mentioned. So I’ll keep this request open until I can find some time to write up a new function and test it in the lab.

nullbind avatar Aug 22 '21 19:08 nullbind
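An added example of the kind of read-only audit check this request asks for (it is not PowerUpSQL's code and not the function the maintainer refers to). It reports, per instance, whether the command-execution related settings are enabled and whether the current login holds the permission that would let it enable them; it assumes Windows-integrated authentication and uses a placeholder instance name.

```powershell
# Added example, not part of PowerUpSQL. Reads sys.configurations and the
# current login's permissions so an auditor can record, in one pass, whether
# OS command execution is enabled or could be enabled by this login.
# Assumes Windows-integrated auth; the instance name below is a placeholder.
function Get-SqlCmdExecAudit {
    param(
        [Parameter(Mandatory)] [string] $Instance,   # e.g. 'SQLSERVER01\PROD' (placeholder)
        [int] $TimeoutSeconds = 5
    )
    # sp_configure on these settings needs ALTER SETTINGS (sysadmin holds it implicitly)
    $query = @"
SELECT
    SUSER_SNAME()                                   AS login_name,
    IS_SRVROLEMEMBER('sysadmin')                    AS is_sysadmin,
    HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SETTINGS') AS can_alter_settings,
    c.name                                          AS setting,
    CAST(c.value_in_use AS int)                     AS value_in_use
FROM sys.configurations AS c
WHERE c.name IN ('xp_cmdshell',
                 'Ole Automation Procedures',
                 'external scripts enabled',
                 'clr enabled',
                 'Agent XPs');
"@
    $connString = "Server=$Instance;Integrated Security=SSPI;Connect Timeout=$TimeoutSeconds"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $query
    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $table.Load($cmd.ExecuteReader())
    } finally {
        $conn.Close()
    }
    foreach ($row in $table.Rows) {
        [pscustomobject]@{
            Instance  = $Instance
            Login     = $row.login_name
            Setting   = $row.setting
            Enabled   = ($row.value_in_use -eq 1)
            # True when the login could flip the setting itself via sp_configure
            CanEnable = ($row.is_sysadmin -eq 1 -or $row.can_alter_settings -eq 1)
        }
    }
}

# Usage (constructed instance name):
# Get-SqlCmdExecAudit -Instance 'SQLSERVER01\PROD' | Format-Table -AutoSize
```

A setting reported as Enabled, or as CanEnable for a non-admin login, is the finding to record; the check changes nothing on the server.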