FeatureRequest: Add xp_cmdshell and other RCE procedures to audit #71
Comments
I have it covered in the wiki, but it would be a good thing to cover in the functions as well. I’ll take a look when I have some time and hit you back. https://github.com/NetSPI/PowerUpSQL/wiki/SQL-Server-Detective-Control-Cheat-Sheet
Sorry I misunderstood this request initially. The following functions will show all SQL Server audits configured to monitor for common command execution techniques.
However, I do not have a standalone function to check if the current user has the required privilege to run the command execution methods. In the absence of such a function, the cheat sheet below provides instructions for running OS commands through SQL Server. https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet Each function will check to see if the necessary privileges are available before attempting to run the command.
Thanks for the reply and the information. At least for my use case (Pentests) it would be quite cool to audit everything in one run, without further manual interaction. And Command Execution on the server is for a classic Pentest a bigger impact than XP_Dirtree, etc. By the way, thanks for this great tool, brought up some nice ways for Lateral Movement.
Thanks, I’m glad it’s been useful. Your idea is still a good one for all the reasons you mentioned. So I’ll keep this request open until I can find some time to write up a new function and test it in the lab.
Maybe I am missing something, but the audit seems to look for xp_dirtree and xp_fileexists but not for xp_cmdshell.
It is a critical part of the audit, if command execution is directly possible for a user or it is allowed to enable the xp_cmdshell.
Also some other known procedures like "sp_execute_external_script" would be nice to get audited, to not miss them.
Is this possible to add?
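
A read-only T-SQL sketch of the checks this issue asks for (is `xp_cmdshell` or `sp_execute_external_script` usable, by whom, and who could enable it), as an added example that is not part of the thread and not PowerUpSQL's own code. It assumes SQL Server 2016 or later for the external-script permission, and the rows returned depend on the metadata visibility of the login running it.

```sql
-- Added example: read-only hardening audit, no settings are changed.
USE master;

-- 1. Are the command-execution features switched on right now?
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'external scripts enabled');

-- 2. What can the current login do? (1 = yes, 0 = no, NULL = not applicable)
SELECT
    IS_SRVROLEMEMBER(N'sysadmin')                            AS is_sysadmin,
    HAS_PERMS_BY_NAME(NULL, NULL, N'ALTER SETTINGS')         AS can_run_sp_configure,
    HAS_PERMS_BY_NAME(N'xp_cmdshell', N'OBJECT', N'EXECUTE') AS can_exec_xp_cmdshell,
    HAS_PERMS_BY_NAME(DB_NAME(), N'DATABASE',
                      N'EXECUTE ANY EXTERNAL SCRIPT')        AS can_exec_external_script;

-- 3. Explicit grants or denies on xp_cmdshell to non-sysadmin principals.
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1
  AND pe.major_id = OBJECT_ID(N'sys.xp_cmdshell');

-- 4. Non-sysadmins can only use xp_cmdshell when this proxy credential exists.
SELECT name, credential_identity
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';

-- 5a. Role members who can turn a disabled feature back on.
SELECT m.name AS login_name, m.type_desc, r.name AS via_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'serveradmin');

-- 5b. Logins granted the same ability directly.
SELECT sp.name AS login_name, sp.type_desc, pe.permission_name
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS sp
  ON sp.principal_id = pe.grantee_principal_id
WHERE pe.permission_name IN (N'ALTER SETTINGS', N'CONTROL SERVER')
  AND pe.state IN ('G', 'W');
```

A feature reported as disabled in step 1 is still a finding when steps 5a or 5b list principals beyond the expected administrators, since any of them can re-enable it.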