SQL Server credential objects can store usernames and passwords used for authenticating to external resources, and threat actors can abuse these credentials to run code as different user accounts. The article also outlines how penetration testers and red teams can hijack existing credential objects via SQL Server Agent jobs to escalate privileges, with a detailed walkthrough and detection guidance. #SQLServer #CredentialObjects
Keypoints
- SQL Server credential objects store usernames and passwords for authenticating to external resources.
- Threat actors can abuse these credentials to execute code as different user accounts.
- Obtaining cleartext passwords from credential objects requires local administrative privileges, which may not always be available.
- SQL Server Agent jobs can hijack credential objects to execute commands without needing passwords.
- The technique can execute OS commands via proxy accounts configured for Agent jobs.
- Detection opportunities include monitoring for creation/use of proxy accounts and related SQL Server procedures (sp_add_proxy, sp_grant_proxy_to_subsystem) and event ID 33205 in Windows Application logs.
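The detection keypoints above name the procedures to watch (sp_add_proxy, sp_grant_proxy_to_subsystem) but the state those calls leave behind is also queryable. The following T-SQL is an added example, not code from the original article or from PowerUpSQL: it inventories every Agent proxy, the credential object behind it, the subsystems it may run, the job steps that use it, and the non-sysadmin logins allowed to use it, using only the msdb and sys catalog views named in the comments. Run it as sysadmin on the instance being audited; a proxy with CmdExec or PowerShell granted and a low-privileged login in the second result set is exactly the configuration the hijack described above relies on.

```sql
-- Added example (not from the original article). Assumes a sysadmin connection;
-- msdb holds the SQL Server Agent catalog, sys.credentials the credential objects.

-- 1. Proxies, the credential (and Windows identity) each one runs as, the subsystems
--    granted to it, and the job steps that reference it.
SELECT
    p.proxy_id,
    p.name                AS proxy_name,
    p.enabled,
    c.name                AS credential_name,
    c.credential_identity AS runs_as,            -- account the credential maps to
    ss.subsystem          AS granted_subsystem,  -- CmdExec / PowerShell reach the OS
    j.name                AS job_name,
    js.step_id,
    js.step_name,
    js.command                                   -- what the step executes
FROM msdb.dbo.sysproxies AS p
JOIN sys.credentials AS c
    ON c.credential_id = p.credential_id
LEFT JOIN msdb.dbo.sysproxysubsystems AS ps
    ON ps.proxy_id = p.proxy_id
LEFT JOIN msdb.dbo.syssubsystems AS ss
    ON ss.subsystem_id = ps.subsystem_id
LEFT JOIN msdb.dbo.sysjobsteps AS js
    ON js.proxy_id = p.proxy_id
LEFT JOIN msdb.dbo.sysjobs AS j
    ON j.job_id = js.job_id
ORDER BY p.name, j.name, js.step_id;

-- 2. Logins explicitly granted use of each proxy (sysadmins can always use any proxy,
--    so they never appear here). flags = 0 marks a login grant; 1 and 2 mark fixed
--    server role and msdb role grants, which resolve differently and are skipped.
SELECT
    p.name      AS proxy_name,
    sp.name     AS login_name,
    sp.type_desc
FROM msdb.dbo.sysproxylogin AS pl
JOIN msdb.dbo.sysproxies AS p
    ON p.proxy_id = pl.proxy_id
JOIN sys.server_principals AS sp
    ON sp.sid = pl.sid
WHERE pl.flags = 0
ORDER BY p.name, sp.name;
```

Schedule the first query as a baseline and diff its output; a new row in the second result set, or a new CmdExec grant on an existing proxy, is the same signal the Event ID 33205 audit entries give, obtained from the catalog rather than the Windows Application log.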
MITRE Techniques
- [T1003] Credential Dumping – “Threat actors may attempt to recover usernames and passwords stored in SQL Server credential objects.”
- [T1068] Privilege Escalation – “Using SQL Server Agent jobs to execute commands in the context of a higher-privileged user through credential hijacking.”
- [T1203] Execution through API – “Executing commands on the operating system using SQL Server Agent jobs configured with proxy accounts.”
Indicators of Compromise
- [File] c:\Windows\Temp\whoami.txt – created by the proof-of-concept Agent job demonstrating execution in the proxy user’s context.
- [File] c:\windows\temp\whoami.txt – alternate path variant shown in the workflow.
- [Registry] SOFTWARE\Microsoft\Microsoft SQL Server\[instancename]\Security\Entropy – used to describe where encryption material could be read (context of credential decryption).
- [Event] Event ID 33205 in Windows Application Log – used to monitor sp_add_proxy and sp_grant_proxy_to_subsystem activity.
- [URL] https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/sql-server-encryption?view=sql-server-ver16
- [URL] https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/diagnostic-connection-for-database-administrators?view=sql-server-ver16
- [URL] https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/Get-DACQuery.sql
- [Credential] MyCredential – credential name used in the hijacking workflow.
- [Credential] MyCredentialProxy – proxy name linked to the credential object.
- [Process] cmd.exe – used by the Agent proxy to execute OS commands.