Operator On The Wire

MSSQL Matrix

Feature                      Requirement / Priv needed   Capability                   Risk     Notes
RID Brute                    SQL Auth                    User enumeration             Low      Useful for username discovery
AD Enumeration               Any login                   Domain/user/group discovery  Low      Map environment quickly
xp_cmdshell                  xp_cmdshell=1               Direct OS RCE                High     Dangerous; check config first
Ad Hoc Distributed Queries   AdHoc=1                     File read & pivot            High     OPENROWSET/OPENQUERY abuse
Ole Automation               Ole=1                       COM-based RCE                High     Write files, spawn processes
CLR RCE                      clr enabled=1               .NET assembly execution      High     Load custom DLLs
Cross-DB Ownership           CBOC=1                      Lateral DB access            Medium   Move horizontally
External Scripts             external scripts=1          Python/R RCE                 High     Execute OS commands via runtimes
Registry Access              xp_reg*                     Read sensitive registry keys High     Fingerprint host, secrets
Linked Servers               RPC OUT                     Remote SQL execution         High     Pivot across SQL servers
SQL Agent                    Operator role               Job-based RCE                High     Run OS commands via Agent
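Most rows in the matrix hinge on an instance-level setting being switched on. The T-SQL below is an added audit example, not part of the original matrix or any project's code; it reads the catalog views to show which of those preconditions are currently in effect on an instance so a defender (or a tester writing up findings) can confirm the state before relying on the table. It assumes it is run by a login with sysadmin or equivalent review rights, and the configuration names used are the ones SQL Server exposes in sys.configurations.

```sql
-- Added audit example (not from the original page). Assumes sysadmin or
-- equivalent rights on the instance under review.
-- Instance-wide options that correspond to matrix rows. Every value_in_use
-- should be 0 unless there is a documented business need.
SELECT name,
       CAST(value_in_use AS int) AS value_in_use,
       CASE WHEN CAST(value_in_use AS int) = 1 THEN 'REVIEW' ELSE 'ok' END AS status
FROM sys.configurations
WHERE name IN (
    'xp_cmdshell',                  -- Direct OS RCE row
    'Ole Automation Procedures',    -- Ole Automation row
    'clr enabled',                  -- CLR RCE row
    'Ad Hoc Distributed Queries',   -- OPENROWSET / OPENDATASOURCE row
    'external scripts enabled',     -- External Scripts row
    'cross db ownership chaining',  -- Cross-DB Ownership row (instance-wide)
    'Agent XPs'                     -- SQL Agent row
)
ORDER BY name;

-- Linked servers with RPC OUT or data access enabled (Linked Servers row).
SELECT name, product, provider, data_source,
       is_rpc_out_enabled, is_data_access_enabled
FROM sys.servers
WHERE is_linked = 1;

-- Per-database chaining / TRUSTWORTHY flags; these matter even when the
-- instance-wide cross db ownership chaining option above is 0.
SELECT name, is_db_chaining_on, is_trustworthy_on
FROM sys.databases
WHERE is_db_chaining_on = 1 OR is_trustworthy_on = 1;
```

The first result set maps one-to-one onto the "Requirement" column; a row showing REVIEW is the setting that makes the corresponding matrix capability reachable. The Registry Access row has no configuration switch, since xp_regread and friends are always present, so that exposure is controlled by who holds EXECUTE on those procedures rather than by sys.configurations.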

Enumeration Checklist

  • Domain context
  • User context
  • Server Context
  • Data dumping
  • Coercion