
MSSQL linked-server chain: from a query hop to Domain Admin

An attacker hops SQL linked servers, abuses TRUSTWORTHY and EXECUTE AS to reach sysadmin, runs OS commands, and escalates. Resetting one login fixes none of the chained primitives.

SQL Server linked servers let one instance query another using a stored login. An attacker can chain that to hop from a low-value instance into a privileged one, then ride a database setting all the way to Domain Admin.

How the attack works

A query traverses a linked-server definition using a stored login with more privilege than the original caller, reaching a privileged instance. There, a database marked TRUSTWORTHY and owned by a sysadmin login lets a module run under EXECUTE AS in sysadmin context. The attacker enables the command shell extended procedure through the server configuration and executes operating-system commands as the SQL Server service account. If that account is a high-privilege domain account, the OS-command foothold becomes a path to Domain Admin, with privileged directory object changes following. In ATT&CK terms this is T1059, Command and Scripting Interpreter, combined with T1078, Valid Accounts. The tell is the full chain: a privilege-gaining hop, EXECUTE AS into sysadmin on a TRUSTWORTHY database, command-shell enablement, and OS process creation under the service account.

Why it works

Several primitives chain together: linked-server trust, the TRUSTWORTHY setting that lets EXECUTE AS reach sysadmin, the command shell extended procedure, and an over-privileged service account.

How to fix it

Resetting the connecting login leaves every primitive in place. Disable the command shell extended procedure, remove the TRUSTWORTHY setting so EXECUTE AS no longer elevates, scope the linked-server login to least privilege, and contain the SQL Server service account. The non-obvious durable fix is to run SQL Server under a low-privilege group managed service account so an OS-command foothold is not a domain foothold, and to use signed modules instead of TRUSTWORTHY for legitimate cross-database trust. Because the chain can reach Domain Admin, treat the service account and any directory objects it reached as compromised.
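The T-SQL below is an added example, not part of this field note, showing how an administrator audits the three server-side primitives and then removes them. AppDb, LINKED_SRV, ReportingSvc and reporting_reader are placeholder names to be replaced with your own.

```sql
-- Added example: audit and remediate the linked-server chain primitives.
-- AppDb, LINKED_SRV, ReportingSvc, reporting_reader are placeholders.

-- 1. Audit: TRUSTWORTHY databases and whether their owner is sysadmin.
--    msdb is TRUSTWORTHY by design and is excluded.
SELECT d.name,
       SUSER_SNAME(d.owner_sid)                               AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> N'msdb';

-- 2. Audit: is the command shell extended procedure enabled?
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 3. Audit: linked-server login mappings. local_principal_id = 0 is the
--    catch-all mapping every local login inherits; a fixed remote login
--    there is the privilege-gaining hop described above.
SELECT s.name                                                          AS linked_server,
       COALESCE(SUSER_NAME(l.local_principal_id), N'<all local logins>') AS local_login,
       l.uses_self_credential,
       l.remote_name
FROM sys.servers AS s
JOIN sys.linked_logins AS l ON l.server_id = s.server_id
WHERE s.is_linked = 1;

-- Remediation
-- a. Disable the command shell extended procedure.
EXEC sp_configure N'show advanced options', 1; RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;          RECONFIGURE;

-- b. Remove TRUSTWORTHY so EXECUTE AS stays inside the database.
ALTER DATABASE [AppDb] SET TRUSTWORTHY OFF;

-- c. Drop the catch-all mapping (@locallogin = NULL) and map one local login
--    to one least-privilege remote login. Unmapped local logins now fail
--    on the hop instead of inheriting a stored credential.
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'LINKED_SRV', @locallogin = NULL;
EXEC sp_addlinkedsrvlogin  @rmtsrvname  = N'LINKED_SRV',
                           @useself     = N'FALSE',
                           @locallogin  = N'ReportingSvc',
                           @rmtuser     = N'reporting_reader',
                           @rmtpassword = N'<set-from-secret-store>';
```

Module signing, the note's replacement for TRUSTWORTHY, needs a certificate present in both the source database and master and is a separate change not shown here.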

Practice it

We built this as a GraphLattice Range scenario so administrators can rehearse the linked-server chain detection and the multi-primitive containment.