Invoke-SQLAuditPrivImpersonateLogin is showing a false positive.
WingsOfDoom opened this issue · 4 comments
Sorry for the delayed response, but hopefully the information will still help in the future.
Below is how I interpret the screenshot.
- You logged into the SQL Server instance as "USFUN\pastudent56", a sysadmin.
- It was possible to read the impersonation entries, because "USFUN\pastudent56" is a sysadmin. Below are the entries.
  USFun\RDPUsers -> dbuser
  dbuser -> sa (sysadmin)
- When the function is run, no escalation is executed, because "USFUN\pastudent56" is a sysadmin. This is by design, because sysadmins can impersonate anyone at any time. Here is a link to a blog that provides an overview.
https://blog.netspi.com/hacking-sql-server-stored-procedures-part-2-user-impersonation/
At first glance, the impersonation entries appear to be valid. I believe that if you log into the SQL Server instance as a member of the usfun\rdpusers group, you'll see actual privilege escalation take place when you rerun the function. However, if the usfun\rdpusers group has been assigned the sysadmin role, then the same scenario will play out.
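The triage reasoning in the comment above, as an added Python example that is not PowerUpSQL code and not part of the original thread: it classifies an audit hit by walking the impersonation entries for the identities the caller holds. The grant table is constructed from the two entries quoted above; `assess`, the `USFUN\student1` login and the case-insensitive name matching are assumptions made for illustration.

```python
# Added illustration; not PowerUpSQL code. Data is constructed from the
# impersonation entries quoted in the comment above.
from collections import deque

# grantee -> principals it holds IMPERSONATE on
IMPERSONATE_GRANTS = {
    r"USFUN\RDPUsers": ["dbuser"],
    "dbuser": ["sa"],
}
SYSADMINS = {"sa", r"USFUN\pastudent56"}  # as stated in the thread


def _norm(name):
    # Assumption: a case-insensitive server collation, since the thread
    # writes the same group as USFun\RDPUsers and usfun\rdpusers.
    return name.lower()


def assess(identities, grants=IMPERSONATE_GRANTS, sysadmins=SYSADMINS):
    """Classify an impersonation finding for one caller.

    identities: the login name plus any Windows groups it belongs to.
    Returns (status, chain) where status is one of:
      "already_sysadmin" - entries are readable but nothing is gained
      "escalation"       - chain is the shortest path to a sysadmin
      "none"             - no impersonation path reaches a sysadmin
    """
    edges = {_norm(k): v for k, v in grants.items()}
    admins = {_norm(s) for s in sysadmins}

    # A sysadmin can impersonate anyone, so a listed chain is not a finding.
    if any(_norm(i) in admins for i in identities):
        return "already_sysadmin", []

    # Breadth-first walk over IMPERSONATE grants, tracking the path taken.
    queue = deque([i] for i in identities)
    seen = {_norm(i) for i in identities}
    while queue:
        path = queue.popleft()
        for target in edges.get(_norm(path[-1]), []):
            if _norm(target) in seen:
                continue  # guards against cyclic grants
            seen.add(_norm(target))
            if _norm(target) in admins:
                return "escalation", path + [target]
            queue.append(path + [target])
    return "none", []


if __name__ == "__main__":
    print(assess([r"USFUN\pastudent56"]))
    print(assess([r"USFUN\student1", r"usfun\rdpusers"]))
```
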
Up!! Same error hahahahaha #CRTE