MSSQL$RADAR
4 events across 1 channel
Event ID 15457 — Configuration option '%ls' changed from %ld to %ld. Run the RECONFIGURE statement to install.
Fields
| Name | Description |
|---|---|
| Data | Insertion strings for the message template: option name, old value, new value (the example records `clr enabled` going from 0 to 1). `message` is empty in the sample because the .evtx was parsed without the instance's message resource (sqlevn70.rll), so the template has to be applied by the reader. |
| Binary | Trailer as seen in the example: error number and severity as little-endian DWORDs (15457, 10), then the instance name (`MSSQL01\RADAR`) and the database name (`master`), each stored as a DWORD UTF-16 code-unit count followed by the NUL-terminated UTF-16LE string. |
Example Event
system:
provider: MSSQL$RADAR
guid: ''
event_source_name: ''
event_id: 15457
version: 0
level: 4
task: 2
opcode: 0
keywords: 36028797018963968
time_created: '2021-04-13T21:56:47.264690+00:00'
event_record_id: 151004
correlation: {}
execution:
process_id: 0
thread_id: 0
channel: Application
computer: mssql01.offsec.lan
security:
user_id: S-1-5-21-4230534742-2542757381-3142984815-1111
event_data:
Data:
- clr enabled
- '0'
- '1'
Binary: YTwAAAoAAAAOAAAATQBTAFMAUQBMADAAMQBcAFIAQQBEAEEAUgAAAAcAAABtAGEAcwB0AGUAcgAAAA==
message: ''
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 17115 — Command Line Startup Parameters
Fields
| Name | Description |
|---|---|
| Data | The startup switches, one per `\r\n\t ` line. `-s "RADAR"` names the instance; `-m` is single-user mode, in which any member of the local Administrators group can connect as sysadmin, so an unexpected `-m` after a restart deserves a look. |
| Binary | Same layout as for 15457: error number 17115, severity 10, instance name `MSSQL01\RADAR`, then an empty database name (count 0). |
Example Event
system:
provider: MSSQL$RADAR
guid: ''
event_source_name: ''
event_id: 17115
version: 0
level: 4
task: 2
opcode: 0
keywords: 36028797018963968
time_created: '2021-02-03T15:18:22.260286+00:00'
event_record_id: 125735
correlation: {}
execution:
process_id: 0
thread_id: 0
channel: Application
computer: mssql01.offsec.lan
security:
user_id: ''
event_data:
Data:
- "\r\n\t -s \"RADAR\"\r\n\t -m"
Binary: 20IAAAoAAAAOAAAATQBTAFMAUQBMADAAMQBcAFIAQQBEAEEAUgAAAAAAAAA=
message: ''
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 18456 — Login failed for user '%.*ls'.%.*ls%.*ls
Fields
| Name | Description |
|---|---|
| Data | Login name, then the ` Reason: ...` text, then ` [CLIENT: <address>]`. Written as a Failure Audit entry (level 0, keywords 0x0090000000000000 = Classic | Audit Failure) rather than as an error, so filter on the event ID, not on the level. |
| Binary | Same layout as for 15457: error number 18456, severity 14, instance name `MSSQL01\RADAR`, database `master`. |
Example Event
system:
provider: MSSQL$RADAR
guid: ''
event_source_name: ''
event_id: 18456
version: 0
level: 0
task: 4
opcode: 0
keywords: 40532396646334464
time_created: '2020-07-15T11:31:21.474283+00:00'
event_record_id: 58857
correlation: {}
execution:
process_id: 0
thread_id: 0
channel: Application
computer: mssql01.offsec.lan
security:
user_id: ''
event_data:
Data:
- unexisting-user
- ' Reason: An attempt to login using SQL authentication failed. Server is configured
for Windows authentication only.'
- ' [CLIENT: 10.23.23.9]'
Binary: GEgAAA4AAAAOAAAATQBTAFMAUQBMADAAMQBcAFIAQQBEAEEAUgAAAAcAAABtAGEAcwB0AGUAcgAAAA==
message: ''
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
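Added example, not part of this page or of SQL Server's own tooling: a parser for the three events above. It decodes the Binary trailer (error number, severity, instance, database) and checks that the error number matches the event ID, then splits the Data insertion strings of 15457 (option, old, new), 17115 (startup switches) and 18456 (user, reason, client). The base64 and Data values are copied from the example events; the watchlist of configuration options is an assumption made for the example.

```python
import base64
import re
import struct

# Binary payloads copied from the 15457, 17115 and 18456 example events above.
SAMPLE_BINARY = {
    15457: "YTwAAAoAAAAOAAAATQBTAFMAUQBMADAAMQBcAFIAQQBEAEEAUgAAAAcAAABtAGEAcwB0AGUAcgAAAA==",
    17115: "20IAAAoAAAAOAAAATQBTAFMAUQBMADAAMQBcAFIAQQBEAEEAUgAAAAAAAAA=",
    18456: "GEgAAA4AAAAOAAAATQBTAFMAUQBMADAAMQBcAFIAQQBEAEEAUgAAAAcAAABtAGEAcwB0AGUAcgAAAA==",
}

# Data arrays copied from the same events (YAML line folding undone).
SAMPLE_DATA = {
    15457: ["clr enabled", "0", "1"],
    17115: ['\r\n\t -s "RADAR"\r\n\t -m'],
    18456: [
        "unexisting-user",
        " Reason: An attempt to login using SQL authentication failed. "
        "Server is configured for Windows authentication only.",
        " [CLIENT: 10.23.23.9]",
    ],
}

# Options whose enablement is worth alerting on. This watchlist is an assumption
# of the example, not something the event format defines.
WATCHED_OPTIONS = {"clr enabled", "xp_cmdshell", "ole automation procedures",
                   "ad hoc distributed queries"}


def _read_wstr(buf, pos):
    """Read a little-endian DWORD code-unit count, then that many UTF-16LE code
    units; the count covers the terminating NUL when the string is non-empty."""
    (n,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    text = buf[pos:pos + 2 * n].decode("utf-16-le").rstrip("\x00")
    return text, pos + 2 * n


def decode_binary(b64):
    """Decode the Binary field: error number, severity, instance name, database name."""
    buf = base64.b64decode(b64)
    error_number, severity = struct.unpack_from("<II", buf, 0)
    instance, pos = _read_wstr(buf, 8)
    database, _ = _read_wstr(buf, pos)
    return {"error_number": error_number, "severity": severity,
            "instance": instance, "database": database}


def parse_config_change(data):
    """15457: Data holds the option name and its old and new values."""
    option, old, new = data[0], int(data[1]), int(data[2])
    return {"option": option, "old": old, "new": new,
            "watched": option.lower() in WATCHED_OPTIONS and new != 0}


def parse_startup_params(data):
    """17115: Data holds the switches, one per line; returns {switch: value}.
    A value is a quoted string or a bare token; a following '-x' is never
    taken as a value, so a bare '-m' maps to an empty string."""
    flags = {}
    for switch, value in re.findall(r'-(\w)\s*("[^"]*"|[^\s-]\S*)?', data[0]):
        flags[switch] = value.strip('"')
    return flags


def parse_login_failure(data):
    """18456: Data holds the login name, the ' Reason: ...' text and ' [CLIENT: ...]'."""
    rest = re.sub(r"\s+", " ", " ".join(data[1:])).strip()
    reason = re.search(r"Reason: (.*?)(?: \[CLIENT:|$)", rest)
    client = re.search(r"\[CLIENT: ([^\]]+)\]", rest)
    return {"user": data[0],
            "reason": reason.group(1).strip() if reason else "",
            "client": client.group(1) if client else ""}


def normalize(event_id, data, binary):
    """Merge the Binary trailer with the per-event Data parse into one record."""
    rec = decode_binary(binary)
    if rec["error_number"] != event_id:
        raise ValueError(f"binary error number {rec['error_number']} != event id {event_id}")
    if event_id == 15457:
        rec.update(parse_config_change(data))
    elif event_id == 17115:
        params = parse_startup_params(data)
        rec.update({"startup_params": params, "single_user_mode": "m" in params})
    elif event_id == 18456:
        rec.update(parse_login_failure(data))
    return rec


if __name__ == "__main__":
    for eid in SAMPLE_BINARY:
        print(eid, normalize(eid, SAMPLE_DATA[eid], SAMPLE_BINARY[eid]))
```

The error number in the trailer equals the event ID for all three samples, which is a cheap consistency check when events are forwarded by a collector that rewrites IDs. The 17115 record comes out with `single_user_mode` set because of the `-m` switch; the 15457 record is flagged because `clr enabled` went from 0 to 1.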
Event ID 33205 — Audit event: %ls
Fields
| Name | Description |
|---|---|
| Data | One `key:value` line per audit column (`action_id`, `class_type`, `server_principal_name`, `statement`, ...) as written by a SQL Server Audit whose target is the Application log. Written as a Success Audit entry (level 0, keywords 0x00A0000000000000 = Classic | Audit Success). The example is a successful `ALTER DATABASE AUDIT SPECIFICATION [db-audit-spec] WITH (STATE = OFF)` by `OFFSEC\admin-hacker`, i.e. auditing being switched off; note that the statement spans two lines inside the value. |
Example Event
system:
provider: MSSQL$RADAR
guid: ''
event_source_name: ''
event_id: 33205
version: 0
level: 0
task: 5
opcode: 0
keywords: 45035996273704960
time_created: '2020-11-24T09:14:16.167790+00:00'
event_record_id: 113202
correlation: {}
execution:
process_id: 0
thread_id: 0
channel: Application
computer: mssql01.offsec.lan
security:
user_id: ''
event_data:
Data:
- "audit_schema_version:1\nevent_time:2020-11-24 09:14:11.6833666\nsequence_number:1\naction_id:AL
\ \nsucceeded:true\nis_column_permission:false\nsession_id:53\nserver_principal_id:2\ndatabase_principal_id:1\ntarget_server_principal_id:0\ntarget_database_principal_id:0\nobject_id:0\nuser_defined_event_id:0\nclass_type:DA\npermission_bitmask:00000000000000000000000000000000\nsequence_group_id:07DE5F90-9DA4-4653-AE58-F113BEAFD795\nsession_server_principal_name:OFFSEC\\admin-hacker\nserver_principal_name:OFFSEC\\admin-hacker\nserver_principal_sid:01050000000000051500000056d628fc05668f976f2456bb7b040000\ndatabase_principal_name:dbo\ntarget_server_principal_name:\ntarget_server_principal_sid:\ntarget_database_principal_name:\nserver_instance_name:MSSQL01\\RADAR\ndatabase_name:RCS-TEST-db\nschema_name:\nobject_name:db-audit-spec\nstatement:ALTER
DATABASE AUDIT SPECIFICATION [db-audit-spec]\r\nWITH (STATE = OFF)\nadditional_information:\nuser_defined_information:\n"
message: ''
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
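Added example, not part of this page or of SQL Server's own tooling: a parser for the `key:value` block of the 33205 event, followed by a check that flags a successful ALTER that turns an audit object off. The record is constructed from the example event above with the YAML folding undone and the `\r\n` inside the statement kept. The mapping of `class_type` values `A`, `SA` and `DA` to server audit, server audit specification and database audit specification is an assumption of the example; a statement continuation line that happens to start with `identifier:` would be misread as a new key.

```python
import re

# Constructed from the 33205 example event above: the Data string as the event
# carries it (YAML folding in the listing undone, "\r\n" inside the statement kept).
SAMPLE_AUDIT_RECORD = (
    "audit_schema_version:1\n"
    "event_time:2020-11-24 09:14:11.6833666\n"
    "sequence_number:1\n"
    "action_id:AL  \n"
    "succeeded:true\n"
    "is_column_permission:false\n"
    "session_id:53\n"
    "server_principal_id:2\n"
    "database_principal_id:1\n"
    "target_server_principal_id:0\n"
    "target_database_principal_id:0\n"
    "object_id:0\n"
    "user_defined_event_id:0\n"
    "class_type:DA\n"
    "permission_bitmask:00000000000000000000000000000000\n"
    "sequence_group_id:07DE5F90-9DA4-4653-AE58-F113BEAFD795\n"
    "session_server_principal_name:OFFSEC\\admin-hacker\n"
    "server_principal_name:OFFSEC\\admin-hacker\n"
    "server_principal_sid:01050000000000051500000056d628fc05668f976f2456bb7b040000\n"
    "database_principal_name:dbo\n"
    "target_server_principal_name:\n"
    "target_server_principal_sid:\n"
    "target_database_principal_name:\n"
    "server_instance_name:MSSQL01\\RADAR\n"
    "database_name:RCS-TEST-db\n"
    "schema_name:\n"
    "object_name:db-audit-spec\n"
    "statement:ALTER DATABASE AUDIT SPECIFICATION [db-audit-spec]\r\nWITH (STATE = OFF)\n"
    "additional_information:\n"
    "user_defined_information:\n"
)

# A line is a new column only if it starts with a lowercase identifier and a colon.
KEY_RE = re.compile(r"^([a-z_]+):(.*)$")

# Audit object classes (assumed for this example): server audit, server audit
# specification, database audit specification.
AUDIT_CLASSES = {"A", "SA", "DA"}

AUDIT_DISABLE_RE = re.compile(r"\bAUDIT\b.*?\bSTATE\s*=\s*OFF\b", re.I | re.S)


def parse_audit_record(text):
    """Parse the key:value block of a 33205 event into a dict. Lines that do
    not start with an identifier and a colon (such as the second line of a
    multi-line statement) are appended to the previous value."""
    fields = {}
    last = None
    for line in text.split("\n"):
        m = KEY_RE.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).rstrip("\r").strip()
        elif last is not None and line != "":
            fields[last] = (fields[last] + "\n" + line.rstrip("\r")).strip()
    return fields


def is_audit_tampering(fields):
    """True for a successful ALTER on an audit object whose statement sets STATE = OFF."""
    return (
        fields.get("action_id") == "AL"
        and fields.get("succeeded") == "true"
        and fields.get("class_type") in AUDIT_CLASSES
        and AUDIT_DISABLE_RE.search(fields.get("statement", "")) is not None
    )


def summarize(fields):
    """The columns an analyst wants first, plus the tampering verdict."""
    return {
        "who": fields.get("server_principal_name"),
        "instance": fields.get("server_instance_name"),
        "database": fields.get("database_name"),
        "object": fields.get("object_name"),
        "class_type": fields.get("class_type"),
        "tampering": is_audit_tampering(fields),
    }


if __name__ == "__main__":
    print(summarize(parse_audit_record(SAMPLE_AUDIT_RECORD)))
```

Because the audit is what writes 33205, the ALTER that disables it is usually the last audit record you get from that specification; alerting on this pattern (rather than on the absence of later records) is what makes the gap visible.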