MSSQLSERVER

4 events across 1 channel

Event ID   Title                                          Channel
15457      Configuration option changed (sp_configure)    Application
18454      Login succeeded (SQL Server authentication)    Application
18456      Login failed                                   Application
33205      SQL Server Audit event                         Application

Event ID 15457 — Configuration option changed (sp_configure)

Provider
MSSQLSERVER
Channel
Application
Level
4
Samples
1

Fields

Name      Description
Data      Message insertion strings, in template parameter order (option name, old value, new value)
Binary    Base64-encoded binary payload; in the samples on this page it carries the message id, severity, server name and database name

Example Event

system:
  provider: MSSQLSERVER
  guid: ''
  event_source_name: ''
  event_id: 15457
  version: 0
  level: 4
  task: 2
  opcode: 0
  keywords: 36028797018963968
  time_created: '2019-11-04T09:27:26.315067+00:00'
  event_record_id: 9696
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: MSEDGEWIN10
  security:
    user_id: ''
event_data:
  Data:
  - xp_cmdshell
  - '1'
  - '0'
  Binary: YTwAAAoAAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA
message: ''

Community Notes

MS SQL Server xp_cmdshell execution. See this DFIR Report write-up: SELECT XMRig FROM SQLServer

References

Event ID 18454 — Login succeeded (SQL Server authentication)

Provider
MSSQLSERVER
Channel
Application
Samples
1

Fields

Name      Description
Data      Message insertion strings, in template parameter order (login name, client suffix)
Binary    Base64-encoded binary payload; in the samples on this page it carries the message id, severity, server name and database name

Example Event

system:
  provider: MSSQLSERVER
  guid: ''
  event_source_name: ''
  event_id: 18454
  version: 0
  level: 0
  task: 4
  opcode: 0
  keywords: 45035996273704960
  time_created: '2019-11-04T09:27:26.127038+00:00'
  event_record_id: 9690
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: MSEDGEWIN10
  security:
    user_id: ''
event_data:
  Data:
  - root
  - ' [CLIENT: 10.0.2.17]'
  Binary: FkgAAAoAAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA
message: ''

References

Event ID 18456 — Login failed

Provider
MSSQLSERVER
Channel
Application
Samples
1

Fields

Name      Description
Data      Message insertion strings, in template parameter order (login name, reason, client suffix)
Binary    Base64-encoded binary payload; in the samples on this page it carries the message id, severity, server name and database name

Example Event

system:
  provider: MSSQLSERVER
  guid: ''
  event_source_name: ''
  event_id: 18456
  version: 0
  level: 0
  task: 4
  opcode: 0
  keywords: 40532396646334464
  time_created: '2019-11-04T13:46:01.279826+00:00'
  event_record_id: 13035
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: MSEDGEWIN10
  security:
    user_id: ''
event_data:
  Data:
  - root
  - ' Reason: Password did not match that for the login provided.'
  - ' [CLIENT: 10.0.2.17]'
  Binary: GEgAAA4AAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA
message: ''
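Added example, not part of this page's data: a Python decoder for the 15457, 18454 and 18456 samples above. It assumes a Binary layout inferred from the three samples (uint32 message id, uint32 severity, then length-prefixed UTF-16LE server and database names), which is not a documented contract, and it renders the Data strings through the sys.messages templates for those IDs. Note that the 15457 Data is ordered option, old value, new value, so the sample on this page records xp_cmdshell going from 1 to 0; a change to a non-zero value is the precursor to xp_cmdshell execution that a detection should key on. The RISKY_OPTIONS set is the example's own choice.

```python
import base64
import re
import struct

# Message templates for these IDs as shipped in SQL Server's sys.messages;
# the event's Data strings are the insertion parameters, in order.
TEMPLATES = {
    15457: "Configuration option '{0}' changed from {1} to {2}. "
           "Run the RECONFIGURE statement to install.",
    18454: "Login succeeded for user '{0}'. Connection made using "
           "SQL Server authentication.{1}",
    18456: "Login failed for user '{0}'.{1}{2}",
}

# sp_configure options whose enablement commonly precedes code execution or
# lateral movement; this set is the example's own choice, extend to taste.
RISKY_OPTIONS = {"xp_cmdshell", "ole automation procedures",
                 "clr enabled", "ad hoc distributed queries"}

CLIENT_RE = re.compile(r"\[CLIENT: ([^\]]+)\]")
REASON_RE = re.compile(r"Reason: (.*)")

# Data and Binary copied verbatim from the samples on this page.
SAMPLE_EVENTS = [
    {"event_id": 15457, "data": ["xp_cmdshell", "1", "0"],
     "binary": "YTwAAAoAAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"},
    {"event_id": 18454, "data": ["root", " [CLIENT: 10.0.2.17]"],
     "binary": "FkgAAAoAAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"},
    {"event_id": 18456,
     "data": ["root", " Reason: Password did not match that for the login provided.",
              " [CLIENT: 10.0.2.17]"],
     "binary": "GEgAAA4AAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"},
]


def decode_binary(b64):
    """Decode the Binary field of an MSSQLSERVER Application-log event.

    Layout is inferred from the three samples on this page (an assumption,
    not a documented contract): uint32 message id, uint32 severity, then two
    length-prefixed UTF-16LE strings (length in wide chars, NUL included):
    server name and database name.
    """
    raw = base64.b64decode(b64)
    msg_id, severity, n = struct.unpack_from("<III", raw, 0)
    off = 12
    server = raw[off:off + 2 * n].decode("utf-16-le").rstrip("\x00")
    off += 2 * n
    (n,) = struct.unpack_from("<I", raw, off)
    off += 4
    database = raw[off:off + 2 * n].decode("utf-16-le").rstrip("\x00")
    return {"message_id": msg_id, "severity": severity,
            "server": server, "database": database}


def render_message(event_id, data):
    """Rebuild the human-readable message the Event Viewer would show."""
    return TEMPLATES[event_id].format(*data)


def triage(event):
    """Flatten one event into a finding dict with an 'alert' decision."""
    eid, data = event["event_id"], event["data"]
    meta = decode_binary(event["binary"])
    client = CLIENT_RE.search("".join(data))
    finding = {
        "event_id": eid,
        "severity": meta["severity"],
        "server": meta["server"],
        "client": client.group(1) if client else None,
        "message": render_message(eid, data),
        "alert": False,
    }
    if eid == 15457:
        # Data order follows the template: option, old value, new value.
        option, new = data[0].lower(), data[2]
        finding["option"] = option
        finding["enabled"] = new != "0"
        # A change *to* a non-zero value is the precursor worth alerting on;
        # the page's sample (1 -> 0) is the option being switched off.
        finding["alert"] = option in RISKY_OPTIONS and new != "0"
    elif eid == 18456:
        finding["login"] = data[0]
        reason = REASON_RE.search(data[1]) if len(data) > 1 else None
        finding["reason"] = reason.group(1).rstrip(".") if reason else None
    elif eid == 18454:
        finding["login"] = data[0]
    return finding


def failed_logins_by_client(events):
    """Count 18456 events per client address: the input to a brute-force rule."""
    counts = {}
    for finding in map(triage, events):
        if finding["event_id"] == 18456 and finding["client"]:
            counts[finding["client"]] = counts.get(finding["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
    print(failed_logins_by_client(SAMPLE_EVENTS))
```

The severity recovered from Binary matches what sys.messages assigns to each id (10 for 15457 and 18454, 14 for 18456), which is a cheap sanity check that the inferred layout is right before relying on it in a parser.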

References

Event ID 33205 — SQL Server Audit event

Provider
MSSQLSERVER
Channel
Application
Samples
1

Fields

Name      Description
Data      Single insertion string holding the full audit record as key:value lines (statement and additional_information span several lines)

Example Event

system:
  provider: MSSQLSERVER
  guid: ''
  event_source_name: ''
  event_id: 33205
  version: 0
  level: 0
  task: 4
  opcode: 0
  keywords: 45035996273704960
  time_created: '2019-11-04T09:27:27.315013+00:00'
  event_record_id: 9707
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: MSEDGEWIN10
  security:
    user_id: ''
event_data:
  Data:
  - "audit_schema_version:1\nevent_time:2019-11-04 09:27:26.3150666\nsequence_number:1\naction_id:LGIS\nsucceeded:true\nis_column_permission:false\nsession_id:58\nserver_principal_id:266\ndatabase_principal_id:0\ntarget_server_principal_id:0\ntarget_database_principal_id:0\nobject_id:0\nuser_defined_event_id:0\ntransaction_id:0\nclass_type:LX\nduration_milliseconds:0\nresponse_rows:0\naffected_rows:0\nclient_ip:10.0.2.17\npermission_bitmask:00000000000000000000000000000000\nsequence_group_id:2D5419DB-389F-4478-946C-23870BA1D2C4\nsession_server_principal_name:root\nserver_principal_name:root\nserver_principal_sid:8867c003d7407345abb6e4ed81382626\ndatabase_principal_name:\ntarget_server_principal_name:\ntarget_server_principal_sid:\ntarget_database_principal_name:\nserver_instance_name:MSEDGEWIN10\ndatabase_name:\nschema_name:\nobject_name:\nstatement:--
    network protocol: TCP/IP\r\nset quoted_identifier on\r\nset arithabort off\r\nset
    numeric_roundabort off\r\nset ansi_warnings on\r\nset ansi_padding on\r\nset ansi_nulls
    on\r\nset concat_null_yields_null on\r\nset cursor_close_on_commit off\r\nset
    implicit_transactions off\r\nset language us_english\r\nset dateformat mdy\r\nset
    datefirst 7\r\nset transaction isolation level read committed\r\n\nadditional_information:<action_info
    xmlns=\"http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data\"><pooled_connection>1</pooled_connection><client_options>0x28000020</client_options><client_options1>0x0001f438</client_options1><connect_options>0x00000000</connect_options><packet_data_size>8000</packet_data_size><address>10.0.2.17</address><is_dac>0</is_dac></action_info>\nuser_defined_information:\napplication_name:.Net
    SqlClient Data Provider\n"
message: ''
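Added example, not from this page: a parser for the 33205 Data string shown above. The record field names are taken from that sample; a line starts a new field only when it begins with one of them, which is what keeps the multi-line statement and the embedded <action_info> XML intact. The action-name map covers only the two login action IDs from sys.dm_audit_actions, and the embedded sample is abridged from the page's (some zero-valued fields and most of the session SET statements are dropped).

```python
import xml.etree.ElementTree as ET

# Field names of a SQL Server Audit record as they appear in the 33205 Data
# string (taken from the sample on this page). A line is a new field only if
# it starts with one of these names; anything else continues the previous
# value, which is how the multi-line statement and the XML survive.
AUDIT_KEYS = set("""
audit_schema_version event_time sequence_number action_id succeeded
is_column_permission session_id server_principal_id database_principal_id
target_server_principal_id target_database_principal_id object_id
user_defined_event_id transaction_id class_type duration_milliseconds
response_rows affected_rows client_ip permission_bitmask sequence_group_id
session_server_principal_name server_principal_name server_principal_sid
database_principal_name target_server_principal_name target_server_principal_sid
target_database_principal_name server_instance_name database_name schema_name
object_name statement additional_information user_defined_information
application_name
""".split())

# Audit action IDs for the login events this page is about (sys.dm_audit_actions).
ACTION_NAMES = {"LGIS": "LOGIN SUCCEEDED", "LGIF": "LOGIN FAILED"}

# Abridged from the 33205 sample on this page: some zero-valued fields and most
# of the session SET statements are dropped; values are otherwise unchanged.
SAMPLE_33205 = "\n".join([
    "audit_schema_version:1",
    "event_time:2019-11-04 09:27:26.3150666",
    "sequence_number:1",
    "action_id:LGIS",
    "succeeded:true",
    "is_column_permission:false",
    "session_id:58",
    "server_principal_id:266",
    "database_principal_id:0",
    "object_id:0",
    "class_type:LX",
    "client_ip:10.0.2.17",
    "sequence_group_id:2D5419DB-389F-4478-946C-23870BA1D2C4",
    "session_server_principal_name:root",
    "server_principal_name:root",
    "server_principal_sid:8867c003d7407345abb6e4ed81382626",
    "database_principal_name:",
    "target_server_principal_name:",
    "server_instance_name:MSEDGEWIN10",
    "database_name:",
    "schema_name:",
    "object_name:",
    "statement:-- network protocol: TCP/IP\r",
    "set quoted_identifier on\r",
    "set arithabort off\r",
    "set transaction isolation level read committed\r",
    "",
    'additional_information:<action_info xmlns="http://schemas.microsoft.com/'
    'sqlserver/2008/sqlaudit_data"><pooled_connection>1</pooled_connection>'
    "<client_options>0x28000020</client_options><client_options1>0x0001f438"
    "</client_options1><connect_options>0x00000000</connect_options>"
    "<packet_data_size>8000</packet_data_size><address>10.0.2.17</address>"
    "<is_dac>0</is_dac></action_info>",
    "user_defined_information:",
    "application_name:.Net SqlClient Data Provider",
]) + "\n"


def parse_audit_record(text):
    """Turn the key:value record into a dict, preserving multi-line values."""
    fields, current = {}, None
    for line in text.split("\n"):
        line = line.rstrip("\r")
        key, sep, value = line.partition(":")
        if sep and key in AUDIT_KEYS:
            current = key
            fields[current] = [value]
        elif current is not None:
            fields[current].append(line)
    return {k: "\n".join(v).strip() for k, v in fields.items()}


def action_info(record):
    """Flatten the <action_info> XML in additional_information to a dict."""
    xml = record.get("additional_information", "")
    if not xml:
        return {}
    root = ET.fromstring(xml)
    return {child.tag.rsplit("}", 1)[-1]: (child.text or "") for child in root}


def summarize(record):
    """The fields an analyst wants from a login audit record."""
    info = action_info(record)
    return {
        "action": ACTION_NAMES.get(record["action_id"], record["action_id"]),
        "succeeded": record["succeeded"] == "true",
        "login": record["server_principal_name"],
        "client_ip": record["client_ip"],
        "address": info.get("address"),
        # A dedicated admin connection (DAC) from a remote address is unusual.
        "is_dac": info.get("is_dac") == "1",
        "application": record["application_name"],
        "session_id": int(record["session_id"]),
        "statement_first_line": record["statement"].split("\n", 1)[0],
    }


if __name__ == "__main__":
    print(summarize(parse_audit_record(SAMPLE_33205)))
```

The same parser applies to any 33205 record, not only logins: action_id, class_type, object_name and statement are what a rule on, for example, EXECUTE of xp_cmdshell would read, and sequence_group_id ties together the records of one batch.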

References