MSSQLSERVER

22 events across 1 channel

Event    Title             Channel
8128     Event ID 8128     Application
15457    Event ID 15457    Application
17103    Event ID 17103    Application
17110    Event ID 17110    Application
17111    Event ID 17111    Application
17125    Event ID 17125    Application
17126    Event ID 17126    Application
17137    Event ID 17137    Application
17152    Event ID 17152    Application
17162    Event ID 17162    Application
17164    Event ID 17164    Application
17199    Event ID 17199    Application
17200    Event ID 17200    Application
17201    Event ID 17201    Application
17202    Event ID 17202    Application
17810    Event ID 17810    Application
18454    Event ID 18454    Application
18456    Event ID 18456    Application
18470    Event ID 18470    Application
26067    Event ID 26067    Application
26076    Event ID 26076    Application
33205    Event ID 33205    Application

Event ID 8128:

Provider: MSSQLSERVER
Channel: Application
Level: 4 (Informational)

Fields

Name      Description
Data_0    Message text. On a real instance 8128 reads "Using '<dll>' version '<version>' to execute extended stored procedure '<procedure>'." (the synthetic sample below omits the procedure part).
Binary    -

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 8128,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.457960+00:00",
    "event_record_id": 4547,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | Using 'dbghelp.dll' version '4.0.5'</string>\n",
    "Binary": ""
  },
  "message": ""
}

Detection Rules

Splunk

  • Windows SQL Server Extended Procedure DLL Loading Hunt: This analytic detects when SQL Server loads DLLs to execute extended stored procedures. This is particularly important for security monitoring as it indicates the first-time use or version changes of potentially dangerous procedures like…

Event ID 15457:

Provider: MSSQLSERVER
Channel: Application
Level: 4 (Informational)

Fields

Name      Description
Data      Three strings: the configuration option name, its old value and its new value. The message template is "Configuration option '%ls' changed from %ld to %ld. Run the RECONFIGURE statement to install.", so the sample below records xp_cmdshell changing from 1 to 0.
Binary    Base64 blob carrying the error number, severity, server name and database name (layout inferred from the samples on this page).

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 15457,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2019-11-04T09:27:26.315067+00:00",
    "event_record_id": 9696,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "xp_cmdshell",
      "1",
      "0"
    ],
    "Binary": "YTwAAAoAAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"
  },
  "message": ""
}

Community Notes

MS SQL Server xp_cmdshell execution. See this DFIR Report write-up: SELECT XMRig FROM SQLServer

Detection Rules

Splunk

  • Windows SQL Server Configuration Option Hunt: This detection helps hunt for changes to SQL Server configuration options that could indicate malicious activity. It monitors for modifications to any SQL Server configuration settings, allowing analysts to identify potentially suspicious…
  • Windows SQL Server Critical Procedures Enabled: This detection identifies when critical SQL Server configuration options are modified, including "Ad Hoc Distributed Queries", "external scripts enabled", "Ole Automation Procedures", "clr enabled", and "clr strict security". These…
  • Windows SQL Server xp_cmdshell Config Change: This detection identifies when the xp_cmdshell configuration is modified in SQL Server. The xp_cmdshell extended stored procedure allows execution of operating system commands and programs from SQL Server, making it a high-risk feature…
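The three Splunk rules above all key on the same three Data strings of event 15457. The following is an added example written for this page (not the page's own code and not Splunk's rule logic): it parses the option name, old value and new value out of a 15457 record and ranks the change, treating the options named in the rule descriptions as critical. It goes slightly beyond the rules in one respect: "clr strict security" is a hardening control, so it is the switch-off direction that is flagged high, whereas for the other options it is the switch-on direction. The sample events are constructed and reduced to the fields the code reads.

```python
"""Added example: triage MSSQLSERVER event 15457 (configuration option changed).

Editor-supplied code, not from the page or from Splunk. Event 15457 carries
three Data strings: option name, old value, new value (message template:
"Configuration option '%ls' changed from %ld to %ld. Run the RECONFIGURE
statement to install."). CRITICAL_OPTIONS mirrors the options named in the
Splunk rule descriptions above. Sample events below are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# All but one of these are dangerous when switched ON;
# 'clr strict security' is a hardening control, dangerous when switched OFF.
CRITICAL_OPTIONS = frozenset({
    "xp_cmdshell", "Ad Hoc Distributed Queries", "external scripts enabled",
    "Ole Automation Procedures", "clr enabled", "clr strict security",
})


@dataclass(frozen=True)
class ConfigChange:
    computer: str
    record_id: int
    option: str
    old_value: int
    new_value: int


def parse_15457(event: dict) -> ConfigChange | None:
    """Extract (option, old, new) from a 15457 event; None for anything else."""
    sysd = event["system"]
    if sysd.get("provider") != "MSSQLSERVER" or sysd.get("event_id") != 15457:
        return None
    data = event["event_data"].get("Data", [])
    if len(data) < 3:
        return None  # a real 15457 always carries all three strings
    try:
        old, new = int(data[1]), int(data[2])
    except ValueError:
        return None
    return ConfigChange(sysd["computer"], sysd["event_record_id"], data[0], old, new)


def severity(change: ConfigChange) -> str:
    """'high' when a critical option moves in the risky direction, 'medium' for
    any other change to a critical option, 'info' otherwise (still worth a hunt,
    which is what the Configuration Option Hunt rule covers)."""
    if change.option not in CRITICAL_OPTIONS:
        return "info"
    if change.option == "clr strict security":
        risky = change.old_value != 0 and change.new_value == 0
    else:
        risky = change.old_value == 0 and change.new_value != 0
    return "high" if risky else "medium"


def triage(events: list[dict]) -> list[tuple[str, ConfigChange]]:
    out = []
    for ev in events:
        change = parse_15457(ev)
        if change is not None:
            out.append((severity(change), change))
    return out


def _event(record_id: int, option: str, old: int, new: int) -> dict:
    """Constructed 15457 event, reduced to the fields the functions above read."""
    return {
        "system": {"provider": "MSSQLSERVER", "event_id": 15457,
                   "computer": "MSEDGEWIN10", "event_record_id": record_id},
        "event_data": {"Data": [option, str(old), str(new)], "Binary": ""},
    }


SAMPLE_EVENTS = [
    _event(9696, "xp_cmdshell", 1, 0),                 # the record shown above: switched off
    _event(9701, "show advanced options", 0, 1),       # usual precursor to changing xp_cmdshell
    _event(9702, "xp_cmdshell", 0, 1),                 # switched on
    _event(9703, "clr strict security", 1, 0),         # hardening control switched off
    _event(9704, "max server memory (MB)", 2147483647, 4096),
]

if __name__ == "__main__":
    for sev, ch in triage(SAMPLE_EVENTS):
        print(f"{sev:<6} {ch.computer} #{ch.record_id}: {ch.option!r} {ch.old_value} -> {ch.new_value}")
```

Note that "show advanced options" is ranked only "info" here because none of the rules above name it, yet it has to be switched on before xp_cmdshell can be changed; correlating a 15457 for it with a following 15457 for a critical option on the same host is a cheap way to raise confidence.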

Event ID 17103:

Provider: MSSQLSERVER
Channel: Application
Level: 4 (Informational)

Fields

Name      Description
Data_0    -
Binary    -

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17103,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.457960+00:00",
    "event_record_id": 4550,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | Microsoft SQL Server is starting up: launched. Process ID is 0.</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17110:

Provider: MSSQLSERVER
Channel: Application
Level: 4 (Informational)

Fields

Name      Description
Data_0    -
Binary    -

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17110,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.457960+00:00",
    "event_record_id": 4551,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | This instance of SQL Server has been using a process ID of 0 since startup.</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17111:

Provider: MSSQLSERVER
Channel: Application
Level: 4 (Informational)

Fields

Name      Description
Data_0    -
Binary    -

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17111,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.457960+00:00",
    "event_record_id": 4552,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | Logging SQL Server messages in file 'C:\\\\synthetic\\\\errorlog'.</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17125:

Provider: MSSQLSERVER
Channel: Application
Level: 4 (Informational)

Fields

Name      Description
Data_0    -
Binary    -

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17125,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.472630+00:00",
    "event_record_id": 4553,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | Using conventional memory in the memory manager.</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17126:

Provider: MSSQLSERVER
Channel: Application
Level: 4 (Informational)

Fields

Name      Description
Data_0    -
Binary    -

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17126,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.442303+00:00",
    "event_record_id": 4540,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | SQL Server is starting at normal priority base (=7).</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17137:

Provider: MSSQLSERVER
Channel: Application
Level: 4 (Informational)

Fields

Name      Description
Data_0    -
Binary    -

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17137,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.442303+00:00",
    "event_record_id": 4541,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | Starting up database 'master'.</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17152:

Provider: MSSQLSERVER
Channel: Application
Level: 4 (Informational)

Fields

Name      Description
Data_0    -
Binary    -

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17152,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.473648+00:00",
    "event_record_id": 4554,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | The service account is 'NT Service\\\\MSSQLSERVER'.</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17162:

Provider: MSSQLSERVER
Channel: Application
Level: 4 (Informational)

Fields

Name      Description
Data_0    -
Binary    -

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17162,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.457960+00:00",
    "event_record_id": 4545,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | SQL Server is now ready for client connections.</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17164:

Provider: MSSQLSERVER
Channel: Application
Level: 4 (Informational)

Fields

Name      Description
Data_0    -
Binary    -

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17164,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.473648+00:00",
    "event_record_id": 4555,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | The licensing PID was successfully processed (synthetic).</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17199:

Provider: MSSQLSERVER
Channel: Application
Level: 4 (Informational)

Fields

Name      Description
Data_0    -
Binary    -

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17199,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.457960+00:00",
    "event_record_id": 4546,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | Dedicated administrator connection support was not started because it is disabled on this edition.</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17200:

Provider: MSSQLSERVER
Channel: Application

Event ID 17201:

Provider: MSSQLSERVER
Channel: Application

Event ID 17202:

Provider: MSSQLSERVER
Channel: Application

Event ID 17810:

Provider: MSSQLSERVER
Channel: Application

Event ID 18454:

Provider: MSSQLSERVER
Channel: Application
Keywords: Audit Success, classic (the keywords value in the sample below)

Fields

Name      Description
Data      Two strings: the login name and the client suffix " [CLIENT: <address>]". The message template is "Login succeeded for user '%.*ls'. Connection made using SQL Server authentication.%.*ls".
Binary    Base64 blob carrying the error number, severity, server name and database name (layout inferred from the samples on this page).

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 18454,
    "version": 0,
    "level": 0,
    "task": 4,
    "opcode": 0,
    "keywords": 45035996273704960,
    "time_created": "2019-11-04T09:27:26.127038+00:00",
    "event_record_id": 9690,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "root",
      " [CLIENT: 10.0.2.17]"
    ],
    "Binary": "FkgAAAoAAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"
  },
  "message": ""
}


Event ID 18456:

Provider: MSSQLSERVER
Channel: Application
Keywords: Audit Failure, classic (the keywords value in the sample below); this bit, not the message text, is what separates 18456 from 18454 at the log level

Fields

Name      Description
Data      Three strings: the login name, the failure reason and the client suffix " [CLIENT: <address>]". The message template is "Login failed for user '%.*ls'.%.*ls%.*ls".
Binary    Base64 blob carrying the error number, severity, server name and database name (layout inferred from the samples on this page).

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 18456,
    "version": 0,
    "level": 0,
    "task": 4,
    "opcode": 0,
    "keywords": 40532396646334464,
    "time_created": "2019-11-04T13:46:01.279826+00:00",
    "event_record_id": 13035,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "root",
      " Reason: Password did not match that for the login provided.",
      " [CLIENT: 10.0.2.17]"
    ],
    "Binary": "GEgAAA4AAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"
  },
  "message": ""
}

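Events 18454 and 18456 share the same Data layout (login name, optional reason, client suffix) and the same Binary blob, so one piece of code handles both. The following is an added example written for this page, not code from the page or from Microsoft: it decodes the Binary field, reads the logon outcome from the keyword bits rather than from the message text, and counts failed logons per (client, login) pair as a password-guessing signal. The Binary layout is an assumption inferred from the three samples on this page (15457, 18454, 18456): uint32 error number, uint32 severity, then server name and database name, each stored as a uint32 character count (terminating NUL included) followed by UTF-16LE text. The two Binary strings are copied from the samples above; the events are constructed.

```python
"""Added example: decode the Binary payload of MSSQLSERVER Application-log
events and classify 18454/18456 logon events.

Editor-supplied code, not from the page. Binary layout is an assumption
inferred from the samples on this page, not a documented format."""
from __future__ import annotations

import base64
import struct
from collections import Counter

KW_AUDIT_FAILURE = 0x0010000000000000   # set on 18456 (see its keywords value above)
KW_AUDIT_SUCCESS = 0x0020000000000000   # set on 18454

# Binary values copied from the 18454 and 18456 samples on this page.
BIN_18454 = "FkgAAAoAAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"
BIN_18456 = "GEgAAA4AAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"


def _read_utf16(buf: bytes, off: int) -> tuple[str, int]:
    """Read a count-prefixed UTF-16LE string; return (text, next offset)."""
    (nchars,) = struct.unpack_from("<I", buf, off)
    off += 4
    raw = buf[off:off + 2 * nchars]
    if len(raw) != 2 * nchars:
        raise ValueError("truncated string in Binary payload")
    return raw.decode("utf-16-le").rstrip("\x00"), off + 2 * nchars


def decode_binary(b64: str) -> dict:
    buf = base64.b64decode(b64)
    error_number, severity = struct.unpack_from("<II", buf, 0)
    server, off = _read_utf16(buf, 8)
    database, _ = _read_utf16(buf, off)
    return {"error_number": error_number, "severity": severity,
            "server": server, "database": database}


def _suffix(data: list[str], prefix: str) -> str:
    """Text after `prefix` in the first Data string that starts with it."""
    for s in data:
        s = s.strip()
        if s.startswith(prefix):
            return s[len(prefix):]
    return ""


def classify_logon(event: dict) -> dict:
    """Normalise an 18454/18456 event. Outcome comes from the keyword bits,
    which is how the event log itself distinguishes the two IDs."""
    sysd, ed = event["system"], event["event_data"]
    kw = sysd["keywords"]
    outcome = ("failure" if kw & KW_AUDIT_FAILURE
               else "success" if kw & KW_AUDIT_SUCCESS else "unknown")
    blob = decode_binary(ed["Binary"])
    return {
        "login": ed["Data"][0],
        "client": _suffix(ed["Data"], "[CLIENT: ").rstrip("]"),
        "reason": _suffix(ed["Data"], "Reason: ").rstrip("."),
        "outcome": outcome,
        "severity": blob["severity"],
        "database": blob["database"],
        # the blob's error number should equal the event ID; a mismatch means a malformed record
        "binary_consistent": blob["error_number"] == sysd["event_id"],
    }


def failures_by_client(events: list[dict], threshold: int = 3) -> dict[tuple[str, str], int]:
    """(client, login) pairs with at least `threshold` failed logons."""
    counts: Counter = Counter()
    for ev in events:
        if ev["system"].get("event_id") not in (18454, 18456):
            continue
        rec = classify_logon(ev)
        if rec["outcome"] == "failure":
            counts[(rec["client"], rec["login"])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def _event(event_id: int, keywords: int, data: list[str], binary: str) -> dict:
    """Constructed event, reduced to the fields read above."""
    return {"system": {"event_id": event_id, "keywords": keywords, "computer": "MSEDGEWIN10"},
            "event_data": {"Data": data, "Binary": binary}}


SAMPLE_EVENTS = [
    _event(18456, 0x90000000000000,
           ["root", " Reason: Password did not match that for the login provided.", " [CLIENT: 10.0.2.17]"],
           BIN_18456)
    for _ in range(4)
] + [_event(18454, 0xA0000000000000, ["root", " [CLIENT: 10.0.2.17]"], BIN_18454)]

if __name__ == "__main__":
    print(decode_binary(BIN_18456))
    print(failures_by_client(SAMPLE_EVENTS))
```

Decoding the samples gives severity 10 for 18454 and 14 for 18456, matching what sys.messages reports for those error numbers, which is a useful sanity check that the inferred layout is right before relying on it.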

Event ID 18470:

Provider: MSSQLSERVER
Channel: Application

Event ID 26067:

Provider: MSSQLSERVER
Channel: Application
Level: 3 (Warning)

Fields

Name      Description
Data_0    -
Binary    -

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 26067,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.457960+00:00",
    "event_record_id": 4549,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | SQL Server Network Interface library could not register SPN (synthetic warning).</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 26076:

Provider: MSSQLSERVER
Channel: Application
Level: 4 (Informational)

Fields

Name      Description
Data_0    -
Binary    -

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 26076,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.457960+00:00",
    "event_record_id": 4548,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | SQL Server is attempting to register a Service Principal Name (SPN).</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 33205:

Provider: MSSQLSERVER
Channel: Application
Keywords: Audit Success, classic (the keywords value in the sample below)

Fields

Name      Description
Data      One string holding a SQL Server Audit record, written to the Application log when the audit target is APPLICATION_LOG. It is a run of key:value lines; the statement and additional_information values span several lines, and additional_information is an XML fragment.

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 33205,
    "version": 0,
    "level": 0,
    "task": 4,
    "opcode": 0,
    "keywords": 45035996273704960,
    "time_created": "2019-11-04T09:27:27.315013+00:00",
    "event_record_id": 9707,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "audit_schema_version:1\nevent_time:2019-11-04 09:27:26.3150666\nsequence_number:1\naction_id:LGIS\nsucceeded:true\nis_column_permission:false\nsession_id:58\nserver_principal_id:266\ndatabase_principal_id:0\ntarget_server_principal_id:0\ntarget_database_principal_id:0\nobject_id:0\nuser_defined_event_id:0\ntransaction_id:0\nclass_type:LX\nduration_milliseconds:0\nresponse_rows:0\naffected_rows:0\nclient_ip:10.0.2.17\npermission_bitmask:00000000000000000000000000000000\nsequence_group_id:2D5419DB-389F-4478-946C-23870BA1D2C4\nsession_server_principal_name:root\nserver_principal_name:root\nserver_principal_sid:8867c003d7407345abb6e4ed81382626\ndatabase_principal_name:\ntarget_server_principal_name:\ntarget_server_principal_sid:\ntarget_database_principal_name:\nserver_instance_name:MSEDGEWIN10\ndatabase_name:\nschema_name:\nobject_name:\nstatement:-- network protocol: TCP/IP\r\nset quoted_identifier on\r\nset arithabort off\r\nset numeric_roundabort off\r\nset ansi_warnings on\r\nset ansi_padding on\r\nset ansi_nulls on\r\nset concat_null_yields_null on\r\nset cursor_close_on_commit off\r\nset implicit_transactions off\r\nset language us_english\r\nset dateformat mdy\r\nset datefirst 7\r\nset transaction isolation level read committed\r\n\nadditional_information:<action_info xmlns=\"http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data\"><pooled_connection>1</pooled_connection><client_options>0x28000020</client_options><client_options1>0x0001f438</client_options1><connect_options>0x00000000</connect_options><packet_data_size>8000</packet_data_size><address>10.0.2.17</address><is_dac>0</is_dac></action_info>\nuser_defined_information:\napplication_name:.Net SqlClient Data Provider\n"
    ]
  },
  "message": ""
}

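The 33205 payload above is the only one on this page that is not a flat list of strings, and naive `split(":")` parsing breaks on the multi-line statement and on the XML in additional_information. The following is an added example written for this page, not code from the page or from Microsoft: a parser that starts a new field only on a line whose key is one of the keys seen in the record above, plus a summariser that pulls out the action, outcome, principal, client address and connection flags. ACTION_IDS covers only the two login action codes and is an assumption; the full mapping lives in sys.dm_audit_actions. The sample record is the one shown above, trimmed to fewer keys.

```python
"""Added example: parse the SQL Server Audit record carried in Data[0] of
event 33205.

Editor-supplied code, not from the page. AUDIT_KEYS is the set of keys seen
in the record above; ACTION_IDS is a two-entry subset (assumption)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

AUDIT_KEYS = frozenset("""
audit_schema_version event_time sequence_number action_id succeeded
is_column_permission session_id server_principal_id database_principal_id
target_server_principal_id target_database_principal_id object_id
user_defined_event_id transaction_id class_type duration_milliseconds
response_rows affected_rows client_ip permission_bitmask sequence_group_id
session_server_principal_name server_principal_name server_principal_sid
database_principal_name target_server_principal_name target_server_principal_sid
target_database_principal_name server_instance_name database_name schema_name
object_name statement additional_information user_defined_information
application_name
""".split())

ACTION_IDS = {"LGIS": "LOGIN SUCCEEDED", "LGIF": "LOGIN FAILED"}  # subset; see sys.dm_audit_actions
KEY_RE = re.compile(r"^([a-z_]+):(.*)$")


def parse_audit_record(raw: str) -> dict[str, str]:
    """Split the record into fields, folding continuation lines into the
    previous field. A statement that begins a line with a known key followed
    by ':' would still be mis-split; that is a limitation of the text form,
    not something this parser can fully fix."""
    fields: dict[str, list[str]] = {}
    current = None
    for line in raw.split("\n"):
        m = KEY_RE.match(line)
        if m and m.group(1) in AUDIT_KEYS:
            current = m.group(1)
            fields[current] = [m.group(2)]
        elif current is not None:
            fields[current].append(line)
    return {k: "\n".join(v).rstrip("\r\n") for k, v in fields.items()}


def summarize(raw: str) -> dict:
    """Reduce a record to the fields an analyst triages first."""
    rec = parse_audit_record(raw)
    info: dict[str, str] = {}
    if rec.get("additional_information"):
        root = ET.fromstring(rec["additional_information"])
        # children are namespaced ({...sqlaudit_data}address); keep the local name
        info = {child.tag.rsplit("}", 1)[-1]: (child.text or "") for child in root}
    return {
        "action": ACTION_IDS.get(rec.get("action_id", ""), rec.get("action_id", "")),
        "succeeded": rec.get("succeeded") == "true",
        "principal": rec.get("server_principal_name", ""),
        "client_ip": rec.get("client_ip") or info.get("address", ""),
        "application": rec.get("application_name", ""),
        "is_dac": info.get("is_dac") == "1",
        "pooled_connection": info.get("pooled_connection") == "1",
        "statement_lines": [ln for ln in rec.get("statement", "").splitlines() if ln.strip()],
    }


# The record shown above, trimmed to fewer keys (constructed from the page sample).
SAMPLE_33205 = (
    "audit_schema_version:1\n"
    "event_time:2019-11-04 09:27:26.3150666\n"
    "sequence_number:1\n"
    "action_id:LGIS\n"
    "succeeded:true\n"
    "is_column_permission:false\n"
    "session_id:58\n"
    "server_principal_id:266\n"
    "class_type:LX\n"
    "client_ip:10.0.2.17\n"
    "session_server_principal_name:root\n"
    "server_principal_name:root\n"
    "server_instance_name:MSEDGEWIN10\n"
    "database_name:\n"
    "statement:-- network protocol: TCP/IP\r\n"
    "set quoted_identifier on\r\n"
    "set transaction isolation level read committed\r\n"
    "\n"
    'additional_information:<action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data">'
    "<pooled_connection>1</pooled_connection><client_options>0x28000020</client_options>"
    "<address>10.0.2.17</address><is_dac>0</is_dac></action_info>\n"
    "user_defined_information:\n"
    "application_name:.Net SqlClient Data Provider\n"
)

if __name__ == "__main__":
    print(summarize(SAMPLE_33205))
```

The is_dac flag is worth surfacing on its own: a dedicated administrator connection from anything other than a known admin host is unusual, and the 17199 message earlier on this page shows the corresponding "DAC disabled" state at startup.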