MSSQLSERVER
22 events across 1 channel
| Event | Title | Channel |
|---|---|---|
| 8128 | Event ID 8128 | Application |
| 15457 | Event ID 15457 | Application |
| 17103 | Event ID 17103 | Application |
| 17110 | Event ID 17110 | Application |
| 17111 | Event ID 17111 | Application |
| 17125 | Event ID 17125 | Application |
| 17126 | Event ID 17126 | Application |
| 17137 | Event ID 17137 | Application |
| 17152 | Event ID 17152 | Application |
| 17162 | Event ID 17162 | Application |
| 17164 | Event ID 17164 | Application |
| 17199 | Event ID 17199 | Application |
| 17200 | Event ID 17200 | Application |
| 17201 | Event ID 17201 | Application |
| 17202 | Event ID 17202 | Application |
| 17810 | Event ID 17810 | Application |
| 18454 | Event ID 18454 | Application |
| 18456 | Event ID 18456 | Application |
| 18470 | Event ID 18470 | Application |
| 26067 | Event ID 26067 | Application |
| 26076 | Event ID 26076 | Application |
| 33205 | Event ID 33205 | Application |
Event ID 8128:
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Binary | |
Example Event
{
"system": {
"provider": "MSSQLSERVER",
"guid": "",
"event_source_name": "",
"event_id": 8128,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-09 01:29:40.457960+00:00",
"event_record_id": 4547,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "tel2-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | Using 'dbghelp.dll' version '4.0.5'</string>\n",
"Binary": ""
},
"message": ""
}
Detection Rules
Sigma
- MSSQL Extended Stored Procedure Backdoor Maggie (high): This rule detects the execution of the extended stored procedure backdoor named Maggie in the context of Microsoft SQL Server
Splunk
- Windows SQL Server Extended Procedure DLL Loading Hunt: This analytic detects when SQL Server loads DLLs to execute extended stored procedures. This is particularly important for security monitoring as it indicates the first-time use or version changes of potentially dangerous procedures like…
Event ID 15457:
Fields
| Name | Description |
|---|---|
| Data | |
| Binary | |
Example Event
{
"system": {
"provider": "MSSQLSERVER",
"guid": "",
"event_source_name": "",
"event_id": 15457,
"version": 0,
"level": 4,
"task": 2,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2019-11-04T09:27:26.315067+00:00",
"event_record_id": 9696,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "MSEDGEWIN10",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"xp_cmdshell",
"1",
"0"
],
"Binary": "YTwAAAoAAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"
},
"message": ""
}
Community Notes
MS SQL Server xp_cmdshell execution. See this DFIR Report write-up: SELECT XMRig FROM SQLServer
Detection Rules
Splunk
- Windows SQL Server Configuration Option Hunt: This detection helps hunt for changes to SQL Server configuration options that could indicate malicious activity. It monitors for modifications to any SQL Server configuration settings, allowing analysts to identify potentially suspicious…
- Windows SQL Server Critical Procedures Enabled: This detection identifies when critical SQL Server configuration options are modified, including "Ad Hoc Distributed Queries", "external scripts enabled", "Ole Automation Procedures", "clr enabled", and "clr strict security". These…
- Windows SQL Server xp_cmdshell Config Change: This detection identifies when the xp_cmdshell configuration is modified in SQL Server. The xp_cmdshell extended stored procedure allows execution of operating system commands and programs from SQL Server, making it a high-risk feature…
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 17103:
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Binary | |
Example Event
{
"system": {
"provider": "MSSQLSERVER",
"guid": "",
"event_source_name": "",
"event_id": 17103,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-09 01:29:40.457960+00:00",
"event_record_id": 4550,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "tel2-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | Microsoft SQL Server is starting up: launched. Process ID is 0.</string>\n",
"Binary": ""
},
"message": ""
}
Event ID 17110:
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Binary | |
Example Event
{
"system": {
"provider": "MSSQLSERVER",
"guid": "",
"event_source_name": "",
"event_id": 17110,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-09 01:29:40.457960+00:00",
"event_record_id": 4551,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "tel2-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | This instance of SQL Server has been using a process ID of 0 since startup.</string>\n",
"Binary": ""
},
"message": ""
}
Event ID 17111:
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Binary | |
Example Event
{
"system": {
"provider": "MSSQLSERVER",
"guid": "",
"event_source_name": "",
"event_id": 17111,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-09 01:29:40.457960+00:00",
"event_record_id": 4552,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "tel2-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | Logging SQL Server messages in file 'C:\\\\synthetic\\\\errorlog'.</string>\n",
"Binary": ""
},
"message": ""
}
Event ID 17125:
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Binary | |
Example Event
{
"system": {
"provider": "MSSQLSERVER",
"guid": "",
"event_source_name": "",
"event_id": 17125,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-09 01:29:40.472630+00:00",
"event_record_id": 4553,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "tel2-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | Using conventional memory in the memory manager.</string>\n",
"Binary": ""
},
"message": ""
}
Event ID 17126:
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Binary | |
Example Event
{
"system": {
"provider": "MSSQLSERVER",
"guid": "",
"event_source_name": "",
"event_id": 17126,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-09 01:29:40.442303+00:00",
"event_record_id": 4540,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "tel2-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | SQL Server is starting at normal priority base (=7).</string>\n",
"Binary": ""
},
"message": ""
}
Event ID 17137:
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Binary | |
Example Event
{
"system": {
"provider": "MSSQLSERVER",
"guid": "",
"event_source_name": "",
"event_id": 17137,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-09 01:29:40.442303+00:00",
"event_record_id": 4541,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "tel2-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | Starting up database 'master'.</string>\n",
"Binary": ""
},
"message": ""
}
Event ID 17152:
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Binary | |
Example Event
{
"system": {
"provider": "MSSQLSERVER",
"guid": "",
"event_source_name": "",
"event_id": 17152,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-09 01:29:40.473648+00:00",
"event_record_id": 4554,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "tel2-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | The service account is 'NT Service\\\\MSSQLSERVER'.</string>\n",
"Binary": ""
},
"message": ""
}
Event ID 17162:
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Binary | |
Example Event
{
"system": {
"provider": "MSSQLSERVER",
"guid": "",
"event_source_name": "",
"event_id": 17162,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-09 01:29:40.457960+00:00",
"event_record_id": 4545,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "tel2-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | SQL Server is now ready for client connections.</string>\n",
"Binary": ""
},
"message": ""
}
Event ID 17164:
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Binary | |
Example Event
{
"system": {
"provider": "MSSQLSERVER",
"guid": "",
"event_source_name": "",
"event_id": 17164,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-09 01:29:40.473648+00:00",
"event_record_id": 4555,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "tel2-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | The licensing PID was successfully processed (synthetic).</string>\n",
"Binary": ""
},
"message": ""
}
Event ID 17199:
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Binary | |
Example Event
{
"system": {
"provider": "MSSQLSERVER",
"guid": "",
"event_source_name": "",
"event_id": 17199,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-09 01:29:40.457960+00:00",
"event_record_id": 4546,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "tel2-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | Dedicated administrator connection support was not started because it is disabled on this edition.</string>\n",
"Binary": ""
},
"message": ""
}
Event ID 17200:
Event ID 17201:
Event ID 17202:
Event ID 17810:
Event ID 18454:
Fields
| Name | Description |
|---|---|
| Data | |
| Binary | |
Example Event
{
"system": {
"provider": "MSSQLSERVER",
"guid": "",
"event_source_name": "",
"event_id": 18454,
"version": 0,
"level": 0,
"task": 4,
"opcode": 0,
"keywords": 45035996273704960,
"time_created": "2019-11-04T09:27:26.127038+00:00",
"event_record_id": 9690,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "MSEDGEWIN10",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"root",
" [CLIENT: 10.0.2.17]"
],
"Binary": "FkgAAAoAAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"
},
"message": ""
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 18456:
Fields
| Name | Description |
|---|---|
| Data | |
| Binary | |
Example Event
{
"system": {
"provider": "MSSQLSERVER",
"guid": "",
"event_source_name": "",
"event_id": 18456,
"version": 0,
"level": 0,
"task": 4,
"opcode": 0,
"keywords": 40532396646334464,
"time_created": "2019-11-04T13:46:01.279826+00:00",
"event_record_id": 13035,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "MSEDGEWIN10",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"root",
" Reason: Password did not match that for the login provided.",
" [CLIENT: 10.0.2.17]"
],
"Binary": "GEgAAA4AAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"
},
"message": ""
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 18470:
Event ID 26067:
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Binary | |
Example Event
{
"system": {
"provider": "MSSQLSERVER",
"guid": "",
"event_source_name": "",
"event_id": 26067,
"version": 0,
"level": 3,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-09 01:29:40.457960+00:00",
"event_record_id": 4549,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "tel2-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | SQL Server Network Interface library could not register SPN (synthetic warning).</string>\n",
"Binary": ""
},
"message": ""
}
Event ID 26076:
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Binary | |
Example Event
{
"system": {
"provider": "MSSQLSERVER",
"guid": "",
"event_source_name": "",
"event_id": 26076,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-09 01:29:40.457960+00:00",
"event_record_id": 4548,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "tel2-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | SQL Server is attempting to register a Service Principal Name (SPN).</string>\n",
"Binary": ""
},
"message": ""
}
Event ID 33205:
Fields
| Name | Description |
|---|---|
| Data | |
Example Event
{
"system": {
"provider": "MSSQLSERVER",
"guid": "",
"event_source_name": "",
"event_id": 33205,
"version": 0,
"level": 0,
"task": 4,
"opcode": 0,
"keywords": 45035996273704960,
"time_created": "2019-11-04T09:27:27.315013+00:00",
"event_record_id": 9707,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "MSEDGEWIN10",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"audit_schema_version:1\nevent_time:2019-11-04 09:27:26.3150666\nsequence_number:1\naction_id:LGIS\nsucceeded:true\nis_column_permission:false\nsession_id:58\nserver_principal_id:266\ndatabase_principal_id:0\ntarget_server_principal_id:0\ntarget_database_principal_id:0\nobject_id:0\nuser_defined_event_id:0\ntransaction_id:0\nclass_type:LX\nduration_milliseconds:0\nresponse_rows:0\naffected_rows:0\nclient_ip:10.0.2.17\npermission_bitmask:00000000000000000000000000000000\nsequence_group_id:2D5419DB-389F-4478-946C-23870BA1D2C4\nsession_server_principal_name:root\nserver_principal_name:root\nserver_principal_sid:8867c003d7407345abb6e4ed81382626\ndatabase_principal_name:\ntarget_server_principal_name:\ntarget_server_principal_sid:\ntarget_database_principal_name:\nserver_instance_name:MSEDGEWIN10\ndatabase_name:\nschema_name:\nobject_name:\nstatement:-- network protocol: TCP/IP\r\nset quoted_identifier on\r\nset arithabort off\r\nset numeric_roundabort off\r\nset ansi_warnings on\r\nset ansi_padding on\r\nset ansi_nulls on\r\nset concat_null_yields_null on\r\nset cursor_close_on_commit off\r\nset implicit_transactions off\r\nset language us_english\r\nset dateformat mdy\r\nset datefirst 7\r\nset transaction isolation level read committed\r\n\nadditional_information:<action_info xmlns=\"http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data\"><pooled_connection>1</pooled_connection><client_options>0x28000020</client_options><client_options1>0x0001f438</client_options1><connect_options>0x00000000</connect_options><packet_data_size>8000</packet_data_size><address>10.0.2.17</address><is_dac>0</is_dac></action_info>\nuser_defined_information:\napplication_name:.Net SqlClient Data Provider\n"
]
},
"message": ""
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx