MSSQLSERVER

4 events across 1 channel

Event ID    Title    Channel
15457                Application
18454                Application
18456                Application
33205                Application

Event ID 15457

Provider: MSSQLSERVER
Channel: Application
Level: Informational

Fields

Name      Description
Data
Binary

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 15457,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2019-11-04T09:27:26.315067+00:00",
    "event_record_id": 9696,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "xp_cmdshell",
      "1",
      "0"
    ],
    "Binary": "YTwAAAoAAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"
  },
  "message": ""
}

Community Notes

MS SQL Server xp_cmdshell execution. See this DFIR Report write-up: SELECT XMRig FROM SQLServer

Detection Rules

Splunk

  • Windows SQL Server Configuration Option Hunt: This detection helps hunt for changes to SQL Server configuration options that could indicate malicious activity. It monitors for modifications to any SQL Server configuration setting, allowing analysts to identify potentially suspicious changes that may be part of an attack, such as enabling dangerous features or modifying security-relevant settings.
  • Windows SQL Server Critical Procedures Enabled: This detection identifies when critical SQL Server configuration options are modified, including "Ad Hoc Distributed Queries", "external scripts enabled", "Ole Automation Procedures", "clr enabled", and "clr strict security". These features can be abused by attackers for various malicious purposes - Ad Hoc Distributed Queries enables Active Directory reconnaissance through the ADSI provider, external scripts and Ole Automation allow execution of arbitrary code, and CLR features can be used to run custom assemblies. Enabling these features could indicate attempts to gain code execution or perform reconnaissance through SQL Server.
  • Windows SQL Server xp_cmdshell Config Change: This detection identifies when the xp_cmdshell configuration is modified in SQL Server. The xp_cmdshell extended stored procedure allows execution of operating system commands and programs from SQL Server, making it a high-risk feature commonly abused by attackers for privilege escalation and lateral movement.
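As an added example (not part of this catalogue page or of the Splunk rules above), the following Python hunts a batch of Event ID 15457 records in the JSON shape shown above for changes to the options those rules call out. It assumes the three Data strings are the substitutions of the 15457 message template "Configuration option '%ls' changed from %ld to %ld" (option, old value, new value), which the page does not state; the SQL01 records are constructed.

```python
import json

# Options the Splunk rules above single out; any change to them merits an alert.
HIGH_RISK_OPTIONS = {"xp_cmdshell", "ad hoc distributed queries", "external scripts enabled",
                     "ole automation procedures", "clr enabled", "clr strict security"}


def parse_config_change(event):
    """Return a finding dict for an MSSQLSERVER 15457 record, or None if it is not one.

    Assumption (not stated on the page): the Data strings are the substitutions of the
    15457 message "Configuration option '%ls' changed from %ld to %ld", i.e.
    [option name, old value, new value]."""
    sysinfo = event.get("system", {})
    if sysinfo.get("provider") != "MSSQLSERVER" or sysinfo.get("event_id") != 15457:
        return None
    data = event.get("event_data", {}).get("Data", [])
    if len(data) < 3:
        return None  # malformed record: do not guess the field order
    option, old, new = data[0], data[1], data[2]
    return {"host": sysinfo.get("computer", ""), "time": sysinfo.get("time_created", ""),
            "option": option, "old": old, "new": new,
            "high_risk": option.strip().lower() in HIGH_RISK_OPTIONS,
            "enabled": old == "0" and new != "0"}


def hunt(events):
    """Return the findings for every high-risk configuration change in a batch."""
    return [f for f in map(parse_config_change, events) if f and f["high_risk"]]


# Constructed sample batch: the page's own 15457 example plus two made-up records.
SAMPLE_EVENTS = [
    {"system": {"provider": "MSSQLSERVER", "event_id": 15457, "computer": "MSEDGEWIN10",
                "time_created": "2019-11-04T09:27:26.315067+00:00"},
     "event_data": {"Data": ["xp_cmdshell", "1", "0"]}},
    {"system": {"provider": "MSSQLSERVER", "event_id": 15457, "computer": "SQL01",
                "time_created": "2024-01-01T00:00:00+00:00"},  # constructed host/time
     "event_data": {"Data": ["Ole Automation Procedures", "0", "1"]}},
    {"system": {"provider": "MSSQLSERVER", "event_id": 15457, "computer": "SQL01",
                "time_created": "2024-01-01T00:00:01+00:00"},  # benign tuning change
     "event_data": {"Data": ["max server memory (MB)", "2147483647", "8192"]}},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(json.dumps(finding))
```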

References

Event ID 18454

Provider: MSSQLSERVER
Channel: Application

Fields

Name      Description
Data
Binary

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 18454,
    "version": 0,
    "level": 0,
    "task": 4,
    "opcode": 0,
    "keywords": 45035996273704960,
    "time_created": "2019-11-04T09:27:26.127038+00:00",
    "event_record_id": 9690,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "root",
      " [CLIENT: 10.0.2.17]"
    ],
    "Binary": "FkgAAAoAAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"
  },
  "message": ""
}

References

Event ID 18456

Provider: MSSQLSERVER
Channel: Application

Fields

Name      Description
Data
Binary

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 18456,
    "version": 0,
    "level": 0,
    "task": 4,
    "opcode": 0,
    "keywords": 40532396646334464,
    "time_created": "2019-11-04T13:46:01.279826+00:00",
    "event_record_id": 13035,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "root",
      " Reason: Password did not match that for the login provided.",
      " [CLIENT: 10.0.2.17]"
    ],
    "Binary": "GEgAAA4AAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"
  },
  "message": ""
}

References

Event ID 33205

Provider: MSSQLSERVER
Channel: Application

Fields

Name      Description
Data

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 33205,
    "version": 0,
    "level": 0,
    "task": 4,
    "opcode": 0,
    "keywords": 45035996273704960,
    "time_created": "2019-11-04T09:27:27.315013+00:00",
    "event_record_id": 9707,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "audit_schema_version:1\nevent_time:2019-11-04 09:27:26.3150666\nsequence_number:1\naction_id:LGIS\nsucceeded:true\nis_column_permission:false\nsession_id:58\nserver_principal_id:266\ndatabase_principal_id:0\ntarget_server_principal_id:0\ntarget_database_principal_id:0\nobject_id:0\nuser_defined_event_id:0\ntransaction_id:0\nclass_type:LX\nduration_milliseconds:0\nresponse_rows:0\naffected_rows:0\nclient_ip:10.0.2.17\npermission_bitmask:00000000000000000000000000000000\nsequence_group_id:2D5419DB-389F-4478-946C-23870BA1D2C4\nsession_server_principal_name:root\nserver_principal_name:root\nserver_principal_sid:8867c003d7407345abb6e4ed81382626\ndatabase_principal_name:\ntarget_server_principal_name:\ntarget_server_principal_sid:\ntarget_database_principal_name:\nserver_instance_name:MSEDGEWIN10\ndatabase_name:\nschema_name:\nobject_name:\nstatement:-- network protocol: TCP/IP\r\nset quoted_identifier on\r\nset arithabort off\r\nset numeric_roundabort off\r\nset ansi_warnings on\r\nset ansi_padding on\r\nset ansi_nulls on\r\nset concat_null_yields_null on\r\nset cursor_close_on_commit off\r\nset implicit_transactions off\r\nset language us_english\r\nset dateformat mdy\r\nset datefirst 7\r\nset transaction isolation level read committed\r\n\nadditional_information:<action_info xmlns=\"http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data\"><pooled_connection>1</pooled_connection><client_options>0x28000020</client_options><client_options1>0x0001f438</client_options1><connect_options>0x00000000</connect_options><packet_data_size>8000</packet_data_size><address>10.0.2.17</address><is_dac>0</is_dac></action_info>\nuser_defined_information:\napplication_name:.Net SqlClient Data Provider\n"
    ]
  },
  "message": ""
}

References