MSSQLSERVER › Event 15457

Event ID 15457

Provider
MSSQLSERVER
Channel
Application
Level
Informational

Fields

Name      Description
Data
Binary

Example Event

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 15457,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2019-11-04T09:27:26.315067+00:00",
    "event_record_id": 9696,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "xp_cmdshell",
      "1",
      "0"
    ],
    "Binary": "YTwAAAoAAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"
  },
  "message": ""
}

Community Notes

MS SQL Server xp_cmdshell execution. See this DFIR Report write-up: SELECT XMRig FROM SQLServer

Detection Rules

Splunk

  • Windows SQL Server Configuration Option Hunt: This detection helps hunt for changes to SQL Server configuration options that could indicate malicious activity. It monitors for modifications to any SQL Server configuration settings, allowing analysts to identify potentially suspicious changes that may be part of an attack, such as enabling dangerous features or modifying security-relevant settings.
  • Windows SQL Server Critical Procedures Enabled: This detection identifies when critical SQL Server configuration options are modified, including "Ad Hoc Distributed Queries", "external scripts enabled", "Ole Automation Procedures", "clr enabled", and "clr strict security". These features can be abused by attackers for various malicious purposes: Ad Hoc Distributed Queries enables Active Directory reconnaissance through the ADSI provider, external scripts and Ole Automation allow execution of arbitrary code, and CLR features can be used to run custom assemblies. Enabling these features could indicate attempts to gain code execution or perform reconnaissance through SQL Server.
  • Windows SQL Server xp_cmdshell Config Change: This detection identifies when the xp_cmdshell configuration is modified in SQL Server. The xp_cmdshell extended stored procedure allows execution of operating system commands and programs from SQL Server, making it a high-risk feature commonly abused by attackers for privilege escalation and lateral movement.
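The following is an added example (not from this page or from Splunk) showing how a detection pipeline could consume the example event above: it pulls the option name and the two values from Data, decodes the Binary field, and flags the event when the option is one the rules above treat as critical. The Binary layout (error number, severity, then length-prefixed UTF-16LE strings) is an assumption inferred from this single sample, and the order in which the two numbers are logged is reported as-is rather than interpreted.

```python
import base64
import json
import struct
from typing import Optional

# Options the Splunk rules above single out as high-risk (lower-cased for matching).
CRITICAL_OPTIONS = {
    "xp_cmdshell", "ad hoc distributed queries", "external scripts enabled",
    "ole automation procedures", "clr enabled", "clr strict security",
}

def decode_binary(b64: str) -> dict:
    """Decode the Binary field. Layout is an assumption inferred from the sample:
    uint32 error number, uint32 severity, then length-prefixed UTF-16LE strings
    (length counted in characters, including the terminating NUL)."""
    raw = base64.b64decode(b64)
    number, severity = struct.unpack_from("<II", raw, 0)
    pos, strings = 8, []
    while pos + 4 <= len(raw):
        (n_chars,) = struct.unpack_from("<I", raw, pos)
        pos += 4
        chunk = raw[pos:pos + 2 * n_chars]
        pos += 2 * n_chars
        strings.append(chunk.decode("utf-16-le").rstrip("\x00"))
    return {"error_number": number, "severity": severity, "strings": strings}

def analyse_event(event: dict) -> Optional[dict]:
    """Return a finding for an MSSQLSERVER 15457 event, or None for anything else."""
    sysm, data = event.get("system", {}), event.get("event_data", {})
    if sysm.get("provider") != "MSSQLSERVER" or sysm.get("event_id") != 15457:
        return None
    option, first, second = data["Data"][:3]
    binary = decode_binary(data["Binary"])
    return {
        "option": option,
        "values": (int(first), int(second)),  # the two numbers exactly as logged
        "critical": option.lower() in CRITICAL_OPTIONS,
        "computer": sysm.get("computer"),
        "error_number": binary["error_number"],
        "severity": binary["severity"],
        "binary_strings": binary["strings"],
    }

# Sample built from the example event on this page (constructed input).
SAMPLE_EVENT = json.loads("""{
  "system": {"provider": "MSSQLSERVER", "event_id": 15457, "computer": "MSEDGEWIN10"},
  "event_data": {"Data": ["xp_cmdshell", "1", "0"],
                 "Binary": "YTwAAAoAAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"}
}""")
```

Running `analyse_event(SAMPLE_EVENT)` on the sample yields error number 15457, severity 10, and the strings "MSEDGEWIN10" and "master" from the Binary field, with the xp_cmdshell option marked critical.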

References