Windows SQL Server xp_cmdshell Config Change

Author: Michael Haag, Splunk, sidoyle from Splunk Community
Source: upstream

This detection identifies when the xp_cmdshell configuration is modified in SQL Server. The xp_cmdshell extended stored procedure allows execution of operating system commands and programs from SQL Server, making it a high-risk feature commonly abused by attackers for privilege escalation and lateral movement.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1505.001` Server Software Component: SQL Stored Procedures

Event coverage

Provider	Event ID	Title
MSSQLSERVER	15457

Stages and Predicates

Stage 1: `search`

search EventCode=15457

Stage 2: `rex`

rex field=EventData_Xml ...

Stage 3: `rename`

rename

Stage 4: `where`

where config_name="xp_cmdshell"

Stage 5: `eval`

eval ... using (new_value, old_value)

Stage 6: `eval`

eval ... using (change_type)

Stage 7: `eval`

eval ... using (change_type, dest)

Stage 8: `stats`

stats BY dest, EventCode, config_name, change_type, risk_message, risk_score

Stage 9: `search`

search

Stage 10: `search`

search

Stage 11: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`15457` corpus 3 (splunk 3)
`config_name`	eq	`"xp_cmdshell"`

Windows SQL Server xp_cmdshell Config Change

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: search

Stage 2: rex

Stage 3: rename

Stage 4: where

Stage 5: eval

Stage 6: eval

Stage 7: eval

Stage 8: stats

Stage 9: search

Stage 10: search

Stage 11: search