MSSQLSERVER

22 events across 1 channel

Event	Title	Channel	Sample
8128	Event ID 8128	Application	Y
15457	Event ID 15457	Application	Y
17103	Event ID 17103	Application	Y
17110	Event ID 17110	Application	Y
17111	Event ID 17111	Application	Y
17125	Event ID 17125	Application	Y
17126	Event ID 17126	Application	Y
17137	Event ID 17137	Application	Y
17152	Event ID 17152	Application	Y
17162	Event ID 17162	Application	Y
17164	Event ID 17164	Application	Y
17199	Event ID 17199	Application	Y
17200	Event ID 17200	Application	N
17201	Event ID 17201	Application	N
17202	Event ID 17202	Application	N
17810	Event ID 17810	Application	N
18454	Event ID 18454	Application	Y
18456	Event ID 18456	Application	Y
18470	Event ID 18470	Application	N
26067	Event ID 26067	Application	Y
26076	Event ID 26076	Application	Y
33205	Event ID 33205	Application	Y

Event ID 8128

Provider: MSSQLSERVER
Channel: Application
Level: 4

Fields #

Name	Description
`Data_0`
`Binary`

Example Event #

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 8128,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.457960+00:00",
    "event_record_id": 4547,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | Using 'dbghelp.dll' version '4.0.5'</string>\n",
    "Binary": ""
  },
  "message": ""
}

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

MSSQL Extended Stored Procedure Backdoor Maggie source high: This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server

Splunk # view in coverage

Windows SQL Server Extended Procedure DLL Loading Hunt source: This analytic detects when SQL Server loads DLLs to execute extended stored procedures. This is particularly important for security monitoring as it indicates the first-time use or version changes of potentially dangerous procedures like…

Event ID 15457

Provider: MSSQLSERVER
Channel: Application
Level: Informational

Fields #

Name	Description	Rules
`Data`		1 detection rule
`Binary`

Example Event #

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 15457,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2019-11-04T09:27:26.315067+00:00",
    "event_record_id": 9696,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "xp_cmdshell",
      "1",
      "0"
    ],
    "Binary": "YTwAAAoAAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"
  },
  "message": ""
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	contains	`mssql`	1 rule	sigma

Community Notes #

MS SQL Server xp_cmdshell execution. See this DFIR Report write-up: SELECT XMRig FROM SQLServer

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

MSSQL XPCmdshell Option Change source high: Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed.
SQL Server Dedicated Admin Connection (DAC) mode activated (native) source high: Detects scenarios where an attacker enabled the DAC mode in order to bypass access controls, logon triggers, perform brute force attacks or run unauthorized queries.
SQL Server lateral movement with CLR activation source high: Detects scenarios where an attacker enables CLR (Common Language Runtime with .NET) to abuse store procedures in order to move lateraly.

Show 1 more (4 total)

SQL Server xp_cmdshell activation (native event) source high: Detects scenarios where an attacker enable the xp_cmdshell in order to execute non SQL content and escalate privileges

Splunk # view in coverage

Windows SQL Server Configuration Option Hunt source: This detection helps hunt for changes to SQL Server configuration options that could indicate malicious activity. It monitors for modifications to any SQL Server configuration settings, allowing analysts to identify potentially suspicious…
Windows SQL Server Critical Procedures Enabled source: This detection identifies when critical SQL Server configuration options are modified, including "Ad Hoc Distributed Queries", "external scripts enabled", "Ole Automation Procedures", "clr enabled", and "clr strict security". These…
Windows SQL Server xp_cmdshell Config Change source: This detection identifies when the xp_cmdshell configuration is modified in SQL Server. The xp_cmdshell extended stored procedure allows execution of operating system commands and programs from SQL Server, making it a high-risk feature…

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 17103

Provider: MSSQLSERVER
Channel: Application
Level: 4

Fields #

Name	Description
`Data_0`
`Binary`

Example Event #

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17103,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.457960+00:00",
    "event_record_id": 4550,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | Microsoft SQL Server is starting up: launched. Process ID is 0.</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17110

Provider: MSSQLSERVER
Channel: Application
Level: 4

Fields #

Name	Description
`Data_0`
`Binary`

Example Event #

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17110,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.457960+00:00",
    "event_record_id": 4551,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | This instance of SQL Server has been using a process ID of 0 since startup.</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17111

Provider: MSSQLSERVER
Channel: Application
Level: 4

Fields #

Name	Description
`Data_0`
`Binary`

Example Event #

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17111,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.457960+00:00",
    "event_record_id": 4552,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | Logging SQL Server messages in file 'C:\\\\synthetic\\\\errorlog'.</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17125

Provider: MSSQLSERVER
Channel: Application
Level: 4

Fields #

Name	Description
`Data_0`
`Binary`

Example Event #

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17125,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.472630+00:00",
    "event_record_id": 4553,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | Using conventional memory in the memory manager.</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17126

Provider: MSSQLSERVER
Channel: Application
Level: 4

Fields #

Name	Description
`Data_0`
`Binary`

Example Event #

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17126,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.442303+00:00",
    "event_record_id": 4540,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | SQL Server is starting at normal priority base (=7).</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17137

Provider: MSSQLSERVER
Channel: Application
Level: 4

Fields #

Name	Description
`Data_0`
`Binary`

Example Event #

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17137,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.442303+00:00",
    "event_record_id": 4541,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | Starting up database 'master'.</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17152

Provider: MSSQLSERVER
Channel: Application
Level: 4

Fields #

Name	Description
`Data_0`
`Binary`

Example Event #

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17152,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.473648+00:00",
    "event_record_id": 4554,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | The service account is 'NT Service\\\\MSSQLSERVER'.</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17162

Provider: MSSQLSERVER
Channel: Application
Level: 4

Fields #

Name	Description
`Data_0`
`Binary`

Example Event #

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17162,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.457960+00:00",
    "event_record_id": 4545,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | SQL Server is now ready for client connections.</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17164

Provider: MSSQLSERVER
Channel: Application
Level: 4

Fields #

Name	Description
`Data_0`
`Binary`

Example Event #

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17164,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.473648+00:00",
    "event_record_id": 4555,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | The licensing PID was successfully processed (synthetic).</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 17199

Provider: MSSQLSERVER
Channel: Application
Level: 4

Fields #

Name	Description
`Data_0`
`Binary`

Example Event #

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 17199,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.457960+00:00",
    "event_record_id": 4546,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | Dedicated administrator connection support was not started because it is disabled on this edition.</string>\n",
    "Binary": ""
  },
  "message": ""
}

Detection Patterns #

Persistence: SQL Stored Procedures

MSSQLSERVER Event ID 17199OREvent ID 17200OREvent ID 17201OREvent ID 17202OREvent ID 17810

1 rule

Sigma

SQL Server Dedicated Admin Connection (DAC) suspicious activity (source)

mdecrevoisier

Event ID 17200

Provider: MSSQLSERVER
Channel: Application

Detection Patterns #

Persistence: SQL Stored Procedures

MSSQLSERVER Event ID 17199OREvent ID 17200OREvent ID 17201OREvent ID 17202OREvent ID 17810

1 rule

Sigma

SQL Server Dedicated Admin Connection (DAC) suspicious activity (source)

mdecrevoisier

Event ID 17201

Provider: MSSQLSERVER
Channel: Application

Detection Patterns #

Persistence: SQL Stored Procedures

MSSQLSERVER Event ID 17199OREvent ID 17200OREvent ID 17201OREvent ID 17202OREvent ID 17810

1 rule

Sigma

SQL Server Dedicated Admin Connection (DAC) suspicious activity (source)

mdecrevoisier

Event ID 17202

Provider: MSSQLSERVER
Channel: Application

Detection Patterns #

Persistence: SQL Stored Procedures

MSSQLSERVER Event ID 17199OREvent ID 17200OREvent ID 17201OREvent ID 17202OREvent ID 17810

1 rule

Sigma

SQL Server Dedicated Admin Connection (DAC) suspicious activity (source)

mdecrevoisier

Event ID 17810

Provider: MSSQLSERVER
Channel: Application

Detection Patterns #

Persistence: SQL Stored Procedures

MSSQLSERVER Event ID 17199OREvent ID 17200OREvent ID 17201OREvent ID 17202OREvent ID 17810

1 rule

Sigma

SQL Server Dedicated Admin Connection (DAC) suspicious activity (source)

mdecrevoisier

Event ID 18454

Provider: MSSQLSERVER
Channel: Application

Fields #

Name	Description
`Data`
`Binary`

Example Event #

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 18454,
    "version": 0,
    "level": 0,
    "task": 4,
    "opcode": 0,
    "keywords": 45035996273704960,
    "time_created": "2019-11-04T09:27:26.127038+00:00",
    "event_record_id": 9690,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "root",
      " [CLIENT: 10.0.2.17]"
    ],
    "Binary": "FkgAAAoAAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 18456

Provider: MSSQLSERVER
Channel: Application

Fields #

Name	Description	Rules
`Data`		21 detection rules
`Binary`

Example Event #

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 18456,
    "version": 0,
    "level": 0,
    "task": 4,
    "opcode": 0,
    "keywords": 40532396646334464,
    "time_created": "2019-11-04T13:46:01.279826+00:00",
    "event_record_id": 13035,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "root",
      " Reason: Password did not match that for the login provided.",
      " [CLIENT: 10.0.2.17]"
    ],
    "Binary": "GEgAAA4AAAAMAAAATQBTAEUARABHAEUAVwBJAE4AMQAwAAAABwAAAG0AYQBzAHQAZQByAAAA"
  },
  "message": ""
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	contains	`mssql`	2 rules	sigma

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

MSSQL Server Failed Logon source low: Detects failed logon attempts from clients to MSSQL server.
MSSQL Server Failed Logon From External Network source medium: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 18470

Provider: MSSQLSERVER
Channel: Application

Detection Patterns #

Stealth: Valid Accounts

MSSQLSERVER Event ID 18470OREvent ID 33205

1 rule

Sigma

SQL Server - Connection attempt using a disabled account (source)

mdecrevoisier

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`action_id`	eq	`LGFL`	1 rule	sigma
`action_id`	eq	`LGIF`	1 rule	sigma
`class_type`	eq	`LX`	1 rule	sigma

Event ID 26067

Provider: MSSQLSERVER
Channel: Application
Level: 3

Fields #

Name	Description
`Data_0`
`Binary`

Example Event #

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 26067,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.457960+00:00",
    "event_record_id": 4549,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | SQL Server Network Interface library could not register SPN (synthetic warning).</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 26076

Provider: MSSQLSERVER
Channel: Application
Level: 4

Fields #

Name	Description
`Data_0`
`Binary`

Example Event #

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 26076,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-09 01:29:40.457960+00:00",
    "event_record_id": 4548,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "tel2-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "<string>gen_evtx synthetic — do not treat as a real SQL Server event | SQL Server is attempting to register a Service Principal Name (SPN).</string>\n",
    "Binary": ""
  },
  "message": ""
}

Event ID 33205

Provider: MSSQLSERVER
Channel: Application

Fields #

Name	Description	Rules
`Data`		8 detection rules

Example Event #

{
  "system": {
    "provider": "MSSQLSERVER",
    "guid": "",
    "event_source_name": "",
    "event_id": 33205,
    "version": 0,
    "level": 0,
    "task": 4,
    "opcode": 0,
    "keywords": 45035996273704960,
    "time_created": "2019-11-04T09:27:27.315013+00:00",
    "event_record_id": 9707,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "audit_schema_version:1\nevent_time:2019-11-04 09:27:26.3150666\nsequence_number:1\naction_id:LGIS\nsucceeded:true\nis_column_permission:false\nsession_id:58\nserver_principal_id:266\ndatabase_principal_id:0\ntarget_server_principal_id:0\ntarget_database_principal_id:0\nobject_id:0\nuser_defined_event_id:0\ntransaction_id:0\nclass_type:LX\nduration_milliseconds:0\nresponse_rows:0\naffected_rows:0\nclient_ip:10.0.2.17\npermission_bitmask:00000000000000000000000000000000\nsequence_group_id:2D5419DB-389F-4478-946C-23870BA1D2C4\nsession_server_principal_name:root\nserver_principal_name:root\nserver_principal_sid:8867c003d7407345abb6e4ed81382626\ndatabase_principal_name:\ntarget_server_principal_name:\ntarget_server_principal_sid:\ntarget_database_principal_name:\nserver_instance_name:MSEDGEWIN10\ndatabase_name:\nschema_name:\nobject_name:\nstatement:-- network protocol: TCP/IP\r\nset quoted_identifier on\r\nset arithabort off\r\nset numeric_roundabort off\r\nset ansi_warnings on\r\nset ansi_padding on\r\nset ansi_nulls on\r\nset concat_null_yields_null on\r\nset cursor_close_on_commit off\r\nset implicit_transactions off\r\nset language us_english\r\nset dateformat mdy\r\nset datefirst 7\r\nset transaction isolation level read committed\r\n\nadditional_information:<action_info xmlns=\"http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data\"><pooled_connection>1</pooled_connection><client_options>0x28000020</client_options><client_options1>0x0001f438</client_options1><connect_options>0x00000000</connect_options><packet_data_size>8000</packet_data_size><address>10.0.2.17</address><is_dac>0</is_dac></action_info>\nuser_defined_information:\napplication_name:.Net SqlClient Data Provider\n"
    ]
  },
  "message": ""
}

Detection Patterns #

Stealth: Valid Accounts

MSSQLSERVER Event ID 18470OREvent ID 33205

1 rule

Sigma

SQL Server - Connection attempt using a disabled account (source)

mdecrevoisier

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	contains	`mssql`	4 rules	sigma
`Data`	contains	`statement:exec`	2 rules	sigma
`action_id`	eq	`AL`	2 rules	sigma
`action_id`	eq	`APRL`	2 rules	sigma
`action_id`	eq	`DR`	2 rules	sigma
`action_id`	eq	`G`	2 rules	sigma
`action_id`	eq	`GWG`	2 rules	sigma
`action_id`	eq	`LGFL`	2 rules	sigma
`action_id`	eq	`LGIF`	2 rules	sigma
`class_type`	eq	`LX`	2 rules	sigma
`statement`	contains	`state = off`	2 rules	sigma

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

MSSQL Add Account To Sysadmin Role source high: Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
MSSQL Disable Audit Settings source high: Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server
MSSQL SPProcoption Set source high: Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started

Show 9 more (12 total)

MSSQL XPCmdshell Suspicious Execution source high: Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands
SQL Server auditing deactivated source high: Detects scenarios where an attacker deactivates SQL Server auditing capacities. SQL auditing requires previous configuration on each SQL instance.
SQL Server - Brutforce enumeration with non existing users (login) source high: Detects scenarios where an attacker attempts to enumerate potential existing SQL users, resulting in failed logins with unexisting or invalid accounts.
SQL Server database auditing deactivated source high: Detects scenarios where an attacker deactivates SQL Server database auditing capacities. SQL auditing requires previous configuration on each SQL instance.
SQL SA admin user enabled source high: Detects scenarios where an attacker enables the disabled (recommended) SA admin account on the SQL Server instance.
SQL Server - Member got new privileges added on a SQL instance level source medium: Detects scenarios where an attacker grants new privileges on a SQL instance level
SQL Server - Member got new privileges added on a database source medium: Detects scenarios where an attacker grants new privileges on a database level
SQL Server - new member added to a database role source medium: Detects scenarios where an attacker adds his account to a database role (db_securityadmin, db_datawriter, db_securityadmin, ...)
SQL Server - new member added to a server role source medium: Detects scenarios where an attacker adds his account to a server role (sysadmin, securityadmin, serveradmin, ...)

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)