
MSSQL XPCmdshell Option Change

Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed.

Author
Nasreddine Bencherchali (Nextron Systems)
Log Source
Product
Windows
Service
application
Detection Logic
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 15457
        Data|contains: 'xp_cmdshell'
    condition: selection
False Positives

Legitimate enable/disable of the setting

Note that the event reports the configuration change for both values (the old and the new setting), so this rule triggers on both enabling and disabling xp_cmdshell.
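To show how the selection above behaves, and why it fires in both directions, here is an added Python example (not part of the rule or the SigmaHQ project) that evaluates the three field tests against constructed Application log events and then reads the old/new values out of the message so an analyst can tell an enable from a disable. The event field names follow the Sigma Windows convention used in the rule; the message text is a constructed sample.

```python
import re

# Constructed sample Windows Application log events using the field names the
# rule references. These are not taken from the original page.
SAMPLE_EVENTS = [
    {"Provider_Name": "MSSQLSERVER", "EventID": 15457,
     "Data": "Configuration option 'xp_cmdshell' changed from 0 to 1. "
             "Run the RECONFIGURE statement to install."},
    {"Provider_Name": "MSSQL$SQLEXPRESS", "EventID": 15457,
     "Data": "Configuration option 'xp_cmdshell' changed from 1 to 0. "
             "Run the RECONFIGURE statement to install."},
    {"Provider_Name": "MSSQLSERVER", "EventID": 15457,
     "Data": "Configuration option 'show advanced options' changed from 0 to 1. "
             "Run the RECONFIGURE statement to install."},
    # Same event ID and keyword, but not an MSSQL provider: must not match.
    {"Provider_Name": "Application Error", "EventID": 15457,
     "Data": "xp_cmdshell"},
]

CHANGE_RE = re.compile(r"changed from (\d+) to (\d+)")


def matches_rule(event):
    """Apply the rule's single selection. All three tests must hold;
    Sigma string matching is case-insensitive, so compare lower-cased."""
    provider = str(event.get("Provider_Name", "")).lower()
    data = str(event.get("Data", "")).lower()
    return ("mssql" in provider
            and event.get("EventID") == 15457
            and "xp_cmdshell" in data)


def classify(event):
    """Enrich a match: report whether xp_cmdshell was enabled or disabled,
    which the rule itself does not distinguish (see the false-positive note)."""
    m = CHANGE_RE.search(str(event.get("Data", "")))
    if not m:
        return "unknown"
    old, new = m.groups()
    if old == new:
        return "unchanged"  # RECONFIGURE re-run without an actual change
    return "enabled" if new != "0" else "disabled"


def run(events):
    """Return (provider, direction) for every event the rule would alert on."""
    return [(e["Provider_Name"], classify(e)) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for provider, direction in run(SAMPLE_EVENTS):
        print(f"ALERT {provider}: xp_cmdshell {direction}")
```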

MITRE ATT&CK
Rule Metadata
Rule ID
d08dd86f-681e-4a00-a92c-1db218754417
Status
test
Level
high
Type
Detection
Created
Tue Jul 12
Modified
Wed Jun 26
Path
rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml
Raw Tags
attack.execution