datasource

Author: MHaggis

data_sources/windows_event_log_application_15457.yml

@@ -0,0 +1,99 @@
+name: Windows Event Log Application 15457
+id: 4491537e-520c-46f7-9209-f56f852aa237
+version: 1
+date: '2025-03-04'
+author: Michael Haag, Splunk
+description: Data source object for Windows Event Log Application 15457
+source: XmlWinEventLog:Application
+sourcetype: XmlWinEventLog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+  url: https://splunkbase.splunk.com/app/742
+  version: 9.0.1
+fields:
+- CategoryString
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Image_File_Name
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- Qualifiers
+- RecordNumber
+- RenderingInfo_Xml
+- SourceName
+- SubStatus
+- SystemTime
+- System_Props_Xml
+- Task
+- TaskCategory
+- ThreadID
+- UserData_Xml
+- UserID
+- Version
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _subsecond
+- _time
+- action
+- category
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- parent_process
+- process_name
+- punct
+- result
+- service
+- service_id
+- service_name
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- status
+- subject
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_group_id
+- user_id
+- vendor_product
+example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MSSQLSERVER'/><EventID Qualifiers='16384'>15457</EventID><Version>0</Version><Level>4</Level><Task>2</Task><Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2025-02-04T19:46:19.5339693Z'/><EventRecordID>15827</EventRecordID><Correlation/><Execution ProcessID='0' ThreadID='0'/><Channel>Application</Channel><Computer>ar-win-2.attackrange.local</Computer><Security/></System><EventData><Data>show advanced options</Data><Data>1</Data><Data>0</Data><Binary>613C00000A00000009000000610072002D00770069006E002D0032000000070000006D00610073007400650072000000</Binary></EventData></Event>
+

data_sources/windows_event_log_application_17135.yml

@@ -1,5 +1,5 @@
 name: Windows Event Log Application 17135
-id: 4491537e-520c-46f7-9209-f56f852aa237
+id: 4491537e-520c-46f7-9209-f56f852aa231
 version: 1
 date: '2025-02-26'
 author: Michael Haag, Splunk

detections/endpoint/windows_sql_server_configuration_option_hunt.yml

@@ -7,7 +7,7 @@ status: production
 type: Hunting
 description: This detection helps hunt for changes to SQL Server configuration options that could indicate malicious activity. It monitors for modifications to any SQL Server configuration settings, allowing analysts to identify potentially suspicious changes that may be part of an attack, such as enabling dangerous features or modifying security-relevant settings.
 data_source:
-- Windows Event Log Application
+- Windows Event Log Application 15457
 search: '`wineventlog_application` EventCode=15457 
     | rex field=EventData_Xml "<Data>(?<config_name>[^<]+)</Data><Data>(?<new_value>[^<]+)</Data><Data>(?<old_value>[^<]+)</Data>"
     | rename host as dest

detections/endpoint/windows_sql_server_critical_procedures_enabled.yml

@@ -7,7 +7,7 @@ status: production
 type: TTP
 description: This detection identifies when critical SQL Server configuration options are modified, including "Ad Hoc Distributed Queries", "external scripts enabled", "Ole Automation Procedures", "clr enabled", and "clr strict security". These features can be abused by attackers for various malicious purposes - Ad Hoc Distributed Queries enables Active Directory reconnaissance through ADSI provider, external scripts and Ole Automation allow execution of arbitrary code, and CLR features can be used to run custom assemblies. Enabling these features could indicate attempts to gain code execution or perform reconnaissance through SQL Server.
 data_source:
-- Windows Event Log Application
+- Windows Event Log Application 15457
 search: '`wineventlog_application` EventCode=15457 
   | rex field=EventData_Xml "<Data>(?<config_name>[^<]+)</Data><Data>(?<new_value>[^<]+)</Data><Data>(?<old_value>[^<]+)</Data>"
   | where config_name IN ("Ad Hoc Distributed Queries", "external scripts enabled", "Ole Automation Procedures", "clr enabled", "clr strict security")

detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml

@@ -6,7 +6,8 @@ author: Michael Haag, Splunk
 status: production
 type: TTP
 description: This detection identifies when the xp_cmdshell configuration is modified in SQL Server. The xp_cmdshell extended stored procedure allows execution of operating system commands and programs from SQL Server, making it a high-risk feature commonly abused by attackers for privilege escalation and lateral movement.
-
+data_source:
+- Windows Event Log Application 15457
 search: '`wineventlog_application` EventCode=15457 
     | rex field=EventData_Xml "<Data>(?<config_name>[^<]+)</Data><Data>(?<new_value>[^<]+)</Data><Data>(?<old_value>[^<]+)</Data>"
     | rename host as dest
@@ -59,9 +60,7 @@ rba:
   - field: config_name
     type: other
     score: 90
-  threat_objects:
-  - field: change_type
-    type: file_name
+  threat_objects: []
 tags:
     analytic_story:
     - SQL Server Abuse