Merged
@@ -1,15 +1,15 @@
name: Windows SQL Server Configuration Option Hunt
id: 8dc9efd5-805a-460e-889e-bc79e5477af9
version: 2
date: '2025-05-02'
author: Michael Haag, Splunk
version: 3
date: '2025-08-27'
author: Michael Haag, Splunk, sidoyle from Splunk Community
status: production
type: Hunting
description: This detection helps hunt for changes to SQL Server configuration options that could indicate malicious activity. It monitors for modifications to any SQL Server configuration settings, allowing analysts to identify potentially suspicious changes that may be part of an attack, such as enabling dangerous features or modifying security-relevant settings.
data_source:
- Windows Event Log Application 15457
search: '`wineventlog_application` EventCode=15457
| rex field=EventData_Xml "<Data>(?<config_name>[^<]+)</Data><Data>(?<new_value>[^<]+)</Data><Data>(?<old_value>[^<]+)</Data>"
| rex field=EventData_Xml "<Data>(?<config_name>[^<]+)</Data><Data>(?<old_value>[^<]+)</Data><Data>(?<new_value>[^<]+)</Data>"
| rename host as dest
| eval change_type=case(
old_value="0" AND new_value="1", "enabled",
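Review bot: the capture-group swap is the right fix. SQL Server's 15457 message reads "Configuration option 'X' changed from OLD to NEW", so the three `<Data>` elements arrive as name, old value, new value; the previous regex bound `old_value` and `new_value` the other way round, which inverted the `change_type=case(old_value="0" AND new_value="1", "enabled", ...)` mapping that follows. One caveat on the pattern: each group is `[^<]+`, so an event in which any of the three values is empty does not match and silently drops out of the hunt; `[^<]*` would keep those rows. Since this identical rex is corrected in three detections and a drilldown in the same PR, consider moving it into a macro so the next correction lands in one place.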
@@ -1,15 +1,15 @@
name: Windows SQL Server Critical Procedures Enabled
id: d0434864-b043-41e3-8c08-30e53605e9cb
version: 2
date: '2025-05-02'
author: Michael Haag, Splunk
version: 3
date: '2025-08-27'
author: Michael Haag, Splunk, sidoyle from Splunk Community
status: production
type: TTP
description: This detection identifies when critical SQL Server configuration options are modified, including "Ad Hoc Distributed Queries", "external scripts enabled", "Ole Automation Procedures", "clr enabled", and "clr strict security". These features can be abused by attackers for various malicious purposes - Ad Hoc Distributed Queries enables Active Directory reconnaissance through ADSI provider, external scripts and Ole Automation allow execution of arbitrary code, and CLR features can be used to run custom assemblies. Enabling these features could indicate attempts to gain code execution or perform reconnaissance through SQL Server.
data_source:
- Windows Event Log Application 15457
search: '`wineventlog_application` EventCode=15457
| rex field=EventData_Xml "<Data>(?<config_name>[^<]+)</Data><Data>(?<new_value>[^<]+)</Data><Data>(?<old_value>[^<]+)</Data>"
| rex field=EventData_Xml "<Data>(?<config_name>[^<]+)</Data><Data>(?<old_value>[^<]+)</Data><Data>(?<new_value>[^<]+)</Data>"
| where config_name IN ("Ad Hoc Distributed Queries", "external scripts enabled", "Ole Automation Procedures", "clr enabled", "clr strict security")
| rename host as dest
| eval change_type=case(
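Review bot: the swap matches the first file and the `where config_name IN (...)` filter stays ahead of the `rename`, which is fine, but the `eval change_type=case(` that follows is cut off here and was written against the old field order; re-run the detection against the attack dataset and confirm that enabling one of the listed options is now labelled "enabled" rather than "disabled". Note also that string comparison in `where` is case-sensitive in SPL, so the option names in the `IN (...)` list must match the casing SQL Server writes into the event (the mixed case used here, e.g. "Ole Automation Procedures", is the form sys.configurations reports).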
@@ -1,15 +1,15 @@
name: Windows SQL Server xp_cmdshell Config Change
id: 5eb76fe2-a869-4865-8c4c-8cff424b18b1
version: 4
date: '2025-05-02'
author: Michael Haag, Splunk
version: 5
date: '2025-08-27'
author: Michael Haag, Splunk, sidoyle from Splunk Community
status: production
type: TTP
description: This detection identifies when the xp_cmdshell configuration is modified in SQL Server. The xp_cmdshell extended stored procedure allows execution of operating system commands and programs from SQL Server, making it a high-risk feature commonly abused by attackers for privilege escalation and lateral movement.
data_source:
- Windows Event Log Application 15457
search: '`wineventlog_application` EventCode=15457
| rex field=EventData_Xml "<Data>(?<config_name>[^<]+)</Data><Data>(?<new_value>[^<]+)</Data><Data>(?<old_value>[^<]+)</Data>"
| rex field=EventData_Xml "<Data>(?<config_name>[^<]+)</Data><Data>(?<old_value>[^<]+)</Data><Data>(?<new_value>[^<]+)</Data>"
| rename host as dest
| where config_name="xp_cmdshell"
| eval change_type=case(
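Review bot: `where config_name="xp_cmdshell"` now sits after `rename host as dest` rather than before it as in the previous file; harmless, but pick one ordering across the three detections. More importantly, the version bump (4 to 5) changes what the alert reports without saying so in the description: with the old regex an xp_cmdshell enable was recorded as a disable, so a line in the description or release notes stating that `old_value`/`new_value` semantics were corrected will stop analysts mis-reading historical alerts.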
Expand Down Expand Up @@ -48,7 +48,7 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View all SQL Server configuration changes on this host in the last 7 days
search: '`wineventlog_application` EventCode=15457 host="$dest$" | rex field=EventData_Xml "<Data>(?<config_name>[^<]+)</Data><Data>(?<new_value>[^<]+)</Data><Data>(?<old_value>[^<]+)</Data>" | stats count values(config_name) as "Changed Settings" values(new_value) as "New Values" by _time dest'
search: '`wineventlog_application` EventCode=15457 host="$dest$" | rex field=EventData_Xml "<Data>(?<config_name>[^<]+)</Data><Data>(?<old_value>[^<]+)</Data><Data>(?<new_value>[^<]+)</Data>" | stats count values(config_name) as "Changed Settings" values(new_value) as "New Values" by _time dest'
earliest_offset: -7d
latest_offset: now
rba:
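Review bot: the drilldown regex was updated consistently with the detections, good. The `stats` clause only surfaces `values(new_value) as "New Values"`; now that `old_value` is captured correctly, adding `values(old_value) as "Previous Values"` would show the analyst the direction of each change (enable vs. disable) directly in the drilldown instead of requiring each event to be opened.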
Expand Down Expand Up @@ -79,4 +79,4 @@ tests:
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.001/simulation/windows-application.log
source: XmlWinEventLog:Application
sourcetype: XmlWinEventLog
sourcetype: XmlWinEventLog
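Review bot: both sides of this hunk read `sourcetype: XmlWinEventLog`, so the only change is whitespace or the end-of-file newline and the attack dataset itself is untouched. Because the field order was inverted until this change, confirm the existing test still passes and that the dataset contains at least one enable and one disable of a monitored option, so the corrected `old_value`/`new_value` mapping is actually exercised rather than passing by coincidence.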