LoFP / legitimate enable/disable of the setting

Techniques

Sample rules

MSSQL XPCmdshell Option Change

• source: sigma
• technicques:

Description

Detects when the MSSQL “xp_cmdshell” stored procedure setting is changed.

Detection logic

condition: selection
selection:
  Data|contains: xp_cmdshell
  EventID: 15457
  Provider_Name|contains: MSSQL