LoFP / note that since the event contain the change for both values. this means that this will trigger on both enable and disable

Techniques

Sample rules

MSSQL XPCmdshell Option Change

• source: sigma
• technicques:

Description

Detects when the MSSQL “xp_cmdshell” stored procedure setting is changed

Detection logic

condition: selection
selection:
  Data|contains: xp_cmdshell
  EventID: 15457
  Provider_Name: MSSQLSERVER