Nasreddine Bencherchali
27 lines
1.1 KiB
YAML
27 lines
1.1 KiB
YAML
title: MSSQL Add Account To Sysadmin Role
|
|
id: 08200f85-2678-463e-9c32-88dce2f073d1
|
|
status: experimental
|
|
description: Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
|
|
references:
|
|
- https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
|
|
author: Nasreddine Bencherchali (Nextron Systems)
|
|
date: 2022/07/13
|
|
tags:
|
|
- attack.persistence
|
|
logsource:
|
|
product: windows
|
|
service: application
|
|
definition: MSSQL audit policy must be enabled in order to receive this event in the application log
|
|
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
|
|
detection:
|
|
selection:
|
|
Provider_Name: 'MSSQLSERVER'
|
|
EventID: 33205
|
|
Data|contains|all:
|
|
- 'object_name:sysadmin'
|
|
- 'statement:alter server role [sysadmin] add member '
|
|
condition: selection
|
|
falsepositives:
|
|
- Rare legitimate administrative activity
|
|
level: high
|