security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
blue-team-tools/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml
T
Nasreddine Bencherchali 7c38a5c496 chore: add nextron authors tag
2023-02-01 11:14:59 +01:00

29 lines
1.4 KiB
YAML
Raw Blame History

title: MSSQL Disable Audit Settings
id: 350dfb37-3706-4cdc-9e2e-5e24bc3a46df
status: experimental
description: Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server
references:
- https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
- https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
- https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/13
tags:
- attack.defense_evasion
logsource:
product: windows
service: application
definition: MSSQL audit policy must be enabled in order to receive this event in the application log
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name: 'MSSQLSERVER'
EventID: 33205
Data|contains:
- 'statement:ALTER SERVER AUDIT'
- 'statement:DROP SERVER AUDIT'
condition: selection
falsepositives:
- This event should only fire when an administrator is modifying the audit policy. Which should be a rare occurrence once it's set up
level: high
Reference in New Issue View Git Blame Copy Permalink