MSSQL Add Account To Sysadmin Role
Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
Sigma rule (View on GitHub)
1title: MSSQL Add Account To Sysadmin Role
2id: 08200f85-2678-463e-9c32-88dce2f073d1
3status: test
4description: Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
5references:
6 - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-07-13
9modified: 2024-06-26
10tags:
11 - attack.persistence
12logsource:
13 product: windows
14 service: application
15 definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event in the application log'
16 # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
17detection:
18 selection:
19 Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
20 EventID: 33205
21 Data|contains|all:
22 - 'object_name:sysadmin'
23 - 'statement:alter server role [sysadmin] add member '
24 condition: selection
25falsepositives:
26 - Rare legitimate administrative activity
27level: high
References
-
In this blog series, we're planning to take a look at techniques for maintaining access through SQL Server and how they can be detected by security teams.
Read More
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS ECS Task Definition That Queries The Credential Endpoint