MSSQL Add Account To Sysadmin Role

Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role

Sigma rule (View on GitHub)

 1title: MSSQL Add Account To Sysadmin Role
 2id: 08200f85-2678-463e-9c32-88dce2f073d1
 3status: test
 4description: Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
 5references:
 6    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-07-13
 9modified: 2024-06-26
10tags:
11    - attack.persistence
12logsource:
13    product: windows
14    service: application
15    definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event in the application log'
16    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
17detection:
18    selection:
19        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
20        EventID: 33205
21        Data|contains|all:
22            - 'object_name:sysadmin'
23            - 'statement:alter server role [sysadmin] add member '
24    condition: selection
25falsepositives:
26    - Rare legitimate administrative activity
27level: high

References

Related rules

to-top