MSSQL Add Account To Sysadmin Role
Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
Sigma rule (View on GitHub)
1title: MSSQL Add Account To Sysadmin Role
2id: 08200f85-2678-463e-9c32-88dce2f073d1
3status: test
4description: Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
5references:
6 - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/07/13
9tags:
10 - attack.persistence
11logsource:
12 product: windows
13 service: application
14 definition: MSSQL audit policy must be enabled in order to receive this event in the application log
15 # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
16detection:
17 selection:
18 Provider_Name: 'MSSQLSERVER'
19 EventID: 33205
20 Data|contains|all:
21 - 'object_name:sysadmin'
22 - 'statement:alter server role [sysadmin] add member '
23 condition: selection
24falsepositives:
25 - Rare legitimate administrative activity
26level: high
References
-
In this blog series, we're planning to take a look at techniques for maintaining access through SQL Server and how they can be detected by security teams.
Read More
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons
- Added Credentials to Existing Application
- Anydesk Remote Access Software Service Installation