MSSQL Disable Audit Settings
Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server
Sigma rule (View on GitHub)
1title: MSSQL Disable Audit Settings
2id: 350dfb37-3706-4cdc-9e2e-5e24bc3a46df
3status: test
4description: Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server
5references:
6 - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
7 - https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
8 - https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022/07/13
11tags:
12 - attack.defense_evasion
13logsource:
14 product: windows
15 service: application
16 definition: MSSQL audit policy must be enabled in order to receive this event in the application log
17 # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
18detection:
19 selection:
20 Provider_Name: 'MSSQLSERVER'
21 EventID: 33205
22 Data|contains:
23 - 'statement:ALTER SERVER AUDIT'
24 - 'statement:DROP SERVER AUDIT'
25 condition: selection
26falsepositives:
27 - This event should only fire when an administrator is modifying the audit policy. Which should be a rare occurrence once it's set up
28level: high
References
Related rules
- AMSI Bypass Pattern Assembly GetType
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Created And Deleted Within A Close Time Frame
- Account Tampering - Suspicious Failed Logon Reasons