MSSQL Disable Audit Settings

Detects an "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" statement, recorded as SQL Server audit event 33205 in the Windows Application log, which an attacker can use to disable or delete audit logging on the server.

Sigma rule

title: MSSQL Disable Audit Settings
id: 350dfb37-3706-4cdc-9e2e-5e24bc3a46df
status: test
description: Detects when an attacker executes an "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" statement in order to disable or delete audit logging on the server
references:
    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
    - https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
    - https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/13
tags:
    - attack.defense_evasion
logsource:
    product: windows
    service: application
    definition: MSSQL audit policy must be enabled in order to receive this event in the application log
    # warning: The 'Data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'MSSQLSERVER'
        EventID: 33205
        Data|contains:
            - 'statement:ALTER SERVER AUDIT'
            - 'statement:DROP SERVER AUDIT'
    condition: selection
falsepositives:
    - This event should only fire when an administrator modifies the audit policy, which should be a rare occurrence once it is set up
level: high
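The selection above is a plain substring match on the whole event message. The following Python is an added example, not part of the Sigma rule or the SigmaHQ project: it applies the rule's logic to constructed Application-log records, parses the key:value layout of a 33205 message into fields an analyst actually wants (principal, instance, statement), and goes one step further than the rule by normalising the statement text first, because T-SQL treats comments as token separators, so `ALTER/**/SERVER  AUDIT ...` disables the audit just as well and is not a substring of either needle. The sample events, principal names and instance name are invented for the example; the field names (`event_time`, `action_id`, `server_principal_name`, `server_instance_name`, `statement`) follow the 33205 message layout.

```python
"""Run the 'MSSQL Disable Audit Settings' selection over Windows Application-log
records, plus a normalised variant that survives comment/whitespace tricks.
Added example; not the Sigma rule's own code."""

import re

PROVIDER = "MSSQLSERVER"
EVENT_ID = 33205  # SQL Server audit event written to the Application log

# Literal needles from the Sigma rule. Sigma 'contains' is case-insensitive
# unless the 'cased' modifier is used, so both sides are lower-cased below.
SIGMA_NEEDLES = ("statement:alter server audit", "statement:drop server audit")

# Constructed sample records (hand-written, not captured from a real server).
# 'Data' is the whole message, as the rule's warning comment describes.
SAMPLE_EVENTS = [
    {  # audit switched off: the classic evasion step
        "Provider_Name": "MSSQLSERVER", "EventID": 33205,
        "Data": ("Audit event: event_time:2022-07-13 10:15:22.1234567\n"
                 "action_id:AL\nsucceeded:true\n"
                 "server_principal_name:CORP\\svc_backup\n"
                 "server_instance_name:SQL01\n"
                 "statement:ALTER SERVER AUDIT [Audit-AppLog] WITH (STATE = OFF)\n")},
    {  # audit object dropped, lower-case keywords
        "Provider_Name": "MSSQLSERVER", "EventID": 33205,
        "Data": ("Audit event: event_time:2022-07-13 10:16:01.0000000\n"
                 "action_id:DR\nsucceeded:true\n"
                 "server_principal_name:CORP\\svc_backup\n"
                 "server_instance_name:SQL01\n"
                 "statement:drop server audit [Audit-AppLog]\n")},
    {  # same action, tokens separated by a comment and double spaces:
       # valid T-SQL, but not a substring of either Sigma needle
        "Provider_Name": "MSSQLSERVER", "EventID": 33205,
        "Data": ("Audit event: event_time:2022-07-13 10:17:45.0000000\n"
                 "action_id:AL\nsucceeded:true\n"
                 "server_principal_name:CORP\\svc_backup\n"
                 "server_instance_name:SQL01\n"
                 "statement:ALTER/**/SERVER  AUDIT [Audit-AppLog] WITH (STATE = OFF)\n")},
    {  # benign audited statement with the same event id: must not alert
        "Provider_Name": "MSSQLSERVER", "EventID": 33205,
        "Data": ("Audit event: event_time:2022-07-13 10:18:00.0000000\n"
                 "action_id:SL\nsucceeded:true\n"
                 "server_principal_name:CORP\\app_user\n"
                 "server_instance_name:SQL01\n"
                 "statement:SELECT name FROM sys.server_audits\n")},
    {  # other event id from the same provider (constructed login failure): must not alert
        "Provider_Name": "MSSQLSERVER", "EventID": 18456,
        "Data": "Login failed for user 'sa'. Reason: Password did not match."},
]


def parse_audit_message(data: str) -> dict:
    """Turn the 'key:value' lines of a 33205 message into a dict. Only the
    first ':' on a line separates key from value, so timestamps survive."""
    fields = {}
    for line in data.splitlines():
        line = line.removeprefix("Audit event: ")
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def sigma_match(event: dict) -> bool:
    """The rule's selection exactly as written: provider, event id, substring."""
    if event.get("Provider_Name") != PROVIDER or event.get("EventID") != EVENT_ID:
        return False
    data = event.get("Data", "").lower()
    return any(needle in data for needle in SIGMA_NEEDLES)


_COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)


def normalize_statement(stmt: str) -> str:
    """Replace T-SQL comments with a space (they are token separators) and
    collapse runs of whitespace, so 'ALTER/**/SERVER  AUDIT' reads
    'ALTER SERVER AUDIT'. Case is preserved for reporting."""
    return " ".join(_COMMENT_RE.sub(" ", stmt).split())


def normalized_match(event: dict) -> bool:
    """Same selection, applied to the parsed and normalised 'statement' field."""
    if event.get("Provider_Name") != PROVIDER or event.get("EventID") != EVENT_ID:
        return False
    stmt = normalize_statement(parse_audit_message(event.get("Data", "")).get("statement", ""))
    return any(n in stmt.upper() for n in ("ALTER SERVER AUDIT", "DROP SERVER AUDIT"))


def triage(events: list) -> list:
    """One finding per matching event, with the fields an analyst needs and a
    flag showing whether the literal Sigma selection would also have fired."""
    findings = []
    for ev in events:
        if not normalized_match(ev):
            continue
        f = parse_audit_message(ev["Data"])
        stmt = normalize_statement(f.get("statement", ""))
        findings.append({
            "time": f.get("event_time"),
            "instance": f.get("server_instance_name"),
            "principal": f.get("server_principal_name"),
            "action": "drop" if "DROP SERVER AUDIT" in stmt.upper() else "alter",
            "succeeded": f.get("succeeded") == "true",
            "statement": stmt,
            "sigma_literal_match": sigma_match(ev),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Two practical notes. First, the event only exists if a server audit writing `TO APPLICATION_LOG` is enabled and the server audit specification includes `AUDIT_CHANGE_GROUP`; Microsoft's documentation states that any change to an audit is recorded in that audit, so the `STATE = OFF` statement is normally the last 33205 written before the log goes quiet, and a sudden stop in 33205 volume from an instance is itself worth alerting on. Second, because the needles are prefixes, the rule (and this code) also fires on `ALTER SERVER AUDIT SPECIFICATION` and `DROP SERVER AUDIT SPECIFICATION`, which is desirable: removing action groups from the specification is another way to blind the audit.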
