MSSQL Disable Audit Settings

Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server

Sigma rule (View on GitHub)

 1title: MSSQL Disable Audit Settings
 2id: 350dfb37-3706-4cdc-9e2e-5e24bc3a46df
 3status: test
 4description: Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server
 5references:
 6    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
 7    - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
 8    - https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022/07/13
11modified: 2024/06/26
12tags:
13    - attack.defense_evasion
14logsource:
15    product: windows
16    service: application
17    definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event in the application log'
18    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
19detection:
20    selection:
21        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
22        EventID: 33205
23        Data|contains:
24            - 'statement:ALTER SERVER AUDIT'
25            - 'statement:DROP SERVER AUDIT'
26    condition: selection
27falsepositives:
28    - This event should only fire when an administrator is modifying the audit policy. Which should be a rare occurrence once it's set up
29level: high

References

Related rules

to-top