MSSQL Server Failed Logon
Detects failed logon attempts from clients to MSSQL server.
Sigma rule (View on GitHub)
1title: MSSQL Server Failed Logon
2id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
3related:
4 - id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
5 type: similar
6status: experimental
7description: Detects failed logon attempts from clients to MSSQL server.
8references:
9 - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
10 - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
11author: Nasreddine Bencherchali (Nextron Systems), j4son
12date: 2023-10-11
13modified: 2024-06-26
14tags:
15 - attack.credential-access
16 - attack.t1110
17logsource:
18 product: windows
19 service: application
20 definition: 'Requirements: Must enable MSSQL authentication.'
21detection:
22 selection:
23 Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
24 EventID: 18456
25 condition: selection
26falsepositives:
27 - This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them
28level: low
References
-
Some MSSQL instance by default using "Network Service" to start MSSQL service. It will automatically generate both successful and failure logon from this account. It is advise not to explicit grant database permission to this service account, and monitoring other privilege account with database access.
Read More -
Find answers to EventID: 18456 - Failed to open the explicitly specified database from the expert community at Experts Exchange
Read More
Related rules
- Account Lockout
- Bitbucket User Login Failure
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- External Remote RDP Logon from Public IP