MSSQL Server Failed Logon
Detects failed logon attempts from clients to MSSQL server.
Sigma rule (View on GitHub)
1title: MSSQL Server Failed Logon
2id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
3related:
4 - id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
5 type: similar
6status: experimental
7description: Detects failed logon attempts from clients to MSSQL server.
8author: Nasreddine Bencherchali (Nextron Systems), j4son
9date: 2023/10/11
10references:
11 - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
12 - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
13tags:
14 - attack.credential_access
15 - attack.t1110
16logsource:
17 product: windows
18 service: application
19 definition: 'Requirements: Must enable MSSQL authentication.'
20detection:
21 selection:
22 Provider_Name: 'MSSQLSERVER'
23 EventID: 18456
24 condition: selection
25falsepositives:
26 - This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them
27level: low
References
Related rules
- Password Spray Activity
- HackTool - CrackMapExec Execution
- Failed Logins with Different Accounts from Single Source - Linux
- Sign-in Failure Bad Password Threshold
- HackTool - Hydra Password Bruteforce Execution