MSSQL Server Failed Logon
Detects failed logon attempts from clients to MSSQL server.
Sigma rule (View on GitHub)
1title: MSSQL Server Failed Logon
2id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
3related:
4 - id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
5 type: similar
6status: experimental
7description: Detects failed logon attempts from clients to MSSQL server.
8author: Nasreddine Bencherchali (Nextron Systems), j4son
9date: 2023/10/11
10references:
11 - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
12 - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
13tags:
14 - attack.credential_access
15 - attack.t1110
16logsource:
17 product: windows
18 service: application
19 definition: 'Requirements: Must enable MSSQL authentication.'
20detection:
21 selection:
22 Provider_Name: 'MSSQLSERVER'
23 EventID: 18456
24 condition: selection
25falsepositives:
26 - This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them
27level: low
References
-
Some MSSQL instance by default using "Network Service" to start MSSQL service. It will automatically generate both successful and failure logon from this account. It is advise not to explicit grant database permission to this service account, and monitoring other privilege account with database access.
Read More -
Find answers to EventID: 18456 - Failed to open the explicitly specified database from the expert community at Experts Exchange
Read More
Related rules
- Password Spray Activity
- HackTool - CrackMapExec Execution
- Failed Logins with Different Accounts from Single Source - Linux
- Sign-in Failure Bad Password Threshold
- HackTool - Hydra Password Bruteforce Execution