MSSQL Server Failed Logon From External Network

Aug 12, 2024 · attack.credential-access attack.t1110 ·

Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.

Sigma rule (View on GitHub)

 1title: MSSQL Server Failed Logon From External Network
 2id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
 3related:
 4    - id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
 5      type: similar
 6status: experimental
 7description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
 8references:
 9    - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
10    - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
11author: j4son
12date: 2023-10-11
13modified: 2024-06-26
14tags:
15    - attack.credential-access
16    - attack.t1110
17logsource:
18    product: windows
19    service: application
20    definition: 'Requirements: Must enable MSSQL authentication.'
21detection:
22    selection:
23        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
24        EventID: 18456
25    filter_main_local_ips:
26        Data|contains:
27            - 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8
28            - 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12
29            - 'CLIENT: 172.17.'
30            - 'CLIENT: 172.18.'
31            - 'CLIENT: 172.19.'
32            - 'CLIENT: 172.20.'
33            - 'CLIENT: 172.21.'
34            - 'CLIENT: 172.22.'
35            - 'CLIENT: 172.23.'
36            - 'CLIENT: 172.24.'
37            - 'CLIENT: 172.25.'
38            - 'CLIENT: 172.26.'
39            - 'CLIENT: 172.27.'
40            - 'CLIENT: 172.28.'
41            - 'CLIENT: 172.29.'
42            - 'CLIENT: 172.30.'
43            - 'CLIENT: 172.31.'
44            - 'CLIENT: 192.168.' # filter_range_IP: 192.168.0.0/16
45            - 'CLIENT: 127.' # filter_loop_back: 127.0.0.0/8
46            - 'CLIENT: 169.254.' # fileter_link-local_addressing: 169.254.0.0/16
47    condition: selection and not 1 of filter_main_*
48falsepositives:
49    - Unknown
50level: medium

References

Monitor MSSQL authentication with Splunk

Some MSSQL instance by default using "Network Service" to start MSSQL service. It will automatically generate both successful and failure logon from this account. It is advise not to explicit grant database permission to this service account, and monitoring other privilege account with database access.

Read More
Solved: EventID: 18456 - "Failed to open the explicitly specified database" | Experts Exchange

Find answers to EventID: 18456 - Failed to open the explicitly specified database from the expert community at Experts Exchange

Read More

MSSQL Server Failed Logon From External Network

Sigma rule (View on GitHub)

References

Monitor MSSQL authentication with Splunk

Solved: EventID: 18456 - &quot;Failed to open the explicitly specified database&quot; | Experts Exchange

Related rules

Solved: EventID: 18456 - "Failed to open the explicitly specified database" | Experts Exchange