MSSQL Server Failed Logon From External Network

 1title: MSSQL Server Failed Logon From External Network
 2id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
 3related:
 4    - id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
 5      type: similar
 6status: experimental
 7description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
 8author: j4son
 9date: 2023/10/11
10references:
11    - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
12    - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
13tags:
14    - attack.credential_access
15    - attack.t1110
16logsource:
17    product: windows
18    service: application
19    definition: 'Requirements: Must enable MSSQL authentication.'
20detection:
21    selection:
22        Provider_Name: 'MSSQLSERVER'
23        EventID: 18456
24    filter_main_local_ips:
25        Data|contains:
26            - 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8
27            - 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12
28            - 'CLIENT: 172.17.'
29            - 'CLIENT: 172.18.'
30            - 'CLIENT: 172.19.'
31            - 'CLIENT: 172.20.'
32            - 'CLIENT: 172.21.'
33            - 'CLIENT: 172.22.'
34            - 'CLIENT: 172.23.'
35            - 'CLIENT: 172.24.'
36            - 'CLIENT: 172.25.'
37            - 'CLIENT: 172.26.'
38            - 'CLIENT: 172.27.'
39            - 'CLIENT: 172.28.'
40            - 'CLIENT: 172.29.'
41            - 'CLIENT: 172.30.'
42            - 'CLIENT: 172.31.'
43            - 'CLIENT: 192.168.' # filter_range_IP: 192.168.0.0/16
44            - 'CLIENT: 127.' # filter_loop_back: 127.0.0.0/8
45            - 'CLIENT: 169.254.' # fileter_link-local_addressing: 169.254.0.0/16
46    condition: selection and not 1 of filter_main_*
47falsepositives:
48    - Unknown
49level: medium