detection.wiki

Detection rules › Sigma

SQL Server auditing deactivated

Status
experimental
Severity
high
Log source
product mssql, category application
Author
mdecrevoisier
Source
github.com/mdecrevoisier/SIGMA-detection-rules

Detects scenarios where an attacker deactivates SQL Server auditing capacities. SQL auditing requires previous configuration on each SQL instance.

MITRE ATT&CK coverage

TacticTechniques
StealthT1562.002 Impair Defenses: Disable Windows Event Logging

Event coverage

ProviderEvent
MSSQLSERVEREvent ID 33205

Rule body yaml

title: SQL Server auditing deactivated
description: Detects scenarios where an attacker deactivates SQL Server auditing capacities. SQL auditing requires previous configuration on each SQL instance.
references:
- https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0005-Defense%20Evasion/T1562.002-Disable%20Windows%20Event%20Logging
- https://www.ultimatewindowssecurity.com/sqlserver/auditlog/sampleevent.aspx
- https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action_id-groups-and-action_ids?view=sql-server-2017
- https://www.sqlshack.com/various-techniques-to-audit-sql-server-databases/
- https://sqlquantumleap.com/reference/server-audit-filter-values-for-action_id_id/
tags:
- attack.defense_evasion
- attack.t1562.002
author: mdecrevoisier
status: experimental
logsource:
  product: mssql
  category: application
detection:
  sql_server_event:
    EventID: 33205

  # Server audit specifications
  server_audit_spec_disabled:
    action_id: AL  # Alter
    class_type: SA # Server Audit Specifications
    statement|contains: 'STATE = OFF'

  server_audit_spec_deleted:
    action_id: DR  # Drop
    class_type: SA # Server Audit Specifications

  # Server audit object
  server_audit_obj_disabled:
    action_id: AL # Alter
    class_type: A # Server audit
    statement|contains: 'STATE = OFF'

  server_audit_obj_deleted:
    action_id: DR # Drop
    class_type: A # Server audit

  condition: sql_server_event and (1 of server_audit_*)
falsepositives:
- DBA policy change
level: high

Stages and Predicates

Stage 0: condition

sql_server_event and (1 of server_audit_*)

Stage 1: sql_server_event

sql_server_event:
  EventID: 33205

Stage 2: server_audit_spec_disabled

server_audit_spec_disabled:
  action_id: AL
  class_type: SA
  statement|contains: 'STATE = OFF'

Stage 3: server_audit_spec_deleted

server_audit_spec_deleted:
  action_id: DR
  class_type: SA

Stage 4: server_audit_obj_disabled

server_audit_obj_disabled:
  action_id: AL
  class_type: A
  statement|contains: 'STATE = OFF'

Stage 5: server_audit_obj_deleted

server_audit_obj_deleted:
  action_id: DR
  class_type: A

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
action_ideq
  • AL corpus 2 (sigma 2)
  • DR corpus 2 (sigma 2)
class_typeeq
  • A
  • SA
statementmatch
  • STATE = OFF corpus 2 (sigma 2)