detection.wiki

Detection rules › Sigma

SQL Server database auditing deactivated

Status
experimental
Severity
high
Log source
product mssql, category application
Author
mdecrevoisier
Source
github.com/mdecrevoisier/SIGMA-detection-rules

Detects scenarios where an attacker deactivates SQL Server database auditing capacities. SQL auditing requires previous configuration on each SQL instance.

MITRE ATT&CK coverage

TacticTechniques
StealthT1562.002 Impair Defenses: Disable Windows Event Logging

Event coverage

ProviderEvent
MSSQLSERVEREvent ID 33205

Rule body yaml

title: SQL Server database auditing deactivated
description: Detects scenarios where an attacker deactivates SQL Server database auditing capacities. SQL auditing requires previous configuration on each SQL instance.
references:
- https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0005-Defense%20Evasion/T1562.002-Disable%20Windows%20Event%20Logging
- https://www.ultimatewindowssecurity.com/sqlserver/auditlog/sampleevent.aspx
- https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions?view=sql-server-2017
- https://www.sqlshack.com/various-techniques-to-audit-sql-server-databases/
tags:
- attack.defense_evasion
- attack.t1562.002
author: mdecrevoisier
status: experimental
logsource:
  product: mssql
  category: application
detection:
  sql_server_event:
    EventID: 33205

  database_audit_spec_disable:
    action_id: AL   # Alter
    class_type: DA  # Database Audit Specification
    statement|contains: 'STATE = OFF'

  database_audit_spec_delete:
    action_id: DR   # Drop
    class_type: DA  # Database Audit Specification

  condition: sql_server_event and (database_audit_spec_disable or database_audit_spec_delete)
falsepositives:
- DBA policy change
level: high

Stages and Predicates

Stage 0: condition

sql_server_event and (database_audit_spec_disable or database_audit_spec_delete)

Stage 1: sql_server_event

sql_server_event:
  EventID: 33205

Stage 2: database_audit_spec_disable

database_audit_spec_disable:
  action_id: AL
  class_type: DA
  statement|contains: 'STATE = OFF'

Stage 3: database_audit_spec_delete

database_audit_spec_delete:
  action_id: DR
  class_type: DA

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
action_ideq
  • AL corpus 2 (sigma 2)
  • DR corpus 2 (sigma 2)
class_typeeq
  • DA
statementmatch
  • STATE = OFF corpus 2 (sigma 2)