Detection / high / test
MSSQL Disable Audit Settings
Detects execution of the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" statement, which an attacker can use to disable or delete audit logging on the server
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Wed Jul 13
Updated: Wed Jun 26
Rule ID: 350dfb37-3706-4cdc-9e2e-5e24bc3a46df
Product: windows
Log Source
Product: windows
Service: application
Definition
Requirements: MSSQL audit policy must be enabled in order to receive this event in the application log
Detection Logic
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 33205
        Data|contains:
            - 'statement:ALTER SERVER AUDIT'
            - 'statement:DROP SERVER AUDIT'
    condition: selection
False Positives
This event should only fire when an administrator modifies the audit policy, which should be a rare occurrence once auditing is set up.
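To show how the selection above behaves on real-looking records, here is an added example (not part of the SigmaHQ rule) that applies the rule's three conditions to constructed Windows Application-log events and pulls the actor and statement out of the event's Data field for alert context. The key:value layout of the Data blob and the field names (server_principal_name, action_id) are assumptions modelled on SQL Server audit output; AppEvent, matches_rule and find_alerts are names introduced here.

```python
from dataclasses import dataclass

EVENT_ID = 33205
AUDIT_STATEMENTS = ("statement:ALTER SERVER AUDIT", "statement:DROP SERVER AUDIT")

@dataclass
class AppEvent:
    provider_name: str  # e.g. "MSSQLSERVER" or "MSSQL$<instance>" (named instance)
    event_id: int
    data: str           # newline-separated key:value pairs (constructed layout)

def contains_ci(haystack: str, needle: str) -> bool:
    # Sigma string modifiers such as |contains match case-insensitively
    return needle.lower() in haystack.lower()

def matches_rule(ev: AppEvent) -> bool:
    """Mirror of the rule's single selection: all three conditions must hold."""
    return (contains_ci(ev.provider_name, "MSSQL")  # also covers MSSQL$<instance>
            and ev.event_id == EVENT_ID
            and any(contains_ci(ev.data, s) for s in AUDIT_STATEMENTS))

def parse_audit_data(data: str) -> dict[str, str]:
    """Split the Data blob into fields; the statement itself may contain ':'."""
    fields = {}
    for line in data.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def find_alerts(events: list[AppEvent]) -> list[dict[str, str]]:
    """Return who ran which audit-tampering statement, for matching events only."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            f = parse_audit_data(ev.data)
            alerts.append({"login": f.get("server_principal_name", "?"),
                           "statement": f.get("statement", "?")})
    return alerts

# Constructed sample records (field names modelled on SQL Server audit output)
SAMPLE_EVENTS = [
    AppEvent("MSSQLSERVER", 33205, "action_id:AL\nserver_principal_name:CORP\\dba\n"
             "statement:ALTER SERVER AUDIT [Audit-Main] WITH (STATE = OFF)"),
    AppEvent("MSSQL$SQLEXPRESS", 33205, "action_id:DR\nserver_principal_name:sa\n"
             "statement:drop server audit [Audit-Main]"),
    AppEvent("MSSQLSERVER", 33205, "action_id:CR\nserver_principal_name:CORP\\dba\n"
             "statement:CREATE SERVER AUDIT [Audit-Main] TO APPLICATION_LOG"),
    AppEvent("MSSQLSERVER", 18454, "Login succeeded for user 'CORP\\dba'."),
]
```

Only the first two records match: the named-instance provider and the lower-case statement are still caught, while the CREATE statement and the unrelated 18454 login event are not.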
MITRE ATT&CK
Tactics: Defense Evasion
Rule Metadata
Rule ID
350dfb37-3706-4cdc-9e2e-5e24bc3a46df
Status
test
Level
high
Type
Detection
Created
Wed Jul 13
Modified
Wed Jun 26
Path
rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml
Raw Tags
attack.defense-evasion