Detectionhightest

OpenCanary - MSSQL Login Attempt Via Windows Authentication

Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Security Onion SolutionsCreated Fri Mar 086e78f90f-0043-4a01-ac41-f97681613a66application

Log Source

opencanaryapplication

Productopencanary← raw: opencanary

Categoryapplication← raw: application

Detection Logic

detection:
    selection:
        logtype: 9002
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

6e78f90f-0043-4a01-ac41-f97681613a66

Status

test

Level

high

Type

Detection

Created

Fri Mar 08

Author

Path

rules/application/opencanary/opencanary_mssql_login_winauth.yml

Raw Tags

attack.credential-accessattack.collectionattack.t1003attack.t1213