Detectionmediumtest
MSSQL Server Failed Logon From External Network
Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
Windowsapplication
ProductWindows← raw: windows
Serviceapplication← raw: application
Definition
Requirements: Must enable MSSQL authentication.
Detection Logic
Detection Logic2 selectors
detection:
selection:
Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
EventID: 18456
filter_main_local_ips:
Data|contains:
- 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8
- 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12
- 'CLIENT: 172.17.'
- 'CLIENT: 172.18.'
- 'CLIENT: 172.19.'
- 'CLIENT: 172.20.'
- 'CLIENT: 172.21.'
- 'CLIENT: 172.22.'
- 'CLIENT: 172.23.'
- 'CLIENT: 172.24.'
- 'CLIENT: 172.25.'
- 'CLIENT: 172.26.'
- 'CLIENT: 172.27.'
- 'CLIENT: 172.28.'
- 'CLIENT: 172.29.'
- 'CLIENT: 172.30.'
- 'CLIENT: 172.31.'
- 'CLIENT: 192.168.' # filter_range_IP: 192.168.0.0/16
- 'CLIENT: 127.' # filter_loop_back: 127.0.0.0/8
- 'CLIENT: 169.254.' # fileter_link-local_addressing: 169.254.0.0/16
- 'CLIENT: <local machine>'
condition: selection and not 1 of filter_main_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
Status
test
Level
medium
Type
Detection
Created
Wed Oct 11
Modified
Wed May 28
Author
Path
rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml
Raw Tags
attack.credential-accessattack.t1110