
Summary
This rule detects an attacker establishing persistent administrative access to Microsoft SQL Server (MSSQL) by adding a login to the sysadmin fixed server role. It relies on SQL Server Audit: when an audit is configured to write to the Windows Application log, each audited action is recorded as Event ID 33205 from the SQL Server provider, and changes to server role membership are captured by the SERVER_ROLE_MEMBER_CHANGE_GROUP audit action group. The rule matches 33205 events whose recorded statement contains 'alter server role [sysadmin] add member'. Adding a login to sysadmin is a common post-compromise step: the new member has full control of the instance, and the attacker keeps that access even if the original entry point is closed.

For this detection to work, a server audit with an audit specification covering role membership changes must be enabled and must target the Application log; without it no 33205 events are produced and the rule is silent. Legitimate administration also adds members to sysadmin, so the rule can produce false positives during rare planned changes; these should be confirmed against change records rather than tuned out. The matched action is not an exploit of a software flaw: the attacker must already control a login that is itself permitted to change sysadmin membership, and the rule catches the attempt to turn that foothold into durable, unnoticed control. It is classified as high severity because a successful sysadmin addition gives complete control over the data and configuration of the instance.
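As an added worked example (not part of the original rule or its project), the following Python applies the rule's logic to a handful of constructed Application-log events and contrasts the literal substring match with a whitespace- and bracket-tolerant variant. The event field names and the message layout are assumptions modelled loosely on SQL Server Audit records; real events carry many more fields.

```python
"""Run the MSSQL sysadmin-addition detection over constructed sample events.

Added illustration, not the rule's own code.  The dicts below are constructed
to resemble SQL Server Audit records written to the Windows Application log
(Event ID 33205); the field names and the 'statement:' layout are assumptions.
"""
import re

# Constructed sample events.  In a SIEM these would be parsed from the
# Application log; only EventID and Message matter for the rule.
SAMPLE_EVENTS = [
    # 0: the attack the rule is written for
    {"EventID": 33205, "Provider": "MSSQLSERVER",
     "Message": "server_principal_name:CORP\\dbadmin "
                "statement:ALTER SERVER ROLE [sysadmin] ADD MEMBER [svc_backup_x]"},
    # 1: same role, but a removal; must not match
    {"EventID": 33205, "Provider": "MSSQLSERVER",
     "Message": "statement:ALTER SERVER ROLE [sysadmin] DROP MEMBER [old_dba]"},
    # 2: addition to a less privileged fixed role; must not match
    {"EventID": 33205, "Provider": "MSSQLSERVER",
     "Message": "statement:ALTER SERVER ROLE [dbcreator] ADD MEMBER [app_user]"},
    # 3: same effect as 0, written without brackets and with doubled whitespace;
    #    the audit records the statement as typed, so this evades the literal match
    {"EventID": 33205, "Provider": "MSSQL$INST01",
     "Message": "statement:alter  server role sysadmin add member [svc_backup_x]"},
    # 4: unrelated event from the same provider
    {"EventID": 18456, "Provider": "MSSQLSERVER",
     "Message": "Login failed for user 'sa'."},
]

# The rule's literal pattern (Sigma 'contains' is case-insensitive).
LITERAL = "alter server role [sysadmin] add member"

# Tolerant variant: optional [] or "" around the role name, any whitespace between keywords.
TOLERANT = re.compile(
    r"alter\s+server\s+role\s+[\[\"]?sysadmin[\]\"]?\s+add\s+member",
    re.IGNORECASE,
)


def matches_literal(event):
    """The rule as written: Event ID 33205 plus a case-insensitive substring match."""
    return event["EventID"] == 33205 and LITERAL in event["Message"].lower()


def matches_tolerant(event):
    """Same rule with the tolerant regex in place of the literal substring."""
    return event["EventID"] == 33205 and TOLERANT.search(event["Message"]) is not None


def run(events, matcher):
    """Return the 0-based indexes of the events a matcher flags."""
    return [i for i, e in enumerate(events) if matcher(e)]


if __name__ == "__main__":
    print("literal rule :", run(SAMPLE_EVENTS, matches_literal))   # [0]
    print("tolerant rule:", run(SAMPLE_EVENTS, matches_tolerant))  # [0, 3]
```

The literal pattern catches the canonical statement but misses event 3, which performs the identical privilege change with different formatting; if the rule is deployed as a string match, pairing it with the tolerant form (or with a separate alert on any sysadmin membership change) closes that gap.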
Categories
- Database
- Application
Data Sources
- Application Log
Created: 2022-07-13