MSSQL Server Dedicated Admin Connection (DAC) mode activated
About the rule
Rule Type
Standard
Rule Description
Detects scenarios where an attacker enables the DAC mode to bypass access controls, trigger logons, perform brute force attacks or run unauthorized queries.
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "sa_sql_configuration_change" AND (OBJECTNAME contains "remote admin connections")
select Action1.USERNAME,Action1.MESSAGE,Action1.DOMAIN,Action1.HOSTNAME,Action1.OBJECTNAME,Action1.OLDVALUE,Action1.NEWVALUE
Detection
Execution Mode
Realtime
Log Sources
SQL Server
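The Action1 criteria above can be checked offline against SQL Server's configuration-change message (message 15457). The following is an added example, not the product's own rule engine; the input event shape (`host`, `domain`, `user`, `message`), the function names, the case-insensitive match and the `enabled` triage field are assumptions made for illustration.

```python
import re

# SQL Server message 15457, logged when sp_configure changes an option.
CONFIG_CHANGE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from "
    r"(?P<old>-?\d+) to (?P<new>-?\d+)\."
)

def parse_config_change(event):
    """Map a raw event to the rule's fields; None if it is not a config change."""
    m = CONFIG_CHANGE.search(event.get("message", ""))
    if not m:
        return None
    return {
        "actionname": "sa_sql_configuration_change",
        "USERNAME": event.get("user", ""),
        "DOMAIN": event.get("domain", ""),
        "HOSTNAME": event.get("host", ""),
        "MESSAGE": event["message"],
        "OBJECTNAME": m.group("option"),
        "OLDVALUE": int(m.group("old")),
        "NEWVALUE": int(m.group("new")),
    }

def dac_rule(events):
    """Action1: config change whose OBJECTNAME contains 'remote admin connections'."""
    hits = []
    for raw in events:
        rec = parse_config_change(raw)
        # Case-insensitive "contains" is an assumption about the rule engine.
        if rec and "remote admin connections" in rec["OBJECTNAME"].lower():
            # Triage hint added here (not part of the rule): 0 -> 1 turns the option on.
            rec["enabled"] = rec["OLDVALUE"] == 0 and rec["NEWVALUE"] == 1
            hits.append(rec)
    return hits

# Constructed sample events (hosts, users and domain are made up).
_TAIL = " Run the RECONFIGURE statement to install."
def _ev(host, user, msg):
    return {"host": host, "domain": "CORP", "user": user, "message": msg}

SAMPLE = [
    _ev("SQL01", "svc_app", "Configuration option 'remote admin connections' changed from 0 to 1." + _TAIL),
    _ev("SQL01", "dba1", "Configuration option 'show advanced options' changed from 0 to 1." + _TAIL),
    _ev("SQL02", "dba1", "Configuration option 'remote admin connections' changed from 1 to 0." + _TAIL),
    _ev("SQL02", "", "Login failed for user 'sa'. Reason: Password did not match."),
]
```

The rule as written fires on any change to the option, so the disable event on SQL02 also matches; the `enabled` field separates the two during triage.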


