MSSQL Server - Instance level privilege grant detected
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects scenarios where an attacker grants new server-level privileges on a SQL instance, which could indicate persistence or privilege escalation activity.
Severity
Attention
Rule Requirement
Criteria
Action1:
actionname = "MSSQL Operation" AND (ACTIONID = "G,GWG" AND CLASSTYPE = "SR")
select Action1.USERNAME,Action1.MESSAGE,Action1.DOMAIN,Action1.HOSTNAME,Action1.STATEMENT,Action1.OBJECTNAME,Action1.SCHEMANAME,Action1.DATABASENAME,Action1.INSTANCENAME,Action1.CLASSTYPE,Action1.ACTIONID
Detection
Execution Mode
realtime
Log Sources
SQL Server


