MSSQL Server - Instance level privilege grant detected

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects scenarios where an attacker grants new server-level privileges on a SQL instance, which could indicate persistence or privilege escalation activity.

Severity

Attention

Rule Requirement

Criteria

Action1: actionname = "MSSQL Operation" AND (ACTIONID = "G,GWG" AND CLASSTYPE = "SR") select Action1.USERNAME,Action1.MESSAGE,Action1.DOMAIN,Action1.HOSTNAME,Action1.STATEMENT,Action1.OBJECTNAME,Action1.SCHEMANAME,Action1.DATABASENAME,Action1.INSTANCENAME,Action1.CLASSTYPE,Action1.ACTIONID

Detection

Execution Mode

realtime

Log Sources

SQL Server