database administrators frequently make legitimate configuration changes for maintenance, performance tuning, and security hardening. to reduce false positives, establish a baseline of normal configuration changes, document approved configuration modifications, implement change control procedures, and maintain an inventory of expected settings.

Techniques

T1505.001

Sample rules

Windows SQL Server Configuration Option Hunt

source: splunk
technicques:
- T1505.001

Description

This detection helps hunt for changes to SQL Server configuration options that could indicate malicious activity. It monitors for modifications to any SQL Server configuration settings, allowing analysts to identify potentially suspicious changes that may be part of an attack, such as enabling dangerous features or modifying security-relevant settings.

Detection logic

`wineventlog_application` EventCode=15457 
| rex field=EventData_Xml "<Data>(?<config_name>[^<]+)</Data><Data>(?<new_value>[^<]+)</Data><Data>(?<old_value>[^<]+)</Data>" 
| rename host as dest 
| eval change_type=case( old_value="0" AND new_value="1", "enabled", old_value="1" AND new_value="0", "disabled", true(), "modified" ) 
| eval risk_score=case( change_type="enabled", 90, change_type="disabled", 60, true(), 70 ) 
| eval risk_message="SQL Server ".config_name." was ".change_type." on host ".dest 
| stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode config_name change_type risk_message risk_score 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_sql_server_configuration_option_hunt_filter`