LoFP / rare legitimate administrative activity

Techniques

Sample rules

MSSQL Add Account To Sysadmin Role

source: sigma
technicques:

Description

Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role

Detection logic

condition: selection
selection:
  Data|contains|all:
  - object_name:sysadmin
  - 'statement:alter server role [sysadmin] add member '
  EventID: 33205
  Provider_Name|contains: MSSQL