Vendor: Microsoft

July 25, 2023

Product: Microsoft SQL Server

| Rules | Models | MITRE TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 7 | 2 | 3 | 7 | 7 |

Use-Case | Event Types/Parsers | MITRE TTP | Content
Compromised Credentials

database-access
cef-mssql-database-access

database-activity-failed
mssql-database-query-2

database-delete
cef-microsoft-database-delete

database-failed-login
cef-microsoft-database-failed-login
xml-mssql-database-login
xml-mssql-database-login-1
mssql-database-login-1
s-microsoft-database-login

database-login
s-database-login-18454
s-database-login-18453
cef-syslog-microsoft-db-login
cef-syslog-microsoft-db-impersonate
mssql-database-login
cef-microsoft-database-login
xml-mssql-database-login
xml-mssql-database-login-1
cef-mssql-database-login
s-microsoft-database-login

database-query
xml-mssql-database-login
mssql-database-query-3
mssql-database-query-2

failed-app-login
s-failed-app-login
exalms-sqlserver-failed-login
T1078 - Valid Accounts
T1133 - External Remote Services
  • 3 Rules
  • 2 Models
Data Access

database-access
cef-mssql-database-access

database-activity-failed
mssql-database-query-2

database-delete
cef-microsoft-database-delete

database-failed-login
cef-microsoft-database-failed-login
xml-mssql-database-login
xml-mssql-database-login-1
mssql-database-login-1
s-microsoft-database-login

database-login
s-database-login-18454
s-database-login-18453
cef-syslog-microsoft-db-login
cef-syslog-microsoft-db-impersonate
mssql-database-login
cef-microsoft-database-login
xml-mssql-database-login
xml-mssql-database-login-1
cef-mssql-database-login
s-microsoft-database-login

database-query
xml-mssql-database-login
mssql-database-query-3
mssql-database-query-2

failed-app-login
s-failed-app-login
exalms-sqlserver-failed-login
T1078 - Valid Accounts
  • 1 Rule
Evasion

database-access
cef-mssql-database-access

database-activity-failed
mssql-database-query-2

database-delete
cef-microsoft-database-delete

database-failed-login
cef-microsoft-database-failed-login
xml-mssql-database-login
xml-mssql-database-login-1
mssql-database-login-1
s-microsoft-database-login

database-login
s-database-login-18454
s-database-login-18453
cef-syslog-microsoft-db-login
cef-syslog-microsoft-db-impersonate
mssql-database-login
cef-microsoft-database-login
xml-mssql-database-login
xml-mssql-database-login-1
cef-mssql-database-login
s-microsoft-database-login

database-query
xml-mssql-database-login
mssql-database-query-3
mssql-database-query-2

failed-app-login
s-failed-app-login
exalms-sqlserver-failed-login
T1090.003 - Proxy: Multi-hop Proxy
  • 1 Rule
Malware

database-access
cef-mssql-database-access

database-activity-failed
mssql-database-query-2

database-delete
cef-microsoft-database-delete

database-failed-login
cef-microsoft-database-failed-login
xml-mssql-database-login
xml-mssql-database-login-1
mssql-database-login-1
s-microsoft-database-login

database-login
s-database-login-18454
s-database-login-18453
cef-syslog-microsoft-db-login
cef-syslog-microsoft-db-impersonate
mssql-database-login
cef-microsoft-database-login
xml-mssql-database-login
xml-mssql-database-login-1
cef-mssql-database-login
s-microsoft-database-login

database-query
xml-mssql-database-login
mssql-database-query-3
mssql-database-query-2

failed-app-login
s-failed-app-login
exalms-sqlserver-failed-login
T1090.003 - Proxy: Multi-hop Proxy
  • 1 Rule
Privilege Abuse

database-access
cef-mssql-database-access

database-activity-failed
mssql-database-query-2

database-delete
cef-microsoft-database-delete

database-failed-login
cef-microsoft-database-failed-login
xml-mssql-database-login
xml-mssql-database-login-1
mssql-database-login-1
s-microsoft-database-login

database-login
s-database-login-18454
s-database-login-18453
cef-syslog-microsoft-db-login
cef-syslog-microsoft-db-impersonate
mssql-database-login
cef-microsoft-database-login
xml-mssql-database-login
xml-mssql-database-login-1
cef-mssql-database-login
s-microsoft-database-login

database-query
xml-mssql-database-login
mssql-database-query-3
mssql-database-query-2

failed-app-login
s-failed-app-login
exalms-sqlserver-failed-login
T1078 - Valid Accounts
  • 1 Rule
Privileged Activity

database-access
cef-mssql-database-access

database-activity-failed
mssql-database-query-2

database-delete
cef-microsoft-database-delete

database-failed-login
cef-microsoft-database-failed-login
xml-mssql-database-login
xml-mssql-database-login-1
mssql-database-login-1
s-microsoft-database-login

database-login
s-database-login-18454
s-database-login-18453
cef-syslog-microsoft-db-login
cef-syslog-microsoft-db-impersonate
mssql-database-login
cef-microsoft-database-login
xml-mssql-database-login
xml-mssql-database-login-1
cef-mssql-database-login
s-microsoft-database-login

database-query
xml-mssql-database-login
mssql-database-query-3
mssql-database-query-2

failed-app-login
s-failed-app-login
exalms-sqlserver-failed-login
T1078 - Valid Accounts
  • 1 Rule
Ransomware

database-access
cef-mssql-database-access

database-activity-failed
mssql-database-query-2

database-delete
cef-microsoft-database-delete

database-failed-login
cef-microsoft-database-failed-login
xml-mssql-database-login
xml-mssql-database-login-1
mssql-database-login-1
s-microsoft-database-login

database-login
s-database-login-18454
s-database-login-18453
cef-syslog-microsoft-db-login
cef-syslog-microsoft-db-impersonate
mssql-database-login
cef-microsoft-database-login
xml-mssql-database-login
xml-mssql-database-login-1
cef-mssql-database-login
s-microsoft-database-login

database-query
xml-mssql-database-login
mssql-database-query-3
mssql-database-query-2

failed-app-login
s-failed-app-login
exalms-sqlserver-failed-login
T1078 - Valid Accounts
  • 1 Rule

ATT&CK Matrix for Enterprise

| Tactic | Techniques |
|---|---|
| Initial Access | External Remote Services; Valid Accounts |
| Execution | |
| Persistence | External Remote Services; Valid Accounts |
| Privilege Escalation | Valid Accounts |
| Defense Evasion | Valid Accounts |
| Credential Access | |
| Discovery | |
| Lateral Movement | |
| Collection | |
| Command and Control | Proxy: Multi-hop Proxy; Proxy |
| Exfiltration | |
| Impact | |