Windows MSSQL add sysadmin account

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects when an account is added to the sysadmin server role in Microsoft SQL Server, which grants the highest privileges within the database environment.

Strategy

This rule monitors Windows event logs for SQL Server audit events with ID 33205 that contain indicators of the sysadmin role being modified. Specifically, it looks for events where the object_name is sysadmin and the SQL statement includes alter server role [sysadmin] add member. Adding a user to the sysadmin server role grants them complete control over the SQL Server instance, including the ability to execute arbitrary commands on the underlying operating system. Attackers who gain access to SQL credentials often attempt to escalate their privileges to sysadmin to establish persistence and expand their access within an environment.
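The detection logic above, as an added Python example that is not Datadog's rule implementation: it parses the key:value body of a Windows event 33205 record, checks object_name, and matches the ALTER SERVER ROLE statement. The record field names (host, event_id, message) and the sample events are constructed for illustration; the pattern goes slightly beyond the page by also accepting the statement without square brackets.

```python
import re

# The statement the rule keys on, with optional brackets and flexible whitespace;
# group 1 captures the principal added (assumed to contain no spaces, ']' or ';').
SYSADMIN_ADD_RE = re.compile(
    r"alter\s+server\s+role\s+\[?sysadmin\]?\s+add\s+member\s+\[?([^\]\s;]+)\]?",
    re.IGNORECASE,
)

def parse_audit_message(message: str) -> dict:
    """Parse the 'key:value' lines of a SQL Server audit (event 33205) body."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def detect_sysadmin_add(event: dict):
    """Apply the rule to one Windows event record; return a finding dict or None."""
    if event.get("event_id") != 33205:
        return None
    fields = parse_audit_message(event.get("message", ""))
    if fields.get("object_name", "").lower() != "sysadmin":
        return None
    match = SYSADMIN_ADD_RE.search(fields.get("statement", ""))
    if not match:
        return None  # e.g. DROP MEMBER, or another statement touching sysadmin
    return {
        "host": event.get("host", "?"),
        "actor": fields.get("server_principal_name", "?"),  # who ran the statement
        "new_member": match.group(1),                      # who gained sysadmin
        "statement": fields["statement"],
    }

def scan(events) -> list:
    # Run the rule over a batch of event records and keep only the hits.
    return [f for f in map(detect_sysadmin_add, events) if f]

# Constructed sample records in the key:value layout SQL Server audit writes
# to the Windows Application log (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "sql01", "event_id": 33205, "message":
     "server_principal_name:sa\nobject_name:sysadmin\n"
     "statement:ALTER SERVER ROLE [sysadmin] ADD MEMBER [CONTOSO\\svc_backup]"},
    {"host": "sql01", "event_id": 33205, "message":
     "server_principal_name:CONTOSO\\dba\nobject_name:sysadmin\n"
     "statement:ALTER SERVER ROLE [sysadmin] DROP MEMBER [CONTOSO\\old_admin]"},
    {"host": "sql02", "event_id": 33204, "message": "statement:"},
]
```

The actor and new_member fields map directly onto the first and third triage steps below.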

Triage & Response

  • Identify which account was added to the sysadmin role by examining the event details on {{host}}.
  • Verify whether this action was authorized through a change management process.
  • Determine who executed the role change command by analyzing the SQL Server audit logs.
  • Check if the account is a legitimate administrative account that should have sysadmin privileges.
  • Review recent activity from both the account that executed the change and the account that received sysadmin privileges.
  • Review all stored procedures and jobs created or modified by the suspicious account.
  • Reset credentials for any compromised accounts.