MSSQL is still a thing
TheDFIRReport recently posted an article regarding BlueSky ransomware being deployed following MSSQL being brute forced. I’m always interested in things like this because it’s possible that the author will provide clear observables so that folks can consider the information in light of their infrastructure, and write EDR detections, or create filter rules for DFIR work, etc. In this case, I was interested to see how they’d gone about determining that MSSQL had been brute forced.
You’ll have to bear with me…this is one of those write-ups where images and figures aren’t numbered. However, in the section marked “Initial Access”, there’s some really good information shared, specifically where it says, “SQL Server event ID 18456 Failure Audit Events in the Windows application logs:”. What they’re looking at are MSSQLServer/18456 events in the Application Event Log, indicating a failed login attempt to the SQL Server instance (as opposed to the OS). Two things worth knowing when you go looking for these yourself: a default instance writes them with the source name “MSSQLSERVER”, while a named instance uses “MSSQL$<InstanceName>”, and the message text carries the account name, the failure reason, and a “[CLIENT: …]” address, which is what lets you tell a remote brute force from a local service account fumbling its password. Those 18456 events are why I wrote the Events Ripper mssql.pl plugin. I’d seen a number of systems running Veeam and MSSQL, and needed a straightforward, consistent, repeatable means to determine if a compromise of Veeam was the culprit, or if something else had occurred.
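To make the triage concrete, here is an added example (written for this post; it is not the Events Ripper mssql.pl plugin and not anything from the DFIR Report write-up) that does the same thing in Python over exported Application log records: keep only event 18456 from an MSSQLSERVER or MSSQL$<instance> source, pull the user, reason and CLIENT address out of the message text, and flag any client address that produced a burst of failures inside a sliding window. The event records, addresses and account names are constructed sample data; only the message format is SQL Server’s own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Message text of SQL Server event 18456 ("Login failed for user ...").
# The trailing [CLIENT: ...] field carries the source address; it is
# optional here so a message without it still parses.
MSG_RE = re.compile(
    r"Login failed for user '(?P<user>[^']*)'\."
    r"(?:\s*Reason:\s*(?P<reason>.*?))?"
    r"(?:\s*\[CLIENT:\s*(?P<client>[^\]]+)\])?\s*$"
)


def is_sql_login_failure(provider, event_id):
    """True for 18456 from a default instance (MSSQLSERVER) or a named one (MSSQL$NAME)."""
    return event_id == 18456 and (provider == "MSSQLSERVER" or provider.startswith("MSSQL$"))


def parse_18456(message):
    """Return (user, reason, client) from an 18456 message, or None if it does not parse."""
    m = MSG_RE.match(message.strip())
    if not m:
        return None
    return (m.group("user"),
            (m.group("reason") or "").strip(),
            (m.group("client") or "<unknown>").strip())


def find_bruteforce(records, threshold=5, window=timedelta(minutes=5)):
    """Tally 18456 events per client address and mark any client that produced
    `threshold` or more failures inside a span of length `window`.
    records: iterable of dicts with keys time (datetime), provider, event_id, message."""
    per_client = {}
    recent = defaultdict(deque)          # client -> timestamps inside the window
    for rec in sorted(records, key=lambda r: r["time"]):
        if not is_sql_login_failure(rec["provider"], rec["event_id"]):
            continue                     # other MSSQL events, other sources
        parsed = parse_18456(rec["message"])
        if parsed is None:
            continue                     # 18456 with an unexpected message body
        user, reason, client = parsed
        stats = per_client.setdefault(client, {
            "failures": 0, "users": set(), "reasons": set(),
            "first": rec["time"], "last": rec["time"],
            "peak": 0, "brute_force": False})
        stats["failures"] += 1
        stats["users"].add(user)
        stats["reasons"].add(reason)
        stats["last"] = rec["time"]
        q = recent[client]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:
            q.popleft()                  # drop failures that fell out of the window
        stats["peak"] = max(stats["peak"], len(q))
        if len(q) >= threshold:
            stats["brute_force"] = True
    return per_client


def sample_records():
    """Constructed sample events; not taken from any real system."""
    t0 = datetime(2022, 8, 1, 3, 14, 0)

    def ev(sec, provider, event_id, message):
        return {"time": t0 + timedelta(seconds=sec), "provider": provider,
                "event_id": event_id, "message": message}

    pw = "Password did not match that for the login provided."
    recs = [ev(20 * i, "MSSQLSERVER", 18456,
               f"Login failed for user 'sa'. Reason: {pw} [CLIENT: 192.0.2.10]")
            for i in range(6)]           # six 'sa' failures in 100 seconds
    recs += [
        ev(5, "MSSQLSERVER", 17137, "Starting up database 'tempdb'."),   # ignored
        ev(90, "MSSQLSERVER", 18456,
           "Login failed for user 'app_user'. Reason: Could not find a login "
           "matching the name provided. [CLIENT: 10.0.0.5]"),
        ev(130, "MSSQL$SQLEXPRESS", 18456,                               # named instance
           f"Login failed for user 'admin'. Reason: {pw} [CLIENT: 198.51.100.7]"),
        ev(200, "MSSQLSERVER", 18456,
           "Login failed for user 'NT AUTHORITY\\SYSTEM'. Reason: Failed to open the "
           "explicitly specified database 'reports'. [CLIENT: <local machine>]"),
    ]
    return recs


if __name__ == "__main__":
    for client, s in find_bruteforce(sample_records()).items():
        flag = "BRUTE FORCE" if s["brute_force"] else "ok"
        print(f"{client:16} {s['failures']:3d} failures, peak {s['peak']} in window, "
              f"users={sorted(s['users'])}, {s['first']:%H:%M:%S}-{s['last']:%H:%M:%S} {flag}")
```

The threshold and window are deliberately loose defaults; on a server that fronts a busy application you will want to tune them against the normal rate of 18456 noise before trusting the flag, and on a box where login auditing was changed from the default (failed logins only) you may see far fewer or far more of these events than the attack actually generated.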
Read the original article: