EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

MSSQL Server Failed Logon From External Network

Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.

MITRE ATT&CK

T1110
credential-access

Detection Query

selection:
  Provider_Name|contains: MSSQL
  EventID: 18456
filter_main_local_ips:
  Data|contains:
    - "CLIENT: 10."
    - "CLIENT: 172.16."
    - "CLIENT: 172.17."
    - "CLIENT: 172.18."
    - "CLIENT: 172.19."
    - "CLIENT: 172.20."
    - "CLIENT: 172.21."
    - "CLIENT: 172.22."
    - "CLIENT: 172.23."
    - "CLIENT: 172.24."
    - "CLIENT: 172.25."
    - "CLIENT: 172.26."
    - "CLIENT: 172.27."
    - "CLIENT: 172.28."
    - "CLIENT: 172.29."
    - "CLIENT: 172.30."
    - "CLIENT: 172.31."
    - "CLIENT: 192.168."
    - "CLIENT: 127."
    - "CLIENT: 169.254."
    - "CLIENT: <local machine>"
condition: selection and not 1 of filter_main_*

Author

j4son

Created

2023-10-11

Data Sources

windowsapplication

Platforms

windows

References

Tags

attack.credential-accessattack.t1110
Raw Content
title: MSSQL Server Failed Logon From External Network
id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
related:
    - id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
      type: similar
status: test
description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
references:
    - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
    - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
author: j4son
date: 2023-10-11
modified: 2025-05-28
tags:
    - attack.credential-access
    - attack.t1110
logsource:
    product: windows
    service: application
    definition: 'Requirements: Must enable MSSQL authentication.'
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 18456
    filter_main_local_ips:
        Data|contains:
            - 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8
            - 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12
            - 'CLIENT: 172.17.'
            - 'CLIENT: 172.18.'
            - 'CLIENT: 172.19.'
            - 'CLIENT: 172.20.'
            - 'CLIENT: 172.21.'
            - 'CLIENT: 172.22.'
            - 'CLIENT: 172.23.'
            - 'CLIENT: 172.24.'
            - 'CLIENT: 172.25.'
            - 'CLIENT: 172.26.'
            - 'CLIENT: 172.27.'
            - 'CLIENT: 172.28.'
            - 'CLIENT: 172.29.'
            - 'CLIENT: 172.30.'
            - 'CLIENT: 172.31.'
            - 'CLIENT: 192.168.' # filter_range_IP: 192.168.0.0/16
            - 'CLIENT: 127.' # filter_loop_back: 127.0.0.0/8
            - 'CLIENT: 169.254.' # fileter_link-local_addressing: 169.254.0.0/16
            - 'CLIENT: <local machine>'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium