{"id":7029,"date":"2025-10-07T16:59:00","date_gmt":"2025-10-07T21:59:00","guid":{"rendered":"https:\/\/andreas-wolter.com\/?p=7029"},"modified":"2026-04-16T18:54:52","modified_gmt":"2026-04-16T23:54:52","slug":"202510_dataaccess_auditing_sqlserver_advanced","status":"publish","type":"post","link":"https:\/\/andreas-wolter.com\/en\/202510_dataaccess_auditing_sqlserver_advanced\/","title":{"rendered":"Evading Data Access Auditing in Microsoft SQL Server \u2013 special commands \u2013 and how to close the gaps"},"content":{"rendered":"\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-m0cxh8ps-fe0c91d7594a469f15ea943d838d3976\">\n#top .av-special-heading.av-m0cxh8ps-fe0c91d7594a469f15ea943d838d3976{\npadding-bottom:10px;\n}\nbody .av-special-heading.av-m0cxh8ps-fe0c91d7594a469f15ea943d838d3976 .av-special-heading-tag .heading-char{\nfont-size:25px;\n}\n.av-special-heading.av-m0cxh8ps-fe0c91d7594a469f15ea943d838d3976 .av-subheading{\nfont-size:15px;\n}\n<\/style>\n<div  class='av-special-heading av-m0cxh8ps-fe0c91d7594a469f15ea943d838d3976 av-special-heading-h3 blockquote modern-quote  avia-builder-el-0  el_before_av_textblock  avia-builder-el-first '><h3 class='av-special-heading-tag'  itemprop=\"headline\"  >Evading Data Access Auditing in Microsoft SQL Server \u2013 special commands \u2013 and how to close the gaps<\/h3><div class=\"special-heading-border\"><div class=\"special-heading-inner-border\"><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-m0cxgkjy-c935304b4106b45214698f40e83a9894 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>In this article, I detail complex evasion techniques that security teams and auditors should be aware of when monitoring data access.<\/p>\n<ul>\n<li>Recently, I already published some indirect ways how malicious users can evade security Auditing in Microsoft SQL Server (and Azure SQL) databases, and how to ensure those methods are detected:<\/li>\n<li><a href=\"https:\/\/andreas-wolter.com\/en\/202508_evading_dataaccess_auditing_sqlserver\/\">Evading Data Access Auditing in Microsoft SQL Server \u2013 and how to close the gaps<\/a><\/li>\n<li><a href=\"https:\/\/andreas-wolter.com\/en\/202508_dataaccess_auditing_data_classification_sqlserver\/\">How to Use Data Classification to Audit specific Data Access in Microsoft SQL Server<\/a><\/li>\n<li>2b) make sure to also consider this still unfixed security bug: <a href=\"https:\/\/andreas-wolter.com\/en\/2509-sql-auditing-security-bug-classified-data-exfiltration\/\">Bug in Auditing allows for undetected Data Exfiltration by low privileged user<\/a><\/li>\n<\/ul>\n<p>The methods that I will share here allow an attacker to either conceal his identity or even evade auditing completely.<\/p>\n<p>Most of these commands require sysadmin privileges. However, if your goal is to audit every access to sensitive data, this typically means \u201call users\u201d\u00a0 &#8211;\u00a0 not with an exception for administrators. Because of this, it\u2019s important to understand these methods so you can make an informed decision about whether to include them in your auditing scope.<\/p>\n<p>Here is what you need to watch out for:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7032 size-large\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_DBCC_PAGE-1030x439.jpg\" alt=\"\" width=\"1030\" height=\"439\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_DBCC_PAGE-1030x439.jpg 1030w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_DBCC_PAGE-300x128.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_DBCC_PAGE-768x328.jpg 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_DBCC_PAGE-705x301.jpg 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_DBCC_PAGE.jpg 1172w\" sizes=\"auto, (max-width: 1030px) 100vw, 1030px\" \/><\/p>\n<h2>DBCC PAGE<\/h2>\n<p>Using the undocumented but well-known command DBCC PAGE, a DBA can read raw table or index data as it is stored in the 8-KB data pages inside the data file.<\/p>\n<p><strong>Mitigation<\/strong>: Monitor any DBCC command usage, and specifically this one, as it should hardly ever be used for good reasons.<\/p>\n<h2>Using a Linked Server query<\/h2>\n<p>This is a real tricky one:<\/p>\n<p>Many SQL Server systems have Linked Servers set up. And some of them are set up with a common security principal that will log on to the linked server. Like here:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7038 size-medium\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_LinkedServer_Security-300x113.jpg\" alt=\"\" width=\"300\" height=\"113\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_LinkedServer_Security-300x113.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_LinkedServer_Security-705x264.jpg 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_LinkedServer_Security.jpg 765w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>That means that if someone wants to simply hide their identity, they can use a linked server query, like the following:<\/p>\n<p>SELECT * FROM [LinkedServerName].AdventureWorks2022.Sales.CreditCard<\/p>\n<p>If we are auditing the Sales.CreditCard table, all we will see in the Audit log is the principal \u201csomesysadmin\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-7036 alignnone\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_LinkedServer_Query_AuditRecord.jpg\" alt=\"\" width=\"815\" height=\"104\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_LinkedServer_Query_AuditRecord.jpg 815w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_LinkedServer_Query_AuditRecord-300x38.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_LinkedServer_Query_AuditRecord-768x98.jpg 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_LinkedServer_Query_AuditRecord-705x90.jpg 705w\" sizes=\"auto, (max-width: 815px) 100vw, 815px\" \/><\/p>\n<p>SQL Auditing currently has no way of telling which user initiated the SELECT on the table, since the Linked Server query is essentially a new Logon. It is not an impersonation like with EXECUTE AS, where SQL Server has the \u201coriginal Login\u201d information.<\/p>\n<p><strong>Mitigation<\/strong>: To cover this, you need a combination of Extended Events in addition to the Audit functionality.<\/p>\n<h2>Change Data Capture<\/h2>\n<p>If <a href=\"https:\/\/learn.microsoft.com\/en-us\/sql\/relational-databases\/track-changes\/enable-and-disable-change-data-capture-sql-server?view=sql-server-ver17\" target=\"_blank\" rel=\"noopener\">Change Data Capture<\/a> has been set up on a table, all changes are kept in a special capture table. This table is not audited by default. Querying the capture table discloses the data just as the original table:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-7030 alignnone\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_ChangeDataCapture_ChangeTable.jpg\" alt=\"\" width=\"792\" height=\"170\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_ChangeDataCapture_ChangeTable.jpg 792w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_ChangeDataCapture_ChangeTable-300x64.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_ChangeDataCapture_ChangeTable-768x165.jpg 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_ChangeDataCapture_ChangeTable-705x151.jpg 705w\" sizes=\"auto, (max-width: 792px) 100vw, 792px\" \/><\/p>\n<p>This method works only for data that has changed and normally does not allow reading the whole table content at once.<\/p>\n<p><strong>Mitigation<\/strong>: Ensure all Capture tables access is audited if they can contain sensitive data.<\/p>\n<h2>DML Triggers<\/h2>\n<p>DML Triggers can easily be abused for copying data that is changed into a separate table that is not being audited.<\/p>\n<p><strong>Mitigation<\/strong>: Audit DML Trigger creation and do a code-analysis.<\/p>\n<h2>Complex or inefficient methods<\/h2>\n<h3>fn_dblog and fn_dump_dblog<\/h3>\n<p>These commands read data from the transaction log. fn_dblog reads the current, active transaction log, whereas fn_dump_dblog can read a Transaction Log backup.<\/p>\n<p>That limits the usefulness of these commands since the transaction log only contains data that has been changed \u2013 much like using Change Data Capture. If the sensitive data in question has not been changed for a long time, it may not be in reach through these commands at all.<\/p>\n<p>But since every data change must go through the transaction log, an update such as this statement:<\/p>\n<p>UPDATE Sales.CreditCard<br \/>\nSET CardNumber = 33332126386433<br \/>\nWHERE CardNumber = 33332126386493<\/p>\n<p>can be found using fn_dblog. It requires some conversion and knowledge of the underlying table schema, but it\u2019s doable:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-7034\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_fn_dblog_Update-1030x420.jpg\" alt=\"\" width=\"1030\" height=\"420\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_fn_dblog_Update-1030x420.jpg 1030w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_fn_dblog_Update-300x122.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_fn_dblog_Update-768x313.jpg 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_fn_dblog_Update-705x287.jpg 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_fn_dblog_Update.jpg 1200w\" sizes=\"auto, (max-width: 1030px) 100vw, 1030px\" \/><\/p>\n<p><strong>Mitigation<\/strong>: Monitor special system function usage. In the article <a href=\"https:\/\/andreas-wolter.com\/en\/202508_evading_dataaccess_auditing_sqlserver\/\">Evading Data Access Auditing in Microsoft SQL Server \u2013 and how to close the gaps<\/a>, I share an example.<\/p>\n<h3>Query Plans<\/h3>\n<p>In theory, it is possible to extract sensitive values from query plans. This can be done using the DMV sys.dm_exec_query_plan or the Query Store procedure sys.query_store_plan.<br \/>\nHowever, this technique is very limited since mostly such values are only stored once per query plan and typically just one value per parameter, like in the following example:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-7042\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_QueryPlan_Parameters-1030x488.jpg\" alt=\"\" width=\"1030\" height=\"488\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_QueryPlan_Parameters-1030x488.jpg 1030w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_QueryPlan_Parameters-300x142.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_QueryPlan_Parameters-768x364.jpg 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_QueryPlan_Parameters-705x334.jpg 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_QueryPlan_Parameters.jpg 1200w\" sizes=\"auto, (max-width: 1030px) 100vw, 1030px\" \/><\/p>\n<p><strong>Mitigation<\/strong>: If this is of concern, you need to (A) limit who can read query plans and (B) audit the specific system procedures. Also, don\u2019t forget to cover the Query Store objects if it is enabled.<\/p>\n<h3>Stack dump using XEvents<\/h3>\n<p>Technically, anyone who has the power to create XEvents sessions and add Events, can also add Actions. And the Action \u201ccreate_dump_single_thread\u201d can create a minidump for just an individual thread. With some filtering, one could create a minidump every time a user somehow touches the table CreditCard, like this snippet shows:<\/p>\n<p>ADD EVENT sqlserver.sql_batch_completed(SET collect_batch_text=(1)<\/p>\n<p>ACTION(sqlserver.create_dump_single_thread,sqlserver.tsql_stack)<\/p>\n<p>WHERE ([sqlserver].[equal_i_sql_unicode_string]([sqlserver].[database_name],N&#8217;AdventureWorks2022&#8242;) AND [sqlserver].[like_i_sql_unicode_string]([sqlserver].[sql_text],N&#8217;%CreditCard%&#8217;)))<\/p>\n<p>Note:<br \/>\nDo not test this on your system! This method puts a huge performance penalty on these queries.<\/p>\n<p>The Minidump file contains the data in clear text:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7040\" src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_Minidump.jpg\" alt=\"\" width=\"1000\" height=\"200\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_Minidump.jpg 1000w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_Minidump-300x60.jpg 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_Minidump-768x154.jpg 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2025\/10\/2510_Minidump-705x141.jpg 705w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<p><strong>Mitigation<\/strong>: Because of the huge performance impact on the queries that will trigger the minidump, this method will surely draw immediate attention. Besides that, it is of course not very efficient. But if you must make sure, you should grant permissions for Extended Events to only those who need it and limit the permissions further. For some examples, see here: <a href=\"https:\/\/andreas-wolter.com\/en\/extended-events-tracing-sql-compliance-principle-of-least-privilege-role-separation\/\">Using Extended Events for Tracing SQL Server and Azure SQL DB in compliance with Principle of Least Privilege \u2013 Example role separation<\/a><\/p>\n<h3>DBCC OUTPUTBUFFER and INPUTBUFFER statements<\/h3>\n<p>In theory, it is possible to capture statements that expose the sensitive values a part of the statement using DBCC INPUTBUFFER, when the value in question is the input for a WHERE-clause for example.<br \/>\nThe other way around, capturing the OUTPUTBUFFER of queries that return sensitive data is even more difficult, as that data is in hexadecimal and ASCII, so you would at least have to have a very precise pattern to search for.<\/p>\n<p>None of these are efficient methods, since the person using them would have to wait for other users to read the data that he is interested in. And that will realistically be only be a very tiny percentage of the overall sessions running on a system.<\/p>\n<p>So, take it more as a remote possibility than an actual realistic attack vector.<\/p>\n<p><strong>Mitigation<\/strong>: Always monitor any use of DBCC commands for suspicious patterns as you should do anyway.<\/p>\n<h2>Replication in SQL Server<\/h2>\n<p>If you need to audit data access, you cannot forget about all the kinds of copies that may exist of that data. Always On Availability group read-only replicas should have the same Audit setting just like everything else should be aligned across the involved nodes.<br \/>\nOn the other hand, <a href=\"https:\/\/learn.microsoft.com\/en-us\/sql\/relational-databases\/replication\/sql-server-replication?view=sql-server-ver17\" target=\"_blank\" rel=\"noopener\">Replication in SQ Server<\/a> based on reading the data from the table rather than the log-stream, and then distributing that data on a record-level to other databases, which can reside locally or remote. And that other database structure is completely independent from the source. That means Auditing needs to be set up separately as well.<\/p>\n<p><strong>Mitigation<\/strong>: Set up Auditing on all SQL Server databases that contain copies of your data.<\/p>\n<h2>Mirroring in Fabric<\/h2>\n<p>Similar to SQL Server Replication, <a href=\"https:\/\/learn.microsoft.com\/en-us\/fabric\/mirroring\/overview\" target=\"_blank\" rel=\"noopener\">Mirroring in Fabric<\/a> creates copies of the data, not the whole database, and does not copy auditing configuration.<br \/>\nBut on top of that, the copy is not another SQL Server database, but a Parquet-file in OneLake, which is a whole different technology.<\/p>\n<p><strong>Mitigation<\/strong>: At the time of this writing (Oct 2025), there is no auditing for read-access available for OneLake data. Hence, you need to decide:<br \/>\n(A) ensure that no sensitive tables can be mirrored to Fabric<br \/>\n(B) Consider all mirrored databases as exposed to anyone who has access to the Fabric workspace that can host mirrored data.<\/p>\n<h2>Windows level<\/h2>\n<p>For completeness, of course, it is also possible to read data from the <strong>Data files or Transaction Log files<\/strong> \u2013 when the SQL Server process does not have them locked, <strong>Backup files, bcp-files for Replication data<\/strong>, or with a bit more work from <strong>memory<\/strong>. So of course, data security does not stop at the SQL Server process.<\/p>\n<p><strong>Mitigation<\/strong>: You should audit file-level access to database-files and backup files at least \u2013 wherever they may reside (also to help detect ransomware attacks early on). Auditing access to memory is a bit more complex and goes beyond what this post can cover. Also, if someone has gained the necessary privileges to do that, reading data from memory is probably not worth the effort since there are more effective attacks possible at this moment \ud83d\ude09<\/p>\n<h2>Summary<\/h2>\n<p>While many of the methods shown are cumbersome and impractical for large-scale data exfiltration without detection, whether they pose a real concern depends on what you&#8217;re storing, what needs to be protected, and your specific threat model.<\/p>\n<p>And some of them are easy enough to allow Admins to go undetected if you are not auditing DBCC commands, for example.<\/p>\n<p><strong><em>And for those who cannot accept exceptions:<\/em><\/strong><\/p>\n<p>If comprehensive auditing of sysadmin-level access to sensitive data is required, consider enforcing privileged access through hardened, dedicated jump hosts. These systems should be instrumented with OS-level auditing capabilities such as screen recording, input logging (e.g., keystrokes), and session capture. Access to these workstations\u2014and the associated privileged accounts\u2014should be provisioned just-in-time (JIT) and removed immediately after use, ideally integrated with a Privileged Access Management (PAM) solution.<\/p>\n<p>Hopefully, you find these insights useful.<\/p>\n<p>If you&#8217;re unsure whether your auditing practices are sufficient or find it challenging to analyze the data you collect, we can help. My team specializes in helping organizations with strict security requirements secure their databases and effectively audit for suspicious activity.<br \/>\n<strong><a href=\"https:\/\/sarpedonqualitylab.us\/contact\/\" target=\"_blank\" rel=\"noopener\">Let\u2019s connect.<\/a><\/strong><\/p>\n<p>Happy Auditing<\/p>\n<p>Andreas<\/p>\n<p>Kindly reviewed by:<br \/>\n<strong>Thomas Grohser<\/strong>, SQL Server Infrastructure Architect<br \/>\n<strong>Sravani Saluru<\/strong>, Senior Product Manager at Microsoft Azure Data and responsible for Auditing in Azure SQL, Fabric SQL and SQL Server<\/p>\n<p>Links to the other articles in this series on database security auditing, with examples for Microsoft SQL Server:<\/p>\n<ul>\n<li><a href=\"https:\/\/andreas-wolter.com\/en\/202507_recommended_security_auditing_databases_sql_server\/\">Recommendation for Security Auditing for databases \u2013 with example for Microsoft SQL Server<\/a><\/li>\n<li><a href=\"https:\/\/andreas-wolter.com\/en\/202508_evading_dataaccess_auditing_sqlserver\/\">Evading Data Access Auditing in Microsoft SQL Server \u2013 and how to close the gaps<\/a><\/li>\n<li><a href=\"https:\/\/andreas-wolter.com\/en\/202508_dataaccess_auditing_data_classification_sqlserver\/\">How to Use Data Classification to Audit specific Data Access in Microsoft SQL Server<\/a><\/li>\n<\/ul>\n<\/div><\/section>\r\n\r\n<div  class='flex_column av-av_one_full-048119fdb636ea3d70edc0b975509c6c av_one_full  avia-builder-el-2  el_after_av_textblock  el_before_av_social_share  first flex_column_div  column-top-margin'     ><div  class='hr av-av_hr-23b3846cdd0fbd0e234720a594f6db24 hr-default  avia-builder-el-3  el_before_av_textblock  avia-builder-el-first '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>\n<section  class='av_textblock_section av-mo24yn2q-c47161f5daad88b47e6e50be85ec8624 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Are you sure your current SQL Server auditing captures every access attempt? Don&#8217;t leave blind spots in your compliance. The team at Sarpedon Quality Lab designs tamper-proof, comprehensive database auditing architectures.<\/p>\n<\/div><\/section>\n<div  class='avia-button-wrap av-mo24y4wq-bee285c14618975569c0e7c7eacb2c55-wrap avia-button-center  avia-builder-el-5  el_after_av_textblock  el_before_av_hr '>\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-mo24y4wq-bee285c14618975569c0e7c7eacb2c55\">\n#top #wrap_all .avia-button.av-mo24y4wq-bee285c14618975569c0e7c7eacb2c55{\nfont-size:14px;\nbackground-color:#75a823;\nborder-color:#75a823;\ncolor:#ffffff;\nbox-shadow: 0 0 5px 5px ;\ntransition:all 0.4s ease-in-out;\n}\n<\/style>\n<a href=\"https:\/\/sarpedonqualitylab.us\/services\/#audit\" class=\"avia-button av-mo24y4wq-bee285c14618975569c0e7c7eacb2c55 avia-icon_select-yes-left-icon avia-size-medium avia-position-center\" target=\"_blank\" rel=\"noopener\"><span class='avia_button_icon avia_button_icon_left' aria-hidden='true' data-av_icon='\ue832' data-av_iconfont='entypo-fontello'><\/span><span class='avia_iconbox_title' >Explore Our Auditing Services<\/span><\/a><\/div>\n<div  class='hr av-av_hr-23b3846cdd0fbd0e234720a594f6db24 hr-default  avia-builder-el-6  el_after_av_button  avia-builder-el-last '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div><\/div><div  class='av-social-sharing-box av-5n5vpa-78ffdd9d224b4a246af65bdc00dce900 av-social-sharing-box-default  avia-builder-el-7  el_after_av_one_full  el_before_av_hr  av-social-sharing-box-fullwidth'><div class=\"av-share-box\"><h5 class='av-share-link-description av-no-toc '>Share article<\/h5><ul class=\"av-share-box-list noLightbox\"><li class='av-share-link av-social-link-facebook' ><a target=\"_blank\" aria-label=\"Share on Facebook\" href=\"https:\/\/www.facebook.com\/sharer.php?u=https:\/\/andreas-wolter.com\/en\/202510_dataaccess_auditing_sqlserver_advanced\/&#038;t=Evading%20Data%20Access%20Auditing%20in%20Microsoft%20SQL%20Server%20%E2%80%93%20special%20commands%20%E2%80%93%20and%20how%20to%20close%20the%20gaps\" aria-hidden=\"false\" data-av_icon=\"\ue8f3\" data-av_iconfont=\"entypo-fontello\" title=\"\" data-avia-related-tooltip=\"Share on Facebook\" rel=\"noopener\"><span class='avia_hidden_link_text'>Share on Facebook<\/span><\/a><\/li><li class='av-share-link av-social-link-twitter' ><a target=\"_blank\" aria-label=\"Share on Twitter\" href=\"https:\/\/twitter.com\/share?text=Evading%20Data%20Access%20Auditing%20in%20Microsoft%20SQL%20Server%20%E2%80%93%20special%20commands%20%E2%80%93%20and%20how%20to%20close%20the%20gaps&#038;url=https:\/\/andreas-wolter.com\/en\/?p=7029\" aria-hidden=\"false\" data-av_icon=\"\ue8f1\" data-av_iconfont=\"entypo-fontello\" title=\"\" data-avia-related-tooltip=\"Share on Twitter\" rel=\"noopener\"><span class='avia_hidden_link_text'>Share on Twitter<\/span><\/a><\/li><li class='av-share-link av-social-link-linkedin' ><a target=\"_blank\" aria-label=\"Share on LinkedIn\" href=\"https:\/\/linkedin.com\/shareArticle?mini=true&#038;title=Evading%20Data%20Access%20Auditing%20in%20Microsoft%20SQL%20Server%20%E2%80%93%20special%20commands%20%E2%80%93%20and%20how%20to%20close%20the%20gaps&#038;url=https:\/\/andreas-wolter.com\/en\/202510_dataaccess_auditing_sqlserver_advanced\/\" aria-hidden=\"false\" data-av_icon=\"\ue8fc\" data-av_iconfont=\"entypo-fontello\" title=\"\" data-avia-related-tooltip=\"Share on LinkedIn\" rel=\"noopener\"><span class='avia_hidden_link_text'>Share on LinkedIn<\/span><\/a><\/li><\/ul><\/div><\/div>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-4ofg9q-c2108540b480aba02923089240a3a176\">\n#top .hr.hr-invisible.av-4ofg9q-c2108540b480aba02923089240a3a176{\nheight:50px;\n}\n<\/style>\n<div  class='hr av-4ofg9q-c2108540b480aba02923089240a3a176 hr-invisible  avia-builder-el-8  el_after_av_social_share  el_before_av_comments_list '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>\r\n\r\n<div  class='av-buildercomment av-284ftq-f5a1564cd6b8ffad6ce835e2d40de4b7  av-blog-meta-author-disabled av-blog-meta-html-info-disabled'><\/div>","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":7034,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57],"tags":[380,206],"class_list":["post-7029","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-en","tag-auditing","tag-sql-security"],"_links":{"self":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/7029","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/comments?post=7029"}],"version-history":[{"count":3,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/7029\/revisions"}],"predecessor-version":[{"id":7078,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/7029\/revisions\/7078"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media\/7034"}],"wp:attachment":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media?parent=7029"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/categories?post=7029"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/tags?post=7029"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}