Suspicious SQL Query
Detects suspicious SQL query keywords that are often used during reconnaissance, exfiltration or destructive activity, such as dropping tables and selecting wildcard fields.
Sigma rule

```yaml
title: Suspicious SQL Query
id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
status: test
description: Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
author: '@juju4'
date: 2022-12-27
references:
    - https://github.com/sqlmapproject/sqlmap
tags:
    - attack.exfiltration
    - attack.initial-access
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1190
    - attack.t1505.001
logsource:
    category: database
    definition: 'Requirements: Must be able to log the SQL queries'
detection:
    keywords:
        - 'drop'
        - 'truncate'
        - 'dump'
        - 'select \*'
    condition: keywords
falsepositives:
    - Inventory and monitoring activity
    - Vulnerability scanners
    - Legitimate applications
level: medium
```
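How the rule's keyword list behaves on real query logs, as an added Python example that is not part of the Sigma project or of this rule page. It assumes the usual Sigma keyword semantics (case-insensitive substring match anywhere in the event, unescaped `*`/`?` as wildcards, `\*` as a literal asterisk) and runs the four keywords over constructed log lines, including a benign query that trips the substring match on `drop`, the kind of hit the `falsepositives` section anticipates.

```python
import re

# Keywords copied from the rule above; '\*' is Sigma's escape for a literal '*'.
SIGMA_KEYWORDS = ["drop", "truncate", "dump", r"select \*"]


def keyword_to_regex(keyword: str) -> re.Pattern:
    """Translate one Sigma keyword into a case-insensitive substring regex.

    Assumed Sigma semantics: unescaped '*' is a multi-character wildcard,
    '?' a single-character wildcard, and a backslash escapes either one so
    it matches literally. A keyword matches anywhere in the logged event.
    """
    out, i = [], 0
    while i < len(keyword):
        ch = keyword[i]
        if ch == "\\" and i + 1 < len(keyword) and keyword[i + 1] in "*?\\":
            out.append(re.escape(keyword[i + 1]))
            i += 2
        else:
            out.append({"*": ".*", "?": "."}.get(ch, re.escape(ch)))
            i += 1
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


COMPILED = [(k, keyword_to_regex(k)) for k in SIGMA_KEYWORDS]


def matched_keywords(event: str) -> list[str]:
    """Return the rule keywords that fire on one logged SQL query."""
    return [k for k, rx in COMPILED if rx.search(event)]


def triage(events: list[str]) -> list[tuple[str, list[str]]]:
    """Apply the rule to a batch of query log lines and return only the hits."""
    return [(ev, matched_keywords(ev)) for ev in events if matched_keywords(ev)]


# Constructed sample query log lines (not taken from any real system).
SAMPLE_EVENTS = [
    "SELECT id, name FROM customers WHERE id = 42",   # benign, no keyword
    "SELECT * FROM users",                            # wildcard select
    "DROP TABLE audit_log",                           # destructive
    "TRUNCATE TABLE sessions",                        # destructive
    "SELECT dropdown_label FROM ui_settings",         # 'drop' substring hit: tune in the SIEM
]

if __name__ == "__main__":
    for event, kws in triage(SAMPLE_EVENTS):
        print(f"ALERT {kws}: {event}")
```

The last sample shows why `level: medium` and the listed false positives matter: a bare keyword like `drop` also fires on identifiers that merely contain it, so a deployment usually adds word-boundary or allow-list filtering on top of the rule.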
Related rules
- Suspicious Child Process Of SQL Server
- Suspicious Processes Spawned by WinRM
- Exchange WebShell Creation
- Suspicious Commands by SQL Server
- Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection