Suspicious SQL Query

Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities, such as dropping tables and selecting wildcard fields.

Sigma rule

```yaml
title: Suspicious SQL Query
id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
status: test
description: Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
author: '@juju4'
date: 2022-12-27
references:
    - https://github.com/sqlmapproject/sqlmap
tags:
    - attack.exfiltration
    - attack.initial-access
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1190
    - attack.t1505.001
logsource:
    category: database
    definition: 'Requirements: Must be able to log the SQL queries'
detection:
    keywords:
        - 'drop'
        - 'truncate'
        - 'dump'
        - 'select \*'
    condition: keywords
falsepositives:
    - Inventory and monitoring activity
    - Vulnerability scanners
    - Legitimate applications
level: medium
```
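To see what the `keywords` block actually matches, here is an added example (not part of the rule or the Sigma project) that evaluates the rule's four keywords against constructed SQL query log lines the way a Sigma backend would: case-insensitive substring matching, where `\*` escapes the wildcard so `select \*` only fires on a literal asterisk. The sample queries and the helper names are assumptions made for this illustration.

```python
import re

# Keyword list copied from the rule's detection block. Sigma keywords are
# matched case-insensitively as substrings of the whole log line; an unescaped
# '*' is a wildcard and '\*' stands for a literal asterisk.
SIGMA_KEYWORDS = ["drop", "truncate", "dump", "select \\*"]


def sigma_keyword_to_regex(keyword: str) -> re.Pattern:
    """Translate one Sigma keyword into a compiled regex."""
    parts = []
    i = 0
    while i < len(keyword):
        ch = keyword[i]
        if ch == "\\" and i + 1 < len(keyword) and keyword[i + 1] in "*?\\":
            parts.append(re.escape(keyword[i + 1]))  # escaped: literal char
            i += 2
        elif ch == "*":
            parts.append(".*")  # Sigma wildcard: any run of characters
            i += 1
        elif ch == "?":
            parts.append(".")  # Sigma wildcard: exactly one character
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


PATTERNS = [sigma_keyword_to_regex(k) for k in SIGMA_KEYWORDS]


def matched_keywords(query: str) -> list:
    """Return the rule keywords that fire on a single logged query."""
    return [k for k, p in zip(SIGMA_KEYWORDS, PATTERNS) if p.search(query)]


# Constructed sample query log lines (not taken from the page).
SAMPLE_QUERIES = [
    "SELECT id, name FROM users WHERE id = 42",
    "SELECT * FROM users",
    "DROP TABLE audit_log",
    "TRUNCATE TABLE sessions",
    "SELECT dumpster_id FROM locations",  # 'dump' substring: a false positive
    "INSERT INTO orders (id) VALUES (1)",
]


def run_rule(queries):
    """Apply the rule to every query; return (query, keywords) for hits only."""
    hits = []
    for q in queries:
        found = matched_keywords(q)
        if found:
            hits.append((q, found))
    return hits
```

The `dumpster_id` hit shows why the rule's false-positive list matters: plain substring keywords fire on identifiers that merely contain `dump`, so tune with exclusions for known applications before raising the level.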
