Suspicious SQL Query

Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities, such as dropping tables and selecting wildcard fields.

Sigma rule

title: Suspicious SQL Query
id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
status: test
description: Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities, such as dropping tables and selecting wildcard fields
author: '@juju4'
date: 2022/12/27
references:
    - https://github.com/sqlmapproject/sqlmap
tags:
    - attack.exfiltration
    - attack.initial_access
    - attack.privilege_escalation
    - attack.t1190
    - attack.t1505.001
logsource:
    category: database
    definition: 'Requirements: Must be able to log the SQL queries'
detection:
    keywords:
        - 'drop'
        - 'truncate'
        - 'dump'
        - 'select \*'
    condition: keywords
falsepositives:
    - Inventory and monitoring activity
    - Vulnerability scanners
    - Legitimate applications
level: medium
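As an added illustration, not part of the rule or of the Sigma project, the following Python sketch applies the rule's keyword list to database query log records the way a Sigma backend would: keywords are case-insensitive substring matches against the whole event, and the escaped `\*` is a literal asterisk rather than a wildcard. The log records are constructed for the example.

```python
import re

# Keywords from the rule above. Sigma keyword matching is a case-insensitive
# substring test over the whole event; '\*' in the rule is a literal '*'.
KEYWORDS = ["drop", "truncate", "dump", "select *"]

# One compiled alternation; re.escape keeps '*' literal instead of a regex quantifier.
_PATTERN = re.compile("|".join(re.escape(k) for k in KEYWORDS), re.IGNORECASE)


def match_keywords(query: str):
    """Return the first rule keyword found in a logged SQL query, or None.

    This is the 'condition: keywords' semantics: any keyword hit fires the rule.
    """
    m = _PATTERN.search(query)
    return m.group(0).lower() if m else None


def scan_log(records):
    """Apply the rule to (timestamp, db_user, query) records and return alerts."""
    alerts = []
    for ts, user, query in records:
        hit = match_keywords(query)
        if hit:
            alerts.append({"ts": ts, "user": user, "keyword": hit, "query": query})
    return alerts


# Constructed sample records (not real logs), in the shape a database audit log
# with query logging enabled might provide.
SAMPLE_LOG = [
    ("2022-12-27T10:00:01Z", "app",    "SELECT id, name FROM users WHERE id = 42"),
    ("2022-12-27T10:00:02Z", "app",    "UPDATE users SET last_login = NOW() WHERE id = 42"),
    ("2022-12-27T10:01:15Z", "backup", "select * from customers"),
    ("2022-12-27T10:02:40Z", "dba",    "DROP TABLE audit_log"),
    ("2022-12-27T10:03:05Z", "app",    "INSERT INTO ui_prefs (widget) VALUES ('dropdown')"),
    ("2022-12-27T10:04:00Z", "etl",    "TRUNCATE TABLE staging"),
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} user={a['user']} keyword={a['keyword']!r}: {a['query']}")
```

Note that the `'dropdown'` record is flagged as well: because keywords are plain substring matches, the rule fires on benign values that merely contain `drop`, which is one reason it ships at level medium with inventory tools, scanners and legitimate applications listed as false positives.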
