Suspicious SQL Query

May 20, 2025 · attack.exfiltration attack.initial-access attack.privilege-escalation attack.persistence attack.t1190 attack.t1505.001 ·

Share on:

Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields

Sigma rule (View on GitHub)

 1title: Suspicious SQL Query
 2id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
 3status: test
 4description: Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
 5author: '@juju4'
 6date: 2022-12-27
 7references:
 8    - https://github.com/sqlmapproject/sqlmap
 9tags:
10    - attack.exfiltration
11    - attack.initial-access
12    - attack.privilege-escalation
13    - attack.persistence
14    - attack.t1190
15    - attack.t1505.001
16logsource:
17    category: database
18    definition: 'Requirements: Must be able to log the SQL queries'
19detection:
20    keywords:
21        - 'drop'
22        - 'truncate'
23        - 'dump'
24        - 'select \*'
25    condition: keywords
26falsepositives:
27    - Inventory and monitoring activity
28    - Vulnerability scanners
29    - Legitimate applications
30level: medium

References

GitHub - sqlmapproject/sqlmap: Automatic SQL injection and database takeover tool

Automatic SQL injection and database takeover tool - sqlmapproject/sqlmap

Read More

Suspicious SQL Query

Sigma rule (View on GitHub)

References

GitHub - sqlmapproject/sqlmap: Automatic SQL injection and database takeover tool

Related rules