Suspicious SQL Query
Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
Sigma rule (View on GitHub)
1title: Suspicious SQL Query
2id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
3status: test
4description: Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
5author: '@juju4'
6date: 2022/12/27
7references:
8 - https://github.com/sqlmapproject/sqlmap
9tags:
10 - attack.exfiltration
11 - attack.initial_access
12 - attack.privilege_escalation
13 - attack.t1190
14 - attack.t1505.001
15logsource:
16 category: database
17 definition: 'Requirements: Must be able to log the SQL queries'
18detection:
19 keywords:
20 - 'drop'
21 - 'truncate'
22 - 'dump'
23 - 'select \*'
24 condition: keywords
25falsepositives:
26 - Inventory and monitoring activity
27 - Vulnerability scanners
28 - Legitimate applications
29level: medium
References
-
Automatic SQL injection and database takeover tool - GitHub - sqlmapproject/sqlmap: Automatic SQL injection and database takeover tool
Read More
Related rules
- OMIGOD HTTP No Authentication RCE
- OMIGOD SCX RunAsProvider ExecuteScript
- OMIGOD SCX RunAsProvider ExecuteShellCommand
- OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd
- Suspicious Processes Spawned by WinRM