MSSQL Destructive Query
Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
Sigma rule
title: MSSQL Destructive Query
id: 00321fee-ca72-4cce-b011-5415af3b9960
status: experimental
description: |
    Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
references:
    - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-table-transact-sql?view=sql-server-ver16
    - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-database-transact-sql?view=sql-server-ver16
    - https://learn.microsoft.com/en-us/sql/t-sql/statements/truncate-table-transact-sql?view=sql-server-ver16
author: Daniel Degasperi '@d4ns4n_'
date: 2025-06-04
tags:
    - attack.exfiltration
    - attack.impact
    - attack.t1485
logsource:
    product: windows
    service: application
    definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event (event id 33205)'
detection:
    selection:
        Provider_Name: 'MSSQLSERVER$AUDIT'
        EventID: 33205
        Data|contains:
            - 'statement:TRUNCATE TABLE'
            - 'statement:DROP TABLE'
            - 'statement:DROP DATABASE'
    condition: selection
falsepositives:
    - Legitimate transaction from a sysadmin.
level: medium
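To make the selection logic concrete, the following is an added example (not code from the rule page or from the Sigma project) that evaluates the rule's `selection` block the way a Sigma backend would, over a handful of constructed Windows Application-log records shaped like MSSQL audit event 33205. The `Data` payloads are constructed and only loosely modelled on the audit event's key:value message format; the function names `matches_rule` and `alerts` are this example's own. It also illustrates two properties of the rule worth knowing before deploying it: Sigma string matching is case-insensitive by default, so `drop database` in lower case still fires, and statements outside the three listed (a `DELETE` without `WHERE`, for instance) are out of scope.

```python
"""Evaluate the MSSQL Destructive Query selection over sample events.

Added example: a minimal, backend-independent evaluator for the rule's
`selection` block. Not part of the Sigma rule or the Sigma project.
"""

# Field names and values copied verbatim from the rule's detection block.
SELECTION = {
    "Provider_Name": "MSSQLSERVER$AUDIT",
    "EventID": 33205,
    "Data|contains": [
        "statement:TRUNCATE TABLE",
        "statement:DROP TABLE",
        "statement:DROP DATABASE",
    ],
}


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies every field of `selection`.

    Sigma compares strings case-insensitively by default, so both the
    `contains` patterns and the event's Data field are lower-cased first.
    All keys inside one selection are AND-ed; the list under `Data|contains`
    is OR-ed (any one substring is enough).
    """
    provider = str(event.get("Provider_Name", "")).lower()
    if provider != SELECTION["Provider_Name"].lower():
        return False
    # EventID may arrive as int or string depending on the log pipeline.
    if str(event.get("EventID", "")) != str(SELECTION["EventID"]):
        return False
    data = str(event.get("Data", "")).lower()
    return any(pattern.lower() in data for pattern in SELECTION["Data|contains"])


def alerts(events):
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (hypothetical payloads, not real audit output).
SAMPLE_EVENTS = [
    # 1. DROP TABLE via the audit provider: should fire.
    {"Provider_Name": "MSSQLSERVER$AUDIT", "EventID": 33205,
     "Data": "action_id:DR class_type:U statement:DROP TABLE dbo.Orders"},
    # 2. Lower-case DROP DATABASE: fires because matching is case-insensitive.
    {"Provider_Name": "MSSQLSERVER$AUDIT", "EventID": 33205,
     "Data": "action_id:DR class_type:DB statement:drop database Sales"},
    # 3. Ordinary SELECT: does not fire.
    {"Provider_Name": "MSSQLSERVER$AUDIT", "EventID": 33205,
     "Data": "action_id:SL class_type:U statement:SELECT * FROM dbo.Orders"},
    # 4. Unfiltered DELETE is also destructive but is not in the rule's list.
    {"Provider_Name": "MSSQLSERVER$AUDIT", "EventID": 33205,
     "Data": "action_id:DL class_type:U statement:DELETE FROM dbo.Orders"},
    # 5. Right statement, wrong provider (not the audit provider): no match.
    {"Provider_Name": "MSSQLSERVER", "EventID": 33205,
     "Data": "statement:DROP TABLE dbo.Orders"},
    # 6. Right provider and statement, wrong event id: no match.
    {"Provider_Name": "MSSQLSERVER$AUDIT", "EventID": "18456",
     "Data": "statement:DROP TABLE dbo.Orders"},
]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Data"])
```

Running the block prints alerts for events 1 and 2 only. The fourth record is the practical caveat: the rule covers `TRUNCATE TABLE`, `DROP TABLE` and `DROP DATABASE`, so a mass `DELETE` needs a separate rule, and all of this presupposes that the SQL Server audit specification actually writes event 33205 to the Application log as the `logsource.definition` states.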
Related rules
- Azure Container Registry Created or Deleted
- Azure Kubernetes Cluster Created or Deleted
- Azure Kubernetes Network Policy Change
- Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
- Azure Kubernetes Secret or Config Object Access