
MSSQL Destructive Query

Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".

Author: Daniel Degasperi

Log Source

Product: windows
Service: application

Definition

Requirements: the MSSQL audit policy must be enabled in order to receive this event (event ID 33205).

Detection Logic

detection:
    selection:
        Provider_Name: 'MSSQLSERVER$AUDIT'
        EventID: 33205
        Data|contains:
            - 'statement:TRUNCATE TABLE'
            - 'statement:DROP TABLE'
            - 'statement:DROP DATABASE'
    condition: selection
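
The selection above evaluated in code, as an added example that is not part of the SigmaHQ rule or of this page. It applies Sigma's case-insensitive string matching (a plain value is an exact match, `contains` is a substring test, and a list of values is an OR) to constructed Windows Application log events. The Data strings, principal names, database and table names are invented for illustration, and the flattened "key:value" layout of the 33205 audit message is an assumption.

```python
"""Minimal evaluator for the MSSQL destructive-query selection.

Added example, not SigmaHQ code. Assumptions (labelled):
- events are dicts keyed by the Sigma Windows field names Provider_Name,
  EventID and Data;
- Data holds the flattened text of the 33205 audit record, laid out as
  space-separated "key:value" pairs with the statement last;
- Sigma string matching is case-insensitive, both for plain values and for
  the `contains` modifier, and a list of values is an OR.
"""
import re

# The rule's detection block, transcribed from the YAML above.
DETECTION = {
    "selection": {
        "Provider_Name": "MSSQLSERVER$AUDIT",
        "EventID": 33205,
        "Data|contains": [
            "statement:TRUNCATE TABLE",
            "statement:DROP TABLE",
            "statement:DROP DATABASE",
        ],
    },
    "condition": "selection",
}

# Constructed sample events: principals, databases and objects are invented,
# and the Data layout is an assumption about the 33205 message text.
SAMPLE_EVENTS = [
    {"Provider_Name": "MSSQLSERVER$AUDIT", "EventID": 33205,
     "Data": "succeeded:true session_server_principal_name:CORP\\alice "
             "database_name:Sales statement:DROP TABLE dbo.Orders"},
    {"Provider_Name": "MSSQLSERVER$AUDIT", "EventID": 33205,
     "Data": "succeeded:true session_server_principal_name:CORP\\bob "
             "database_name:Sales statement:SELECT TOP 10 * FROM dbo.Orders"},
    # Lower-case statement: still matches because Sigma matching ignores case.
    {"Provider_Name": "MSSQLSERVER$AUDIT", "EventID": 33205,
     "Data": "succeeded:true session_server_principal_name:CORP\\etl_svc "
             "database_name:Staging statement:truncate table dbo.StagingLoad"},
    # Same statement, wrong provider: the rule does not fire.
    {"Provider_Name": "MSSQLSERVER", "EventID": 33205,
     "Data": "statement:DROP DATABASE Scratch"},
    # Same statement, wrong event ID: the rule does not fire.
    {"Provider_Name": "MSSQLSERVER$AUDIT", "EventID": 33204,
     "Data": "statement:DROP DATABASE Scratch"},
]


def _value_matches(actual, expected, modifier):
    """Compare one field value against one expected value, Sigma-style."""
    actual_s, expected_s = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return actual_s == expected_s   # plain value: exact, case-insensitive
    if modifier == "contains":
        return expected_s in actual_s   # |contains: substring, case-insensitive
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(event, selection):
    """True if every field in the selection matches: AND across fields,
    OR across the values listed for one field."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(event[field], c, modifier) for c in candidates):
            return False
    return True


def extract_field(data, name):
    """Pull one 'name:value' pair out of the flattened audit text. The
    statement is the last pair and may contain spaces; other values are
    single tokens (assumed layout)."""
    value = r"(.*)" if name == "statement" else r"(\S+)"
    match = re.search(re.escape(name) + ":" + value, data, re.IGNORECASE)
    return match.group(1) if match else None


def find_destructive_queries(events, detection=DETECTION):
    """Apply the rule's single-selector condition to every event and return
    (index, session principal, statement) for each hit."""
    selection = detection[detection["condition"]]
    hits = []
    for idx, event in enumerate(events):
        if selection_matches(event, selection):
            data = event["Data"]
            hits.append((idx,
                         extract_field(data, "session_server_principal_name"),
                         extract_field(data, "statement")))
    return hits


if __name__ == "__main__":
    for idx, principal, statement in find_destructive_queries(SAMPLE_EVENTS):
        print(f"event {idx}: {principal!r} ran {statement!r}")
```

Running it flags the two events whose statement begins with DROP TABLE or TRUNCATE TABLE, including the lower-case one, and ignores the same statements when they arrive under a different provider or event ID. The session principal and statement pulled out of each hit are what an analyst would pivot on when triaging the sysadmin false positive noted below.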

False Positives

Legitimate transaction from a sysadmin.

Rule Metadata

Rule ID: 00321fee-ca72-4cce-b011-5415af3b9960
Status: experimental
Level: medium
Type: Detection
Created: Wed Jun 04
Path: rules/windows/builtin/application/mssqlserver/win_mssql_destructive_query.yml
Tags: attack.exfiltration, attack.impact, attack.t1485