SQL Injection Strings In URI
Detects potential SQL injection attempts via GET requests in access logs.
Authors: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank)
Created: Sat Feb 22 | Updated: Mon Sep 04
Rule ID: 5513deaf-f49a-46c2-a6c8-3f111b5cb453
Log Source
Category: Web Server Log (raw logsource category: webserver)
HTTP access logs from web servers capturing request paths, methods, and status codes.
Detection Logic (3 selectors)
detection:
    selection:
        cs-method: 'GET'
    keywords:
        - '@@version'
        - '%271%27%3D%271'
        - '=select '
        - '=select('
        - '=select%20'
        - 'concat_ws('
        - 'CONCAT(0x'
        - 'from mysql.innodb_table_stats'
        - 'from%20mysql.innodb_table_stats'
        - 'group_concat('
        - 'information_schema.tables'
        - 'json_arrayagg('
        - 'or 1=1#'
        - 'or%201=1#'
        - 'order by '
        - 'order%20by%20'
        - 'select * '
        - 'select database()'
        - 'select version()'
        - 'select%20*%20'
        - 'select%20database()'
        - 'select%20version()'
        - 'select%28sleep%2810%29'
        - 'SELECTCHAR('
        - 'table_schema'
        - 'UNION ALL SELECT'
        - 'UNION SELECT'
        - 'UNION%20ALL%20SELECT'
        - 'UNION%20SELECT'
        - "'1'='1"
    filter_main_status:
        sc-status: 404
    condition: selection and keywords and not 1 of filter_main_*

False Positives
JavaScript and CSS files
User searches in the search boxes of the respective website
Internal vulnerability scanners can cause a large number of FPs when used; if you experience many FPs for this reason, consider adding more filters, such as "User-Agent" strings and additional response codes.
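To show how the condition above actually evaluates (the GET selection, the keyword list, and the 404 filter that suppresses probes against non-existent pages), here is an added Python example; it is not part of the Sigma rule or the Sigma project. It assumes a constructed W3C field order for the sample lines and approximates Sigma keyword matching as a case-insensitive substring search over the whole log line.

```python
# Added example, not the Sigma project's own code. Assumes the W3C field order below
# and approximates Sigma keyword matching as case-insensitive substring search.

# Keyword list as given in the rule's `keywords` block.
SQLI_KEYWORDS = [
    "@@version", "%271%27%3D%271", "=select ", "=select(", "=select%20",
    "concat_ws(", "CONCAT(0x", "from mysql.innodb_table_stats",
    "from%20mysql.innodb_table_stats", "group_concat(", "information_schema.tables",
    "json_arrayagg(", "or 1=1#", "or%201=1#", "order by ", "order%20by%20",
    "select * ", "select database()", "select version()", "select%20*%20",
    "select%20database()", "select%20version()", "select%28sleep%2810%29",
    "SELECTCHAR(", "table_schema", "UNION ALL SELECT", "UNION SELECT",
    "UNION%20ALL%20SELECT", "UNION%20SELECT", "'1'='1",
]

# Assumed (constructed) W3C field order for the sample lines; real logs declare it in #Fields.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

def parse_line(line):
    """Split one space-delimited W3C line into a field dict; None for directives or short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def matches_rule(line):
    """Rule condition: selection and keywords and not 1 of filter_main_*."""
    rec = parse_line(line)
    if rec is None:
        return False
    selection = rec["cs-method"] == "GET"
    lowered = line.lower()
    keywords = any(k.lower() in lowered for k in SQLI_KEYWORDS)
    filter_main_status = rec["sc-status"] == "404"
    return selection and keywords and not filter_main_status

# Constructed sample log: one true hit, one hit suppressed by the 404 filter, two non-matches.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-01 10:00:00 203.0.113.5 GET /products.php id=1%20UNION%20SELECT%201,2,3 200
2024-01-01 10:00:01 203.0.113.5 GET /old.php id=1%20UNION%20SELECT%201 404
2024-01-01 10:00:02 198.51.100.7 GET /search q=order+tracking 200
2024-01-01 10:00:03 203.0.113.5 POST /login - 302"""

def alerts(log_text):
    """Return the log lines that would fire the rule."""
    return [line for line in log_text.splitlines() if matches_rule(line)]
```

Running `alerts(SAMPLE_LOG)` returns only the first request line; the same payload against the 404 page is dropped by the filter, which is why the false-positive notes above suggest adding further status-code and User-Agent filters for scanner noise.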
MITRE ATT&CK
Tactics: Initial Access (attack.initial-access)
Techniques: T1190 Exploit Public-Facing Application (attack.t1190)
Rule Metadata
Rule ID: 5513deaf-f49a-46c2-a6c8-3f111b5cb453
Status: test
Level: high
Type: Detection
Created: Sat Feb 22
Modified: Mon Sep 04
Path: rules/web/webserver_generic/web_sql_injection_in_access_logs.yml
Raw Tags: attack.initial-access, attack.t1190