Detection · medium · test

Suspicious SQL Query

Detects suspicious SQL query keywords that are often used during reconnaissance, exfiltration or destructive activity, such as dropping tables and selecting wildcard fields.

Author: @juju4
Created: Tue Dec 27
Rule ID: d84c0ded-edd7-4123-80ed-348bb3ccc4d5

Log Source
Category: database

Definition

Requirements: Must be able to log the SQL queries

Detection Logic
detection:
    keywords:
        - 'drop'
        - 'truncate'
        - 'dump'
        - 'select \*'
    condition: keywords
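The following is an added example, not part of the rule or of the Sigma project, showing how the keyword list above behaves when applied to a database query log. It assumes the standard Sigma semantics for a `keywords` list: each entry is a case-insensitive substring match anywhere in the log line, an unescaped `*` is a wildcard, and `\*` (as in `'select \*'`) is a literal asterisk. The log lines are constructed sample data. Running it makes the rule's false-positive note concrete: a column named `dropdown_default` trips the `drop` keyword just as `DROP TABLE` does, so analysts should expect to tune or correlate this rule rather than alert on it alone.

```python
import re
from typing import Iterable

# Keywords copied from the rule above. In Sigma a backslash escapes the
# wildcard, so 'select \*' means the literal text "select *".
KEYWORDS = ["drop", "truncate", "dump", r"select \*"]


def sigma_keyword_to_regex(keyword: str) -> re.Pattern:
    """Translate one Sigma keyword into a case-insensitive substring regex.

    Unescaped '*' and '?' are Sigma wildcards; '\\*' and '\\?' are literals.
    (Assumed Sigma semantics; this is an illustration, not a Sigma backend.)
    """
    out = []
    i = 0
    while i < len(keyword):
        ch = keyword[i]
        if ch == "\\" and i + 1 < len(keyword):
            out.append(re.escape(keyword[i + 1]))  # escaped literal
            i += 2
            continue
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


PATTERNS = [(k, sigma_keyword_to_regex(k)) for k in KEYWORDS]


def match_keywords(log_line: str) -> list[str]:
    """Return the rule keywords that match the line (empty list = no alert)."""
    return [k for k, p in PATTERNS if p.search(log_line)]


def evaluate(lines: Iterable[str]) -> list[tuple[str, list[str]]]:
    """Run the rule over log lines; return (line, matched keywords) for hits."""
    results = []
    for line in lines:
        hits = match_keywords(line)
        if hits:
            results.append((line, hits))
    return results


# Constructed sample query-log lines (not real data). Line 4 is a benign
# UPDATE whose column name contains "drop"; line 5 is a routine backup job.
SAMPLE_LOG = [
    "2023-01-05 10:02:11 app_user: SELECT id, name FROM customers WHERE id = 42",
    "2023-01-05 10:02:15 app_user: SELECT * FROM customers",
    "2023-01-05 10:03:40 admin: DROP TABLE audit_log",
    "2023-01-05 10:04:02 app_user: UPDATE settings SET dropdown_default = 'blue'",
    "2023-01-05 10:05:19 backup: mysqldump --single-transaction shop",
]

if __name__ == "__main__":
    for line, hits in evaluate(SAMPLE_LOG):
        print(f"{hits}: {line}")
```

Of the five sample lines, four match: the wildcard SELECT, the DROP TABLE, the `dropdown_default` update (a false positive from substring matching) and the backup job (`mysqldump` contains `dump`). Only the first, fully-qualified SELECT passes silently, which is the kind of baseline inventory traffic the False Positives section refers to.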
False Positives

Inventory and monitoring activity

Vulnerability scanners

Legitimate applications

Rule Metadata
Rule ID
d84c0ded-edd7-4123-80ed-348bb3ccc4d5
Status
test
Level
medium
Type
Detection
Created
Tue Dec 27
Author
@juju4
Path
rules/category/database/db_anomalous_query.yml
Raw Tags
attack.exfiltration, attack.initial-access, attack.privilege-escalation, attack.persistence, attack.t1190, attack.t1505.001