security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b2acd800981e1c8d9f747173eb7803f0405cebd6
blue-team-tools/rules/category/database/db_anomalous_query.yml
T

31 lines
871 B
YAML
Raw Normal View History

rewrite issue 1555 (#3818)
2022-12-27 19:28:34 +01:00
title: Suspicious SQL Query
id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
Merge PR #4533 from @nasbench - Promote experimental rules
2023-11-02 10:48:45 +01:00
status: test
rewrite issue 1555 (#3818)
2022-12-27 19:28:34 +01:00
description: Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
author: '@juju4'
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
date: 2022-12-27
rewrite issue 1555 (#3818)
2022-12-27 19:28:34 +01:00
references:
- https://github.com/sqlmapproject/sqlmap
tags:
- attack.exfiltration
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12 12:02:50 +02:00
- attack.initial-access
- attack.privilege-escalation
Merge PR #5395 from @david-syk - Update MITRE ATT&CK tags
2025-05-20 23:05:21 +02:00
- attack.persistence
rewrite issue 1555 (#3818)
2022-12-27 19:28:34 +01:00
- attack.t1190
- attack.t1505.001
logsource:
category: database
definition: 'Requirements: Must be able to log the SQL queries'
detection:
keywords:
- 'drop'
- 'truncate'
- 'dump'
- 'select \*'
condition: keywords
falsepositives:
- Inventory and monitoring activity
- Vulnerability scanners
- Legitimate applications
level: medium
Reference in New Issue Copy Permalink