security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
b2acd800981e1c8d9f747173eb7803f0405cebd6
blue-team-tools/rules/category/database/db_anomalous_query.yml
T
david-syk a869abc3cc Merge PR #5395 from @david-syk - Update MITRE ATT&CK tags 
chore: update the tags of multiple rules
2025-05-20 23:05:21 +02:00

31 lines
871 B
YAML
Raw Blame History

title: Suspicious SQL Query
id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
status: test
description: Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
author: '@juju4'
date: 2022-12-27
references:
- https://github.com/sqlmapproject/sqlmap
tags:
- attack.exfiltration
- attack.initial-access
- attack.privilege-escalation
- attack.persistence
- attack.t1190
- attack.t1505.001
logsource:
category: database
definition: 'Requirements: Must be able to log the SQL queries'
detection:
keywords:
- 'drop'
- 'truncate'
- 'dump'
- 'select \*'
condition: keywords
falsepositives:
- Inventory and monitoring activity
- Vulnerability scanners
- Legitimate applications
level: medium
Reference in New Issue View Git Blame Copy Permalink