security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
b2acd800981e1c8d9f747173eb7803f0405cebd6
blue-team-tools/rules/windows/builtin/application/mssqlserver/win_mssql_destructive_query.yml
T
dan21san fd62c55e47 Merge PR #5221 from @dan21san - MSSQL Destructive Query 
new: MSSQL Destructive Query
---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2025-06-11 11:25:56 +02:00

32 lines
1.2 KiB
YAML
Raw Blame History

title: MSSQL Destructive Query
id: 00321fee-ca72-4cce-b011-5415af3b9960
status: experimental
description: |
Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
references:
- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-table-transact-sql?view=sql-server-ver16
- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-database-transact-sql?view=sql-server-ver16
- https://learn.microsoft.com/en-us/sql/t-sql/statements/truncate-table-transact-sql?view=sql-server-ver16
author: Daniel Degasperi '@d4ns4n_'
date: 2025-06-04
tags:
- attack.exfiltration
- attack.impact
- attack.t1485
logsource:
product: windows
service: application
definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event (event id 33205)'
detection:
selection:
Provider_Name: 'MSSQLSERVER$AUDIT'
EventID: 33205
Data|contains:
- 'statement:TRUNCATE TABLE'
- 'statement:DROP TABLE'
- 'statement:DROP DATABASE'
condition: selection
falsepositives:
- Legitimate transaction from a sysadmin.
level: medium
Reference in New Issue View Git Blame Copy Permalink