security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
bcce3a85aa43a936412fd32ffdfd41ea71ce1e02
blue-team-tools/rules/application/database/db_anomalous_query.yml
T
frack113 e1707c8f50 rewrite issue 1555 (#3818) 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-27 19:28:34 +01:00

30 lines
854 B
YAML
Raw Blame History

title: Suspicious SQL Query
id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
status: experimental
description: Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
author: '@juju4'
date: 2022/12/27
references:
- https://github.com/sqlmapproject/sqlmap
tags:
- attack.exfiltration
- attack.initial_access
- attack.privilege_escalation
- attack.t1190
- attack.t1505.001
logsource:
category: database
definition: 'Requirements: Must be able to log the SQL queries'
detection:
keywords:
- 'drop'
- 'truncate'
- 'dump'
- 'select \*'
condition: keywords
falsepositives:
- Inventory and monitoring activity
- Vulnerability scanners
- Legitimate applications
level: medium
Reference in New Issue View Git Blame Copy Permalink