Initial Access (TA0001)(external, opens in a new tab or window)
text code block:from logs-system.application-*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index | where host.os.type == "windows" and winlog.provider_name like "MSSQL*" and event.code == "33205" | EVAL message_upper = TO_UPPER(message) | where ( message_upper RLIKE ".*CONVERT\\(INT,\\(SELECT (CHAR\\(\\d{1,3}\\)\\+){3,}.*" or message_upper RLIKE ".*(CHAR\\(\\d{1,3}\\)\\+){3,}CHAR\\(\\d{1,3}\\).*" or message_upper RLIKE ".*CASE WHEN \\(\\d+=\\d+\\).*UNION SELECT \\d+.*" or message_upper RLIKE ".*WAITFOR DELAY \\'0:0:\\d+\\'.*" or message_upper RLIKE ".*;\\s*(EXEC|EXECUTE)\\s*\\(?\\s*(MASTER\\.)?\\.?XP_CMDSHELL.*" or message_upper RLIKE ".*UNION SELECT (NULL\\s*,\\s*){2,}NULL.*" or message_upper RLIKE ".*'\\w*'\\s*\\+\\s*\\(\\(SELECT @@VERSION\\)\\)\\s*\\+\\s*'\\w*'.*" or message_upper RLIKE ".*(OR|AND)\\s+'?\\d+'?\\s*=\\s*'?\\d+'?\\s*--.*" ) | eval Esql.original_message = message | keep @timestamp, host.id, host.name, host.ip, winlog.computer_name, message, event.outcome, Esql.original_message, _id, _version, _index, data_stream.namespace | limit 10
Install detection rules in Elastic Security
Detect Potential SQL Injection Against Microsoft SQL Server in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).