Potential SQL Injection Against Microsoft SQL Server

Last updated 3 days ago on 2026-07-01
Created 3 days ago on 2026-07-01

About

Identifies potential SQL injection attempts against Microsoft SQL Server by detecting obfuscated T-SQL patterns in SQL Server Audit events. Attackers use CHAR concatenation, CONVERT-based subqueries, and CASE/UNION constructs to bypass input validation and extract data or execute unauthorized statements.
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Initial AccessData Source: Windows Application Event LogsLanguage: esql
Severity
high
Risk Score
73
MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

system(external, opens in a new tab or window)

windows(external, opens in a new tab or window)

Query
text code block:
from logs-system.application-*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index | where host.os.type == "windows" and winlog.provider_name like "MSSQL*" and event.code == "33205" | EVAL message_upper = TO_UPPER(message) | where ( message_upper RLIKE ".*CONVERT\\(INT,\\(SELECT (CHAR\\(\\d{1,3}\\)\\+){3,}.*" or message_upper RLIKE ".*(CHAR\\(\\d{1,3}\\)\\+){3,}CHAR\\(\\d{1,3}\\).*" or message_upper RLIKE ".*CASE WHEN \\(\\d+=\\d+\\).*UNION SELECT \\d+.*" or message_upper RLIKE ".*WAITFOR DELAY \\'0:0:\\d+\\'.*" or message_upper RLIKE ".*;\\s*(EXEC|EXECUTE)\\s*\\(?\\s*(MASTER\\.)?\\.?XP_CMDSHELL.*" or message_upper RLIKE ".*UNION SELECT (NULL\\s*,\\s*){2,}NULL.*" or message_upper RLIKE ".*'\\w*'\\s*\\+\\s*\\(\\(SELECT @@VERSION\\)\\)\\s*\\+\\s*'\\w*'.*" or message_upper RLIKE ".*(OR|AND)\\s+'?\\d+'?\\s*=\\s*'?\\d+'?\\s*--.*" ) | eval Esql.original_message = message | keep @timestamp, host.id, host.name, host.ip, winlog.computer_name, message, event.outcome, Esql.original_message, _id, _version, _index, data_stream.namespace | limit 10

Install detection rules in Elastic Security

Detect Potential SQL Injection Against Microsoft SQL Server in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).