Skip to content

[New] Potential SQL Injection Against Microsoft SQL Server#6364

Open
Samirbous wants to merge 4 commits into
mainfrom
sql_inj
Open

[New] Potential SQL Injection Against Microsoft SQL Server#6364
Samirbous wants to merge 4 commits into
mainfrom
sql_inj

Conversation

@Samirbous

@Samirbous Samirbous commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Identifies potential SQL injection attempts against Microsoft SQL Server by detecting obfuscated T-SQL patterns in SQL Server Audit events. Attackers use CHAR concatenation, CONVERT-based subqueries, and CASE/UNION constructs to bypass input validation and extract data or execute unauthorized statements.

image
Identifies potential SQL injection attempts against Microsoft SQL Server by detecting obfuscated T-SQL patterns in SQL Server Audit events. Attackers use CHAR concatenation, CONVERT-based subqueries, and CASE/UNION constructs to bypass input validation and extract data or execute unauthorized statements.
@Samirbous Samirbous self-assigned this Jul 1, 2026
Copilot AI review requested due to automatic review settings July 1, 2026 11:44
@Samirbous Samirbous added Rule: New Proposal for new rule OS: Windows windows related rules labels Jul 1, 2026
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

  • Detailed description of the rule.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.

Rule Metadata Checks

  • creation_date matches the date of creation PR initially merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added to non-ecs-schema.json if not available in an integration.
  • min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • setup should include the necessary steps to configure the integration.
  • note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
  • threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • Provide evidence of testing and detecting the expected threat.
  • Check for existence of coverage to prevent duplication.
@tradebot-elastic

tradebot-elastic commented Jul 1, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Potential SQL Injection Against Microsoft SQL Server (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
@tradebot-elastic

tradebot-elastic commented Jul 1, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Potential SQL Injection Against Microsoft SQL Server (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new Windows ES|QL detection rule intended to identify potential SQL injection attempts against Microsoft SQL Server by matching obfuscated T-SQL patterns in SQL Server Audit (Windows Application log) events.

Changes:

  • Introduces a new production-ready rule for SQL Server Audit event ID 33205 with regex-based matching of obfuscated T-SQL payload patterns.
  • Adds investigation guidance and setup instructions for enabling SQL Server Audit logging to the Windows Application log.
  • Maps the detection to MITRE ATT&CK Initial Access (T1190).
Comment thread rules/windows/initial_access_mssql_potential_sql_injection.toml
Comment thread rules/windows/initial_access_mssql_potential_sql_injection.toml Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@tradebot-elastic

tradebot-elastic commented Jul 1, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Potential SQL Injection Against Microsoft SQL Server (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
@tradebot-elastic

tradebot-elastic commented Jul 1, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Potential SQL Injection Against Microsoft SQL Server (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule

3 participants