MSSQL Destructive Query

Original Source: [Sigma source]
Title: MSSQL Destructive Query
Status: experimental
Description: Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
References:
  - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-table-transact-sql?view=sql-server-ver16
  - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-database-transact-sql?view=sql-server-ver16
  - https://learn.microsoft.com/en-us/sql/t-sql/statements/truncate-table-transact-sql?view=sql-server-ver16
Author: Daniel Degasperi '@d4ns4n_'
Date: 2025-06-04
Modified: None
Tags:
  • attack.exfiltration
  • attack.impact
  • attack.t1485
Logsource:
  • product: windows
  • service: application
  • definition: Requirements: MSSQL audit policy must be enabled in order to receive this event (event id 33205)
Detection:
  selection:
    Provider_Name: 'MSSQLSERVER$AUDIT'
    EventID: '33205'
    Data|contains:
      - 'statement:TRUNCATE TABLE'
      - 'statement:DROP TABLE'
      - 'statement:DROP DATABASE'

  condition: selection
Falsepositives:
  - Legitimate transaction from a sysadmin.
Level: medium
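As an added example (not part of the rule or the Sigma project), the Python below evaluates this rule's selection against constructed Windows Application-log events and pulls the principal, database and statement out of the Data field so the documented false positive (a sysadmin's legitimate transaction) can be triaged. The `server_principal_name` and `database_name` key names and the one-pair-per-line layout of Data are assumptions about the 33205 payload, not something the rule specifies.

```python
# Added example (not part of the Sigma rule): applies this page's selection to
# Windows Application-log events. Sample events below are constructed.

PROVIDER = "MSSQLSERVER$AUDIT"
EVENT_ID = "33205"
DESTRUCTIVE_MARKERS = (  # the rule's Data|contains values
    "statement:TRUNCATE TABLE",
    "statement:DROP TABLE",
    "statement:DROP DATABASE",
)

def matches_destructive_query(event: dict) -> bool:
    """True when the event satisfies the rule's selection. Sigma string
    matching is case-insensitive by default, so both sides are lowercased."""
    if str(event.get("Provider_Name", "")).lower() != PROVIDER.lower():
        return False
    if str(event.get("EventID", "")) != EVENT_ID:
        return False
    data = str(event.get("Data", "")).lower()
    return any(m.lower() in data for m in DESTRUCTIVE_MARKERS)

def triage_fields(event: dict) -> dict:
    """Extract principal, database and statement from the Data blob so the
    documented false positive (a sysadmin's legitimate transaction) can be
    checked. Assumes one 'key:value' pair per line; the key names are an
    assumption about the 33205 payload layout, not taken from the rule."""
    fields = {}
    for line in str(event.get("Data", "")).splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    wanted = ("server_principal_name", "database_name", "statement")
    return {k: fields.get(k) for k in wanted}

def alerts(events: list) -> list:
    """Triage fields for every event the rule would fire on."""
    return [triage_fields(e) for e in events if matches_destructive_query(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Provider_Name": "MSSQLSERVER$AUDIT", "EventID": 33205, "Data":
     "server_principal_name:CORP\\svc_etl\ndatabase_name:Sales\nstatement:DROP TABLE dbo.Orders"},
    {"Provider_Name": "MSSQLSERVER$AUDIT", "EventID": 33205, "Data":
     "server_principal_name:CORP\\analyst\ndatabase_name:Sales\nstatement:SELECT COUNT(*) FROM dbo.Orders"},
    {"Provider_Name": "MSSQLSERVER$AUDIT", "EventID": 33205, "Data":  # lowercase still matches
     "server_principal_name:sa\ndatabase_name:Staging\nstatement:truncate table dbo.Import"},
    {"Provider_Name": "Microsoft-Windows-Security-Auditing", "EventID": 4624, "Data":
     "statement:DROP DATABASE Sales"},  # right text, wrong provider and event id
]
```

Running `alerts(SAMPLE_EVENTS)` returns two hits (the DROP TABLE and the lowercase TRUNCATE TABLE events); the SELECT and the non-MSSQL event are not matched.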