MSSQL Destructive Query

Rule Info

Name
MSSQL Destructive Query
Author
Daniel Degasperi '@d4ns4n_'
Description
Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
Reference
https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-table-transact-sql?view=sql-server-ver16
Date
2025-06-04 00:00:00
Modified
None
Id
00321fee-ca72-4cce-b011-5415af3b9960
Tags
attack.exfiltration attack.impact attack.t1485
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=00321fee-ca72-4cce-b011-5415af3b9960

Rule History

Author
Title
Date
Commit
dan21san
Merge PR #5221 from @dan21san - MSSQL Destructive Query
2025-06-11
fd62c55e4
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022