
Summary
Identifies potential SQL injection attempts against Microsoft SQL Server by analyzing SQL Server Audit events (event ID 33205) written to the Windows Application log. These events are only produced when a server audit with an Application log target and a matching audit specification are enabled on the instance, so the rule has no visibility on instances where auditing is off. The rule targets obfuscated T-SQL patterns used to bypass input validation, including CHAR concatenation, CONVERT-based subqueries (typically error-based extraction), CASE/UNION constructs, and other payloads that aim to extract data or execute unauthorized statements. It inspects the statement text carried in the audit message within Windows host context, preserving the original message for investigation and correlating with related logs for triage.
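The detection logic described above, as an added example that is not the rule's own search or code: it parses the key:value body of a SQL Server Audit event as it appears in event ID 33205, runs a small set of obfuscation patterns over the `statement` field, and keeps the raw message on each finding. The three audit messages are constructed for this example (values invented, key set approximated), and the pattern list and scoring are assumptions about what such a rule would match, not the rule's actual regexes.

```python
import re

# Constructed SQL Server Audit messages (event ID 33205 body, key:value per line).
# Instance, principal and session values are invented for this example.
SAMPLE_EVENTS = [
    # 1. UNION plus CONVERT-wrapped subquery: error-based extraction of a DB name.
    "audit_schema_version:1\n"
    "event_time:2025-03-04 10:15:22.1234567\n"
    "sequence_number:1\n"
    "action_id:SL\n"
    "succeeded:true\n"
    "session_id:57\n"
    "server_principal_name:webapp_svc\n"
    "database_name:Orders\n"
    "server_instance_name:SQL01\n"
    "statement:SELECT name FROM Customers WHERE id = 1 UNION SELECT "
    "CONVERT(INT,(SELECT TOP 1 name FROM sys.databases WHERE name NOT IN "
    "('master','tempdb')))--\n"
    "additional_information:\n",
    # 2. Benign parameterised query that happens to use CASE WHEN.
    "audit_schema_version:1\n"
    "event_time:2025-03-04 10:16:05.0000000\n"
    "sequence_number:1\n"
    "action_id:SL\n"
    "succeeded:true\n"
    "session_id:58\n"
    "server_principal_name:webapp_svc\n"
    "database_name:Orders\n"
    "server_instance_name:SQL01\n"
    "statement:SELECT CASE WHEN total > 100 THEN 'big' ELSE 'small' END AS size "
    "FROM Orders WHERE customer_id = @p1\n"
    "additional_information:\n",
    # 3. CHAR concatenation hiding the literal 'admin' from keyword filters.
    "audit_schema_version:1\n"
    "event_time:2025-03-04 10:17:40.0000000\n"
    "sequence_number:1\n"
    "action_id:SL\n"
    "succeeded:true\n"
    "session_id:59\n"
    "server_principal_name:webapp_svc\n"
    "database_name:Orders\n"
    "server_instance_name:SQL01\n"
    "statement:SELECT * FROM Users WHERE name = "
    "CHAR(97)+CHAR(100)+CHAR(109)+CHAR(105)+CHAR(110)\n"
    "additional_information:\n",
]

# Assumed obfuscation indicators (not the rule's own regexes).
PATTERNS = {
    "char_concat": re.compile(r"CHAR\(\d{1,3}\)\s*\+\s*CHAR\(\d{1,3}\)", re.I),
    "convert_subquery": re.compile(r"\bCONVERT\s*\(\s*\w+\s*,\s*\(\s*SELECT\b", re.I),
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "case_when": re.compile(r"\bCASE\s+WHEN\b.*?\bTHEN\b", re.I | re.S),
    "stacked_exec": re.compile(r";\s*EXEC(?:UTE)?\b", re.I),
}
# CASE alone is common in legitimate T-SQL, so it only counts together with
# another indicator; the rest are strong enough to flag on their own.
STRONG = {"char_concat", "convert_subquery", "union_select", "stacked_exec"}

KEY_LINE = re.compile(r"^([a-z_]+):(.*)$")


def parse_audit_message(message: str) -> dict:
    """Split a 33205 audit body into fields; a multi-line statement stays intact."""
    fields, current = {}, None
    for line in message.splitlines():
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            fields[current] = m.group(2)
        elif current is not None:          # continuation of the previous value
            fields[current] += "\n" + line
    return fields


def detect_patterns(message: str) -> list:
    """Return the sorted names of indicators present in the statement text."""
    fields = parse_audit_message(message)
    text = fields.get("statement", "") + "\n" + fields.get("additional_information", "")
    if not fields.get("statement"):
        text = message                     # fall back to the whole body
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))


def is_suspicious(matches: list) -> bool:
    return any(m in STRONG for m in matches) or len(matches) >= 2


def scan_events(messages: list) -> list:
    """Produce one finding per suspicious event, preserving the raw message."""
    findings = []
    for msg in messages:
        matches = detect_patterns(msg)
        if not is_suspicious(matches):
            continue
        f = parse_audit_message(msg)
        findings.append({
            "instance": f.get("server_instance_name"),
            "session_id": f.get("session_id"),
            "principal": f.get("server_principal_name"),
            "database": f.get("database_name"),
            "matches": matches,
            "statement": f.get("statement"),
            "raw": msg,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding["instance"], finding["principal"], finding["matches"])
```

Running it flags the first and third events and leaves the CASE-only query alone. In a production rule the indicator list would be tuned against the application's real query profile, since ORMs and reporting code legitimately emit UNION and CASE, and the `raw` field is what an analyst pivots on when correlating with the Windows host and web server logs.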
Categories
- Endpoint
- Windows
- Application
Data Sources
- Application Log
ATT&CK Techniques
- T1190
Created: 2026-07-01