Data Export From MSSQL Table Via BCP.EXE

Rule Info

Name: Data Export From MSSQL Table Via BCP.EXE
Author: Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems)
Description: Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
Date: 2024-08-20 00:00:00
Modified: None
Id: c615d676-f655-46b9-b913-78729021e5d7
Tags: attack.execution attack.t1048 DEMO
Type: Community Rule

Rule History

Author: Omar A.
Title: Merge PR #4948 from @omaramin17 - Add `Data Export From MSSQL Table Via BCP.EXE`
Date: 2024-08-20
Commit: