Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Data Export From MSSQL Table Via BCP.EXE

Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Omar Khaled, MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems)Created Tue Aug 20c615d676-f655-46b9-b913-78729021e5d7windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith: '\bcp.exe'
        - OriginalFileName: 'BCP.exe'
    selection_cli:
        CommandLine|contains:
            - ' out ' # Export data from a table
            - ' queryout ' # Export data based on a SQL query
    condition: all of selection_*
False Positives

Legitimate data export operations.

References
1
Resolving title…
docs.microsoft.com
2
Resolving title…
asec.ahnlab.com
3
Resolving title…
asec.ahnlab.com
4
Resolving title…
huntress.com
5
Resolving title…
huntress.com
6
Resolving title…
news.sophos.com
7
Resolving title…
research.nccgroup.com
MITRE ATT&CK
Rule Metadata
Rule ID
c615d676-f655-46b9-b913-78729021e5d7
Status
test
Level
medium
Type
Detection
Created
Tue Aug 20
Author
Omar Khaled, MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_bcp_export_data.yml
Raw Tags
attack.executionattack.exfiltrationattack.t1048
View on GitHub