Techniques
Sample rules
Data Export From MSSQL Table Via BCP.EXE
- source: sigma
- techniques:
- t1048
Description
Detects execution of the BCP utility (bcp.exe, the SQL Server bulk copy program) with the "out" or "queryout" direction, i.e. exporting data from a database table or query into a file. Attackers have been seen storing their malware in a database column or table and later extracting it to a file with bcp.exe.
Detection logic
selection_img:
    - Image|endswith: \bcp.exe
    - OriginalFileName: BCP.exe
selection_cli:
    CommandLine|contains:
        - ' out '
        - ' queryout '
condition: all of selection_*
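To make the matching semantics of the rule concrete, the following is an added example (not part of the Sigma project or of this rule) that re-implements the detection logic in plain Python and runs it over a handful of constructed process-creation events. It assumes the standard Sigma process_creation field names (Image, OriginalFileName, CommandLine) and the Sigma default that the contains and endswith modifiers are case-insensitive. The sample events, paths and command lines are constructed for this demonstration and are not real telemetry.

```python
"""Plain-Python re-implementation of the Sigma rule
"Data Export From MSSQL Table Via BCP.EXE".

Added example, not the Sigma project's code. Field names follow the
Sigma process_creation logsource; the events below are constructed.
"""


def _norm(value):
    # Sigma string modifiers (contains, endswith, plain equality) are
    # case-insensitive by default, so compare everything lower-cased.
    return (value or "").lower()


def selection_img(event):
    """selection_img is a YAML list of two maps, so either map suffices (OR).
    OriginalFileName comes from the PE header and still reads BCP.exe when
    the binary on disk has been renamed."""
    return (
        _norm(event.get("Image")).endswith(r"\bcp.exe")
        or _norm(event.get("OriginalFileName")) == "bcp.exe"
    )


def selection_cli(event):
    """selection_cli: CommandLine|contains with a list of values (OR).
    Both needles are needed: ' queryout ' does not contain ' out '
    because 'y' precedes the 'o'."""
    cmd = _norm(event.get("CommandLine"))
    return any(needle in cmd for needle in (" out ", " queryout "))


def matches(event):
    """condition: all of selection_*  (AND across the two selections)."""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: ordinary table export via 'out' -> should match
        "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
        "OriginalFileName": "BCP.exe",
        "CommandLine": r"bcp.exe AdventureWorks.dbo.Staging out C:\Windows\Temp\s.bin -T -n",
    },
    {   # 1: renamed binary, PE name still BCP.exe, 'queryout' export -> should match
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "BCP.exe",
        "CommandLine": r'svc.exe "SELECT payload FROM dbo.blobs" queryout C:\Users\Public\p.dll -T -N',
    },
    {   # 2: legitimate import direction ('in'), not an export -> must not match
        "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
        "OriginalFileName": "BCP.exe",
        "CommandLine": r"bcp.exe Sales.dbo.Orders in C:\data\orders.csv -c -T",
    },
    {   # 3: unrelated process whose arguments contain ' out ' -> must not match
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c echo logged out > C:\tmp\x.txt",
    },
]


def run(events=SAMPLE_EVENTS):
    """Return the indexes of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i in run():
        print(f"event {i}: Data Export From MSSQL Table Via BCP.EXE")
```

Event 1 is the case the OriginalFileName clause exists for: an Image-only check would miss a copy of bcp.exe dropped under another name. Events 2 and 3 show the two guards against noise, the import direction and a non-bcp process whose arguments happen to contain " out ".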