Data Export From MSSQL Table Via BCP.EXE
Detects execution of the BCP (bulk copy program) utility with the "out" or "queryout" argument, i.e. exporting the contents of an MSSQL table, or the result set of a query, into a file on disk. Attackers have been observed staging malware inside a database column or table and later extracting it to a file with "bcp.exe", so the export modes of the tool are the ones worth alerting on (the import mode "in" is not covered by this rule).
Sigma rule
title: Data Export From MSSQL Table Via BCP.EXE
id: c615d676-f655-46b9-b913-78729021e5d7
status: test
description: |
    Detects the execution of the BCP utility in order to export data from the database.
    Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
references:
    - https://docs.microsoft.com/en-us/sql/tools/bcp-utility
    - https://asec.ahnlab.com/en/61000/
    - https://asec.ahnlab.com/en/78944/
    - https://www.huntress.com/blog/attacking-mssql-servers
    - https://www.huntress.com/blog/attacking-mssql-servers-pt-ii
    - https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
    - https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
author: Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems)
date: 2024-08-20
tags:
    - attack.execution
    - attack.exfiltration
    - attack.t1048
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bcp.exe'
        - OriginalFileName: 'BCP.exe'
    selection_cli:
        CommandLine|contains:
            - ' out '      # Export data from a table
            - ' queryout ' # Export data based on a SQL query
    condition: all of selection_*
falsepositives:
    - Legitimate data export operations.
level: medium
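The detection block above, re-implemented in plain Python and run over a handful of constructed process_creation events, shows what the rule does and does not fire on. This is an added example, not code from the Sigma rule or the Sigma project; the host names, paths, table names and event ids in the sample events are made up. Two Sigma semantics matter here and are mirrored in the code: a selection written as a list of maps (selection_img) is evaluated as OR, so a renamed copy of bcp.exe is still caught through OriginalFileName, and string modifiers such as endswith and contains are case-insensitive by default. Note that OriginalFileName is only present in telemetry that reads the PE version resource (e.g. Sysmon event ID 1); Security event 4688 does not carry it, so on 4688-only data the renamed-binary case is missed.

```python
# Added example (not part of the Sigma rule or the Sigma project): the rule's
# detection block re-implemented in plain Python and run over constructed
# process_creation events, to show which ones alert.
from typing import Dict, List

# Selector values copied from the rule. Sigma's `endswith` and `contains`
# modifiers are case-insensitive by default, so every comparison below
# lower-cases both sides.
IMAGE_ENDSWITH = ["\\bcp.exe"]
ORIGINAL_FILENAME = ["BCP.exe"]
CLI_CONTAINS = [" out ", " queryout "]


def selection_img(event: Dict[str, str]) -> bool:
    """selection_img is a list of maps, which Sigma evaluates as OR:
    a renamed copy of bcp.exe still matches through OriginalFileName."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return (any(image.endswith(s.lower()) for s in IMAGE_ENDSWITH)
            or any(ofn == s.lower() for s in ORIGINAL_FILENAME))


def selection_cli(event: Dict[str, str]) -> bool:
    """selection_cli: CommandLine contains ' out ' or ' queryout '."""
    cli = event.get("CommandLine", "").lower()
    return any(s.lower() in cli for s in CLI_CONTAINS)


def matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_cli(event)


def run(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]


# Constructed sample events (hypothetical paths, table names and ids).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 1. queryout: a blob column written straight to an .exe on disk
        "id": "queryout-to-exe",
        "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
        "OriginalFileName": "BCP.exe",
        "CommandLine": r'bcp.exe "SELECT blob FROM tempdb.dbo.stage" queryout C:\Windows\Temp\svc.exe -S . -T -n',
    },
    {   # 2. bcp.exe copied and renamed; only OriginalFileName gives it away
        "id": "renamed-binary-out",
        "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "BCP.exe",
        "CommandLine": r"svchost.exe tempdb.dbo.stage out C:\Users\Public\stage.bin -S . -T -n",
    },
    {   # 3. upper-case arguments still match: Sigma matching is case-insensitive
        "id": "uppercase-queryout",
        "Image": r"C:\Tools\BCP.EXE",
        "OriginalFileName": "BCP.exe",
        "CommandLine": r'BCP.EXE "SELECT 1" QUERYOUT C:\Temp\x.bin -S . -T -c',
    },
    {   # 4. bulk import ("in"): the rule only covers the export modes, no alert
        "id": "import-in",
        "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
        "OriginalFileName": "BCP.exe",
        "CommandLine": r"bcp.exe Sales.dbo.Staging in D:\loads\orders.csv -S . -T -c",
    },
    {   # 5. ' out ' is in the command line but the image is not bcp.exe, no alert
        "id": "cmd-echo-out",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c echo out > C:\Temp\log.txt",
    },
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:22s} img={selection_img(event)!s:5} "
              f"cli={selection_cli(event)!s:5} alert={matches(event)}")
    print("alerts:", run(SAMPLE_EVENTS))
```

Events 1 to 3 alert; event 4 is the import direction the rule deliberately leaves out, and event 5 shows why the condition is "all of selection_*" rather than a single selection: a space-delimited "out" on its own is far too common to alert on without the image check.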
Related rules
- Copy From Or To Admin Share Or Sysvol Folder
- DNS TOR Proxies
- Powershell DNSExfiltration
- Suspicious Redirection to Local Admin Share
- Tap Driver Installation