Data Export From MSSQL Table Via BCP.EXE
Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
Sigma rule (View on GitHub)
1title: Data Export From MSSQL Table Via BCP.EXE
2id: c615d676-f655-46b9-b913-78729021e5d7
3status: experimental
4description: |
5 Detects the execution of the BCP utility in order to export data from the database.
6 Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
7references:
8 - https://docs.microsoft.com/en-us/sql/tools/bcp-utility
9 - https://asec.ahnlab.com/en/61000/
10 - https://asec.ahnlab.com/en/78944/
11 - https://www.huntress.com/blog/attacking-mssql-servers
12 - https://www.huntress.com/blog/attacking-mssql-servers-pt-ii
13 - https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
14 - https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
15author: Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems)
16date: 2024-08-20
17tags:
18 - attack.execution
19 - attack.t1048
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection_img:
25 - Image|endswith: '\bcp.exe'
26 - OriginalFileName: 'BCP.exe'
27 selection_cli:
28 CommandLine|contains:
29 - ' out ' # Export data from a table
30 - ' queryout ' # Export data based on a SQL query
31 condition: all of selection_*
32falsepositives:
33 - Legitimate data export operations.
34level: medium
References
-
The bulk copy program (bcp) utility bulk copies data between an instance of SQL Server and a data file in a user-specified format.
Read More -
AhnLab SEcurity intelligence Center (ASEC) has recently identified a new activity of the Trigona ransomware threat actor installing Mimic ransomware. Like past cases, the recently detected attack targets MS-SQL servers and is notable for exploiting the Bulk Copy Program (BCP) utility in MS-SQL servers during the malware installation process. Trigona ransomware: Known to have been […]
Read More -
Overview The ASEC analysis team uses the AhnLab Smart Defense (ASD) infrastructure to categorize and respond to attacks on vulnerable MS-SQL servers. This report will cover the current state of damage to MS-SQL servers which have become the target of attacks based on the logs discovered in Q1 2024, and also discuss statistics on […]
Read More -
In addition to social engineering attacks, threat actors target organizations' attack surface, looking for exposed services and applications to gain access into an infrastructure. Microsoft SQL database servers have long been a target for attackers.
Read More -
The publication of the first blog post led a Huntress SOC analyst to identify and escalate a second, similar incident. A deeper investigation into the activity made it clear that the Huntress SOC had obviated several Trigona ransomware attacks, protecting customers from the impact of a ransomware infection.
Read More -
-
In May 2017, NCC Group’s Incident Response team reacted to an ongoing incident where our client, which provides a range of services to UK Government, suffered a network compromise involving the adv...
Read More
Related rules
- Potentially Suspicious Rundll32.EXE Execution of UDL File
- Suspicious Rundll32 Execution of UDL File
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AMSI Bypass Pattern Assembly GetType