Dumping Process via Sqldumper.exe
Detects process dump via legitimate sqldumper.exe binary
Sigma rule (View on GitHub)
1title: Dumping Process via Sqldumper.exe
2id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
3status: test
4description: Detects process dump via legitimate sqldumper.exe binary
5references:
6 - https://twitter.com/countuponsec/status/910977826853068800
7 - https://twitter.com/countuponsec/status/910969424215232518
8 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
9author: Kirill Kiryanov, oscd.community
10date: 2020-10-08
11modified: 2021-11-27
12tags:
13 - attack.credential-access
14 - attack.t1003.001
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 Image|endswith: '\sqldumper.exe'
21 CommandLine|contains:
22 - '0x0110'
23 - '0x01100:40'
24 condition: selection
25falsepositives:
26 - Legitimate MSSQL Server actions
27level: medium
References
-
Sqldumper.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More
Related rules
- APT31 Judgement Panda Activity
- Cred Dump Tools Dropped Files
- Credential Dumping Activity By Python Based Tool
- Credential Dumping Attempt Via WerFault
- Credential Dumping Tools Service Execution - Security