Dumping Process via Sqldumper.exe
Detects process dump via legitimate sqldumper.exe binary
Sigma rule (View on GitHub)
1title: Dumping Process via Sqldumper.exe
2id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
3status: test
4description: Detects process dump via legitimate sqldumper.exe binary
5references:
6 - https://twitter.com/countuponsec/status/910977826853068800
7 - https://twitter.com/countuponsec/status/910969424215232518
8 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
9author: Kirill Kiryanov, oscd.community
10date: 2020/10/08
11modified: 2021/11/27
12tags:
13 - attack.credential_access
14 - attack.t1003.001
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 Image|endswith: '\sqldumper.exe'
21 CommandLine|contains:
22 - '0x0110'
23 - '0x01100:40'
24 condition: selection
25falsepositives:
26 - Legitimate MSSQL Server actions
27level: medium
References
-
-
-
Dump process by PID and create a dump file (Appears to create a dump file called SQLDmprXXXX.mdmp). sqldumper.exe 464 0 0x0110 Use caseDump process using PID. Privileges requiredAdministrator Opera...
Read More
Related rules
- Password Dumper Activity on LSASS
- Time Travel Debugging Utility Usage
- Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
- Suspicious SYSVOL Domain Group Policy Access
- WCE wceaux.dll Access