Data Export From MSSQL Table Via BCP.EXE

    Date: 08/21/2024

    Severity: Medium

    Summary

    This detection covers use of the Bulk Copy Program (BCP) utility, bcp.exe, to export data from a Microsoft SQL Server (MSSQL) table to a file. BCP is a command-line tool for high-performance data export and import. An export command typically specifies the SQL Server instance, database, table, and the file path where the data will be saved, and may also define data format options and the output file format. On the command line, an export is identified by the out or queryout keyword, which is what the CommandLine indicators below match. BCP is useful for handling large volumes of data and for integrating with other systems or processes.

    Indicators of Compromise (IOC) List

    Image

    '\bcp.exe'

    OriginalFileName

    'BCP.exe'

    CommandLine

    ' out '

    ' queryout '

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (((Resourcename in ("Sysmon") AND eventtype = "1") AND image = "\bcp.exe") AND originalfilename = "BCP.exe") AND commandline in ("out","queryout")

    Detection Query 2

    (((Technologygroup = "EDR" ) AND image = "\bcp.exe") AND originalfilename = "BCP.exe") AND commandline in ("out","queryout")
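
An added example, not part of the original article or of the referenced Sigma rule: the indicators above applied in Python to constructed process-creation events, with the export direction and output file extracted for triage. Treating the Image suffix and OriginalFileName as alternatives, matching case-insensitively, and all sample paths, hosts and database names are assumptions of this example.

```python
import shlex

# Indicator values from the page; case-insensitive matching is an assumption.
IMAGE_SUFFIX = "\\bcp.exe"
ORIGINAL_FILE_NAME = "bcp.exe"
EXPORT_KEYWORDS = (" out ", " queryout ")

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\bcp.exe", "OriginalFileName": "BCP.exe",
     "CommandLine": r"bcp SalesDB.dbo.Customers out C:\Temp\cust.dat -c -T -S SQL01"},
    {"Image": r"C:\Users\Public\b.exe", "OriginalFileName": "BCP.exe",  # renamed copy
     "CommandLine": r'b.exe "SELECT Name FROM SalesDB.dbo.Customers" queryout "C:\Temp\names.csv" -c -T'},
    {"Image": r"C:\Tools\bcp.exe", "OriginalFileName": "BCP.exe",  # import, not export
     "CommandLine": r"bcp SalesDB.dbo.Customers in C:\Temp\cust.dat -c -T"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",  # not bcp
     "CommandLine": "cmd.exe /c echo time out reached"},
]

def is_bcp_export(event):
    """True when the event matches the Image/OriginalFileName/CommandLine indicators."""
    image = (event.get("Image") or "").lower()
    original = (event.get("OriginalFileName") or "").lower()
    cmdline = (event.get("CommandLine") or "").lower()
    # Assumption: path suffix OR PE original name, so a renamed copy still matches.
    is_bcp = image.endswith(IMAGE_SUFFIX) or original == ORIGINAL_FILE_NAME
    return is_bcp and any(k in cmdline for k in EXPORT_KEYWORDS)

def export_target(cmdline):
    """Return (direction, data_file) for triage, or None if it cannot be parsed."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keeps Windows backslashes
    except ValueError:  # unbalanced quotes in the logged command line
        return None
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("out", "queryout"):
            return tok.lower(), tokens[i + 1].strip('"')
    return None

def scan(events):
    """Return (image, direction, data_file) for every matching event."""
    return [(ev["Image"], *(export_target(ev["CommandLine"]) or ("?", "?")))
            for ev in events if is_bcp_export(ev)]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The extracted data file path tells the analyst where the exported rows were written, which is the first artifact to check during triage.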

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml


    Tags

    Sigma, SQL injection
