Merged
39 changes: 39 additions & 0 deletions yml/OtherMSBinaries/Bcp.yml
@@ -0,0 +1,39 @@
---
Name: Bcp.exe
Description: Microsoft SQL Server Bulk Copy Program utility for importing and exporting data between SQL Server instances and data files.
Author: Mahir Ali Khan
Created: 2025-11-13
Commands:
- Command: bcp "SELECT payload_data FROM database.dbo.payloads WHERE id=1" queryout "C:\Windows\Temp\payload.exe" -S localhost -T -c
Description: Export binary payload stored in SQL Server database to file system.
Usecase: Extract malicious executable from database storage to local file system for execution.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows
Full_Path:
- Path: C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe
- Path: C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\130\Tools\Binn\bcp.exe
- Path: C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\110\Tools\Binn\bcp.exe
- Path: C:\Program Files (x86)\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe
- Path: C:\Program Files (x86)\Microsoft SQL Server\Client SDK\ODBC\130\Tools\Binn\bcp.exe
- Path: C:\Program Files (x86)\Microsoft SQL Server\Client SDK\ODBC\110\Tools\Binn\bcp.exe
- Path: C:\Program Files (x86)\Microsoft SQL Server\120\Tools\Binn\bcp.exe
Detection:
- IOC: Process creation of bcp.exe with queryout or Out parameter
- IOC: bcp.exe writing executable files to temp or users directories
- IOC: Network connections from bcp.exe to SQL Server followed by file creation
- IOC: Event ID 4688 - Process creation for bcp.exe
- IOC: Event ID 4663 - File system access by bcp.exe
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml
Resources:
- Link: https://docs.microsoft.com/en-us/sql/tools/bcp-utility
- Link: https://asec.ahnlab.com/en/61000/
- Link: https://asec.ahnlab.com/en/78944/
- Link: https://www.huntress.com/blog/attacking-mssql-servers
- Link: https://www.huntress.com/blog/attacking-mssql-servers-pt-ii
- Link: https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
- Link: https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
Acknowledgement:
- Person: Mahir Ali Khan
Handle: '@mahiralikhan07'
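Review bot: the two Windows Security event IOCs in the Detection block understate their prerequisites. "Event ID 4663 - File system access by bcp.exe" only fires when object-access auditing is enabled and a SACL is set on the written path (for example the temp or users directories named in the IOC above it), so it is not default telemetry; and "Event ID 4688 - Process creation for bcp.exe" only exposes the `queryout` / `out` argument that the first IOC keys on when command-line auditing is turned on. Suggest stating those conditions in the IOC text (e.g. "Event ID 4688 with command-line logging enabled, bcp.exe invoked with queryout or out") and adding Sysmon Event ID 11 (FileCreate) for the file-write side, which does not need a SACL. Also please confirm the Sigma rule URL resolves in the SigmaHQ repository before merge, since the link is the only machine-checkable detection reference in the entry.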