title: Dumping Process via Sqldumper.exe
author: Kirill Kiryanov, oscd.community
date: 2020/10/08
description: Detects process dump via legitimate sqldumper.exe binary
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*\sqldumper.exe'
  SELECTION_3:
    CommandLine:
    - '*0x0110*'
    - '*0x01100:40*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Legitimate MSSQL Server actions
id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
level: medium
logsource:
  category: process_creation
  product: windows
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqldumper.yml
- https://twitter.com/countuponsec/status/910977826853068800
- https://twitter.com/countuponsec/status/910969424215232518
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
status: experimental
tags:
- attack.credential_access
- attack.t1003.001
ruletype: SIGMA