From f793a4d5c9702da95549f83f9cb61846b1646cba Mon Sep 17 00:00:00 2001 From: MahirAli Khan Date: Sun, 7 Dec 2025 03:04:11 +0530 Subject: [PATCH] Create Bcp.yml (#476) Co-authored-by: Wietze --- yml/OtherMSBinaries/Bcp.yml | 39 +++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 yml/OtherMSBinaries/Bcp.yml diff --git a/yml/OtherMSBinaries/Bcp.yml b/yml/OtherMSBinaries/Bcp.yml new file mode 100644 index 0000000..bb1f518 --- /dev/null +++ b/yml/OtherMSBinaries/Bcp.yml 
@@ -0,0 +1,39 @@ +--- +Name: Bcp.exe +Description: Microsoft SQL Server Bulk Copy Program utility for importing and exporting data between SQL Server instances and data files. +Author: Mahir Ali Khan +Created: 2025-11-13 +Commands: + - Command: bcp "SELECT payload_data FROM database.dbo.payloads WHERE id=1" queryout "C:\Windows\Temp\payload.exe" -S localhost -T -c + Description: Export binary payload stored in SQL Server database to file system. + Usecase: Extract malicious executable from database storage to local file system for execution. + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows +Full_Path: + - Path: C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe + - Path: C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\130\Tools\Binn\bcp.exe + - Path: C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\110\Tools\Binn\bcp.exe + - Path: C:\Program Files (x86)\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe + - Path: C:\Program Files (x86)\Microsoft SQL Server\Client SDK\ODBC\130\Tools\Binn\bcp.exe + - Path: C:\Program Files (x86)\Microsoft SQL Server\Client SDK\ODBC\110\Tools\Binn\bcp.exe + - Path: C:\Program Files (x86)\Microsoft SQL Server\120\Tools\Binn\bcp.exe +Detection: + - IOC: Process creation of bcp.exe with queryout or Out parameter + - IOC: bcp.exe writing executable files to temp or users directories + - IOC: Network connections from bcp.exe to SQL Server followed by file creation + - IOC: Event ID 4688 - Process creation for bcp.exe + - IOC: Event ID 4663 - File system access by bcp.exe + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml +Resources: + - Link: https://docs.microsoft.com/en-us/sql/tools/bcp-utility + - Link: https://asec.ahnlab.com/en/61000/ + - Link: https://asec.ahnlab.com/en/78944/ + - Link: https://www.huntress.com/blog/attacking-mssql-servers + - Link: 
https://www.huntress.com/blog/attacking-mssql-servers-pt-ii + - Link: https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ + - Link: https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ +Acknowledgement: + - Person: Mahir Ali Khan + Handle: '@mahiralikhan07'
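Review bot: the two Event ID IOCs in the Detection block depend on audit policy that the entry does not mention, so as written they may not fire at all. `- IOC: Event ID 4688 - Process creation for bcp.exe` only carries the `queryout`/`out` argument that the first IOC keys on when "Include command line in process creation events" is enabled, and `- IOC: Event ID 4663 - File system access by bcp.exe` only appears where Audit File System is on and SACLs cover the temp or user directories the second IOC names. Suggest either stating that prerequisite in the IOC text or listing the Sysmon equivalents (Event ID 1 for process creation with command line, Event ID 11 for file creation) alongside, which is what the referenced Sigma process_creation rule will actually match on.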