
Dumping Process via Sqldumper.exe

Sigma Rules

Summary
This detection rule targets suspicious use of the legitimate binary sqldumper.exe, which attackers can abuse to dump the memory of running processes, particularly those associated with MSSQL. The rule triggers when a new Windows process is created whose image path ends with sqldumper.exe and whose command line carries the specific parameters (0x0110 and 0x01100:40) commonly seen in credential dumping. Such activity can indicate an attempt to extract sensitive information from process memory and maps to the credential access technique T1003.001 in the MITRE ATT&CK framework, so it warrants close monitoring. Legitimate MSSQL Server operations may invoke the same binary for valid reasons, so false positives are possible; because the rule requires both the process image name and the specific command line arguments, it helps separate benign use from potentially malicious activity.
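The matching logic the summary describes, as an added Python example that is not the rule itself and not part of the original page: it evaluates constructed process-creation events against the image-suffix and command-line conditions. The field names Image and CommandLine follow Sysmon/Sigma process_creation conventions and are an assumption; the sample events are constructed.

```python
# Conditions taken from the rule summary: image path ends with sqldumper.exe and the
# command line contains one of the watched arguments. Sigma string matching is
# case-insensitive, so everything is lower-cased before comparison.
IMAGE_SUFFIX = "\\sqldumper.exe"
COMMAND_LINE_INDICATORS = ("0x0110", "0x01100:40")

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # expected hit: sqldumper.exe launched with 0x0110
        "Image": r"C:\Program Files\Microsoft SQL Server\150\Shared\SqlDumper.exe",
        "CommandLine": r"SqlDumper.exe 4412 0 0x0110",
    },
    {   # expected hit: binary copied elsewhere, launched with 0x01100:40
        "Image": r"C:\Temp\sqldumper.exe",
        "CommandLine": r"sqldumper.exe 644 0 0x01100:40",
    },
    {   # no hit: same binary, none of the watched arguments
        "Image": r"C:\Program Files\Microsoft SQL Server\150\Shared\SqlDumper.exe",
        "CommandLine": r"SqlDumper.exe",
    },
    {   # no hit: watched argument present but a different image
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c echo 0x0110",
    },
]


def matched_indicators(event: dict) -> list:
    """Return the watched command-line arguments present in the event (substring match).
    Note that 0x01100:40 itself contains 0x0110, so an event with the longer form
    reports both indicators; this is useful context when triaging a hit."""
    cmd = event.get("CommandLine", "").lower()
    return [flag for flag in COMMAND_LINE_INDICATORS if flag.lower() in cmd]


def is_suspicious_sqldumper(event: dict) -> bool:
    """True when both rule conditions hold: image suffix and at least one argument."""
    image = event.get("Image", "").lower()
    return image.endswith(IMAGE_SUFFIX) and bool(matched_indicators(event))


def scan(events: list) -> list:
    """Return the events that would fire the rule, for review alongside MSSQL context."""
    return [e for e in events if is_suspicious_sqldumper(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["Image"], "->", matched_indicators(hit))
```

Since legitimate MSSQL Server operations can produce the same combination, a hit from this logic is a starting point for triage (who launched it, from which path, against which process), not a verdict on its own.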
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
Created: 2020-10-08