From 50f3103b573fdcac2678d27cee98c7a97d150848 Mon Sep 17 00:00:00 2001 From: MahirAli Khan Date: Thu, 13 Nov 2025 11:49:15 +0530 Subject: [PATCH 1/4] Create Bcp.yml --- yml/OSBinaries/Bcp.yml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 yml/OSBinaries/Bcp.yml diff --git a/yml/OSBinaries/Bcp.yml b/yml/OSBinaries/Bcp.yml new file mode 100644 index 00000000..efe29c21 --- /dev/null +++ b/yml/OSBinaries/Bcp.yml 
@@ -0,0 +1,42 @@ +Name: Bcp.exe +Description: Microsoft SQL Server Bulk Copy Program utility for importing and exporting data between SQL Server instances and data files. Can be abused to stage and deliver malicious payloads by storing them in databases and extracting to the file system. +Author: Mahir Ali Khan +Created: 13-11-2025 +Commands: + - Command: bcp "SELECT payload_data FROM database.dbo.payloads WHERE id=1" queryout "C:\Windows\Temp\payload.exe" -S localhost -T -c + Description: Export binary payload stored in SQL Server database to file system + Usecase: Extract malicious executable from database storage to local file system for execution + Category: Download + Privileges: User + MitreID: T1105 + OperatingSystem: Windows + Tags: + - Payload: Staging + - Database: Abuse +Full_Path: + - Path: C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe + - Path: C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\130\Tools\Binn\bcp.exe + - Path: C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\110\Tools\Binn\bcp.exe + - Path: C:\Program Files (x86)\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe + - Path: C:\Program Files (x86)\Microsoft SQL Server\Client SDK\ODBC\130\Tools\Binn\bcp.exe + - Path: C:\Program Files (x86)\Microsoft SQL Server\Client SDK\ODBC\110\Tools\Binn\bcp.exe + - Path: C:\Program Files (x86)\Microsoft SQL Server\120\Tools\Binn\bcp.exe +Detection: + - IOC: Process creation of bcp.exe with queryout or Out parameter + - IOC: bcp.exe writing executable files to temp or users directories + - IOC: Network connections from bcp.exe to SQL Server followed by file creation + - IOC: Event ID 4688 - Process creation for bcp.exe + - IOC: Event ID 4663 - File system access by bcp.exe + - Analysis: Monitor for bcp.exe creating files with executable extensions (.exe, .dll, .bat, .ps1) + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml 
+Resources: +- Link: https://docs.microsoft.com/en-us/sql/tools/bcp-utility +- Link: https://asec.ahnlab.com/en/61000/ +- Link: https://asec.ahnlab.com/en/78944/ +- Link: https://www.huntress.com/blog/attacking-mssql-servers +- Link: https://www.huntress.com/blog/attacking-mssql-servers-pt-ii +- Link: https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ +- Link: https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ +Acknowledgement: + - Person: Mahir Ali Khan + Handle: '@in/mahiralikhan07' From 0b7b746f71a91c6e6acb09a22e61ce64ccc66139 Mon Sep 17 00:00:00 2001 From: MahirAli Khan Date: Thu, 20 Nov 2025 11:00:29 +0530 Subject: [PATCH 2/4] Update Bcp.yml --- yml/OSBinaries/Bcp.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/yml/OSBinaries/Bcp.yml b/yml/OSBinaries/Bcp.yml index efe29c21..b991eec0 100644 --- a/yml/OSBinaries/Bcp.yml +++ b/yml/OSBinaries/Bcp.yml @@ -1,3 +1,4 @@ +--- Name: Bcp.exe Description: Microsoft SQL Server Bulk Copy Program utility for importing and exporting data between SQL Server instances and data files. Can be abused to stage and deliver malicious payloads by storing them in databases and extracting to the file system. Author: Mahir Ali Khan 
@@ -30,13 +31,13 @@ Detection: - Analysis: Monitor for bcp.exe creating files with executable extensions (.exe, .dll, .bat, .ps1) - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml Resources: -- Link: https://docs.microsoft.com/en-us/sql/tools/bcp-utility -- Link: https://asec.ahnlab.com/en/61000/ -- Link: https://asec.ahnlab.com/en/78944/ -- Link: https://www.huntress.com/blog/attacking-mssql-servers -- Link: https://www.huntress.com/blog/attacking-mssql-servers-pt-ii -- Link: https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ -- Link: https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ + - Link: https://docs.microsoft.com/en-us/sql/tools/bcp-utility + - Link: https://asec.ahnlab.com/en/61000/ + - Link: https://asec.ahnlab.com/en/78944/ + - Link: https://www.huntress.com/blog/attacking-mssql-servers + - Link: https://www.huntress.com/blog/attacking-mssql-servers-pt-ii + - Link: https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ + - Link: https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ Acknowledgement: - Person: Mahir Ali Khan Handle: '@in/mahiralikhan07' From 7951b3db0cafcb744b810bbe282e207578c80c2b Mon Sep 17 00:00:00 2001 From: MahirAli Khan Date: Thu, 20 Nov 2025 11:05:36 +0530 Subject: [PATCH 3/4] Update Bcp.yml --- yml/OSBinaries/Bcp.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yml/OSBinaries/Bcp.yml b/yml/OSBinaries/Bcp.yml index b991eec0..a32c8ae9 100644 --- a/yml/OSBinaries/Bcp.yml +++ b/yml/OSBinaries/Bcp.yml 
@@ -2,7 +2,7 @@ Name: Bcp.exe Description: Microsoft SQL Server Bulk Copy Program utility for importing and exporting data between SQL Server instances and data files. Can be abused to stage and deliver malicious payloads by storing them in databases and extracting to the file system. Author: Mahir Ali Khan -Created: 13-11-2025 +Created: 2025-11-13 Commands: - Command: bcp "SELECT payload_data FROM database.dbo.payloads WHERE id=1" queryout "C:\Windows\Temp\payload.exe" -S localhost -T -c Description: Export binary payload stored in SQL Server database to file system @@ -28,7 +28,7 @@ Detection: - IOC: Network connections from bcp.exe to SQL Server followed by file creation - IOC: Event ID 4688 - Process creation for bcp.exe - IOC: Event ID 4663 - File system access by bcp.exe - - Analysis: Monitor for bcp.exe creating files with executable extensions (.exe, .dll, .bat, .ps1) + - Analysis: Monitor for bcp.exe creating files with executable extensions - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml Resources: - Link: https://docs.microsoft.com/en-us/sql/tools/bcp-utility @@ -40,4 +40,4 @@ Resources: - Link: https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ Acknowledgement: - Person: Mahir Ali Khan - Handle: '@in/mahiralikhan07' + Handle: '@mahiralikhan07' From f2019a307a45600ce49d487521e1b93a0e83acb7 Mon Sep 17 00:00:00 2001 From: MahirAli Khan Date: Thu, 20 Nov 2025 11:09:00 +0530 Subject: [PATCH 4/4] Update Bcp.yml --- yml/OSBinaries/Bcp.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/yml/OSBinaries/Bcp.yml b/yml/OSBinaries/Bcp.yml index a32c8ae9..f0e763d6 100644 --- a/yml/OSBinaries/Bcp.yml +++ b/yml/OSBinaries/Bcp.yml 
@@ -28,7 +28,6 @@ Detection: - IOC: Network connections from bcp.exe to SQL Server followed by file creation - IOC: Event ID 4688 - Process creation for bcp.exe - IOC: Event ID 4663 - File system access by bcp.exe - - Analysis: Monitor for bcp.exe creating files with executable extensions - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml Resources: - Link: https://docs.microsoft.com/en-us/sql/tools/bcp-utility
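Review bot: In patch 1/4 (the new Bcp.yml), the Detection entry "Process creation of bcp.exe with queryout or Out parameter" should spell the keyword as `out`, since the documented bcp direction keywords are `in`, `out`, `queryout` and `format`; a rule that matches `Out` literally rather than case-insensitively would miss the documented spelling. Suggest "- IOC: Process creation of bcp.exe with the queryout or out keyword". In the same hunk, "Event ID 4663 - File system access by bcp.exe" only fires when the Object Access audit subcategory is enabled and a SACL is set on the monitored directories, so the entry should state that prerequisite or point to Sysmon Event ID 11 (FileCreate) as the more commonly available file-creation source. The `Category: Download` value is also worth checking against the project's category definitions, because the example command reads from a local instance (`-S localhost`) and writes to disk rather than fetching from a remote host.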
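Review bot: In patch 2/4, the second hunk re-indents the Resources list by two spaces, which is correct for consistency with the Commands, Full_Path, Detection and Acknowledgement lists in the same file, all of which indent their `- ` items; both forms are valid YAML, so this is a style-only change, and the commit message "Update Bcp.yml" should say that it normalises list indentation.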
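Review bot: In patch 3/4, the first hunk's change of `Created: 13-11-2025` to `Created: 2025-11-13` is the right fix, as the original day-month-year form is ambiguous to readers and tooling; no further change needed there.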
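Review bot: In patch 3/4, the second hunk drops "(.exe, .dll, .bat, .ps1)" from the Analysis line, which makes the guidance less actionable: the extension list is exactly what an analyst would turn into a file-creation filter. If the concern is that the list is not exhaustive, prefix it with "for example" rather than removing it.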
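Review bot: In patch 3/4, the third hunk changes the Acknowledgement handle from '@in/mahiralikhan07' to '@mahiralikhan07', which reads as a move from a LinkedIn-style path to a bare handle; since the entry does not say which platform the handle belongs to, add the platform name or a full profile URL so the credit can be resolved unambiguously.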
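Review bot: In patch 4/4, removing the Analysis line entirely leaves Detection with only IOC and Sigma entries. The remaining IOC "bcp.exe writing executable files to temp or users directories" partly covers the file-creation angle, but it should then name the event source that would surface it, for example Sysmon Event ID 11 (FileCreate) where Image ends in bcp.exe. Also verify that the Sigma URL resolves before merge, since that rule name is now the only pointer to a concrete detection.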