Update and rename proc_creation_win_BCP_utility.yml to win_BCP_utilit…

…y_execution.yml
SigmaHQ · Aug 14, 2024 · 7bcd242 · 7bcd242
1 parent 470c3af
commit 7bcd242
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/...reation/proc_creation_win_BCP_utility.yml → ...ss_creation/win_BCP_utility_execution.yml b/...reation/proc_creation_win_BCP_utility.yml → ...ss_creation/win_BCP_utility_execution.yml
@@ -8,6 +8,9 @@ references:
     https://learn.microsoft.com/en-us/sql/tools/bcp-utility?view=sql-server-ver16&tabs=windows   
 author: MahirAli Khan (https://www.linkedin.com/in/mahiralikhan)
 date: 2024-08-13
+tags:
+  - attack.execution
+  - T1059.001
 logsource:
   category: windows
   product: windows
@@ -29,6 +32,7 @@ fields:
   - Creator Process Name
   - New Process Name
   - Process Command Line
-tags:
-  - attack.execution
-  - T1059.001  # This tag corresponds to the MITRE ATT&CK technique for Command-Line Interface
+falsepositives:
+  - Legitimate data export operations by MSSQL users
+level: medium
+