From 7bcd242571dd109161e04522d099ecbc908571ba Mon Sep 17 00:00:00 2001
From: Mahir-Ali-khan
Date: Wed, 14 Aug 2024 17:28:22 +0530
Subject: [PATCH] Update and rename proc_creation_win_BCP_utility.yml to win_BCP_utility_execution.yml
---
...n_BCP_utility.yml => win_BCP_utility_execution.yml} | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
rename rules-threat-hunting/windows/process_creation/{proc_creation_win_BCP_utility.yml => win_BCP_utility_execution.yml} (88%)
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_BCP_utility.yml b/rules-threat-hunting/windows/process_creation/win_BCP_utility_execution.yml
similarity index 88%
rename from rules-threat-hunting/windows/process_creation/proc_creation_win_BCP_utility.yml
rename to rules-threat-hunting/windows/process_creation/win_BCP_utility_execution.yml
index c3af87e99ac..0ecd23f0905 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_BCP_utility.yml
+++ b/rules-threat-hunting/windows/process_creation/win_BCP_utility_execution.yml
@@ -8,6 +8,9 @@ references: https://learn.microsoft.com/en-us/sql/tools/bcp-utility?view=sql-server-ver16&tabs=windows author: MahirAli Khan (https://www.linkedin.com/in/mahiralikhan) date: 2024-08-13 +tags: - attack.execution - T1059.001 logsource: category: windows product: windows
@@ -29,6 +32,7 @@ fields: - Creator Process Name - New Process Name - Process Command Line -tags: - - attack.execution - - T1059.001 # This tag corresponds to the MITRE ATT&CK technique for Command-Line Interface +falsepositives: - Legitimate data export operations by MSSQL users +level: medium +
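Review bot: The relocated tag on the new side of the first hunk keeps the bare form `- T1059.001`, which Sigma's tag convention and the ATT&CK-aware tooling built on it will not treat as a technique tag; it should be written in the lowercase namespaced form `- attack.t1059.001` next to `- attack.execution`. Separately, T1059.001 is the PowerShell sub-technique in the current ATT&CK matrix — the "Command-Line Interface" wording in the comment the second hunk removes is the pre-sub-technique name of T1059 — so the technique chosen for bcp.exe is worth re-checking before the tag is fixed. The rename also drops the `proc_creation_win_` prefix and introduces uppercase into the filename, which as far as I recall departs from the SigmaHQ naming convention the old name followed; a lowercase name such as `proc_creation_win_bcp_utility_execution.yml` would stay consistent with the rest of the directory. The added `falsepositives` entry and `level: medium` look fine.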