This note documents detection patterns related to Database Dumping within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects dump tooling and database utilities. |
| Sysmon | 1 | Process creation | Critical | Best lineage source for dumping chains. |
| Sysmon | 11 | File create | Critical | Dump file creation is primary artifact. |
| Security | 4663 | File access | High | Sensitive DB files accessed before dump. |
| Sysmon | 3 | Network connection | High | Remote DB extraction sessions. |
| Sysmon | 22 | DNS query | Medium | External DB targets or exfil paths. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| SQL utility launches archive/export | sqlcmd / mysqldump | Critical | Core dumping pattern. |
| Large dump file appears | .sql / .bak / export files | Critical | Strong artifact clue. |
| DB service followed by file write | Dump triggered locally | Critical | Valuable sequence. |
| Dump stored in Temp/Desktop | Operator staging pattern | High | Common exfil prep. |
| Compression follows dump | Archive chain | Critical | Strong exfil sequence. |
| Service account runs dump | Unusual maintenance pattern | High | Valuable anomaly. |
Common Tools
| Tool | Usage |
|---|---|
| sqlcmd | MSSQL export |
| mysqldump | MySQL dump |
| pg_dump | PostgreSQL dump |
| PowerShell | DB extraction scripts |
Relevant Artifacts
- Security Event IDs 4688, 4663
- Sysmon Event IDs 1, 11, 3, 22
- Dump files: .sql, .bak, .dump
- Prefetch: SQLCMD.EXE, MYSQLDUMP.EXE
- MFT / USN timeline
- Archive correlation
MITRE ATT&CK References
- T1005 Data from Local System
- T1020 Automated Exfiltration
Decision Tree
- Which DB type?
  - MSSQL
  - MySQL
  - PostgreSQL
- Which tool?
  - Native utility
  - Script
  - Custom dump
- Dump destination?
  - Temp
  - Desktop
  - Network path
- Follow-on action?
  - Archive
  - Cloud sync
  - Outbound transfer
- Expand:
  - Credential source
  - DB access path
  - User context
- Scope:
  - Single DB
  - Multi-database
  - Campaign extraction
Example Detection Templates
KQL

```kql
// Process creation: database export utilities on the command line
SecurityEvent
| where EventID == 4688
| where CommandLine has_any ("sqlcmd","mysqldump","pg_dump")
| project TimeGenerated, Computer, CommandLine
```

```kql
// File creation: dump artifacts written to disk
Sysmon
| where EventID == 11
| where TargetFilename endswith ".sql" or TargetFilename endswith ".bak"
| project TimeGenerated, Computer, TargetFilename
```

EQL

```eql
process where process.command_line like "*mysqldump*" or process.command_line like "*sqlcmd*"
```

```eql
sequence by host.name with maxspan=10m
  [ process where process.command_line like "*mysqldump*" ]
  [ file where file.extension in ("sql","bak","dump") ]
```

Sigma

```yaml
title: Database Dumping Detection
id: 5e2c7d18-database-dumping
status: experimental
description: Detects suspicious database export activity
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
  keywords:
    CommandLine|contains:
      - 'sqlcmd'
      - 'mysqldump'
      - 'pg_dump'
  condition: selection and keywords
fields:
  - CommandLine
falsepositives:
  - Legitimate DB administration
level: high
tags:
  - attack.collection
```
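As an added example (not part of this note), the dump utility, dump file and archive sequence behind the EQL template and the "Compression follows dump" indicator, implemented in Python over constructed Sysmon-style events; the flat field names, the archiver list and the 10-minute window are assumptions for the example.

```python
import re
from datetime import datetime
# Constructed Sysmon-style events (Event ID 1 = process create, 11 = file create);
# the flat field names are an assumption for this example, not Sysmon's own schema.
SAMPLE_EVENTS = [
    {"time": "2026-03-07 10:00:00", "host": "WS01", "event_id": 1, "user": "CORP\\svc-backup",
     "command_line": "cmd.exe /c mysqldump -u root customers > C:\\Users\\a\\Desktop\\customers.sql"},
    {"time": "2026-03-07 10:00:30", "host": "WS01", "event_id": 11, "user": "CORP\\svc-backup",
     "target_filename": "C:\\Users\\a\\Desktop\\customers.sql"},
    {"time": "2026-03-07 10:03:00", "host": "WS01", "event_id": 1, "user": "CORP\\svc-backup",
     "command_line": "7z.exe a C:\\Users\\a\\Desktop\\c.7z C:\\Users\\a\\Desktop\\customers.sql"},
    {"time": "2026-03-07 10:05:00", "host": "WS02", "event_id": 1, "user": "CORP\\dba",
     "command_line": "sqlcmd -S localhost -Q \"BACKUP DATABASE hr TO DISK='D:\\backups\\hr.bak'\""},
    {"time": "2026-03-07 10:06:00", "host": "WS02", "event_id": 11, "user": "CORP\\dba",
     "target_filename": "D:\\backups\\hr.bak"},
    {"time": "2026-03-07 11:00:00", "host": "WS02", "event_id": 11, "user": "CORP\\dba",
     "target_filename": "D:\\backups\\old.bak"},   # outside any 10-minute window
]
DUMP_TOOLS = ("sqlcmd", "mysqldump", "pg_dump")
DUMP_EXTS = (".sql", ".bak", ".dump")
ARCHIVERS = ("7z", "zip", "rar", "compress-archive")          # assumed archiver names
STAGING = re.compile(r"\\(temp|desktop)\\", re.IGNORECASE)     # Temp/Desktop staging paths
def _ts(e):
    return datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")

def find_dump_chains(events, maxspan_seconds=600):
    """Dump utility (ID 1) -> dump file (ID 11) -> archiver naming that file (ID 1), same host."""
    events = sorted(events, key=_ts)
    chains = []
    for i, proc in enumerate(events):
        if proc["event_id"] != 1 or not any(t in proc["command_line"].lower() for t in DUMP_TOOLS):
            continue
        start = _ts(proc)
        for f in events[i + 1:]:
            if (_ts(f) - start).total_seconds() > maxspan_seconds:
                break                                   # time-ordered: window closed
            if f["host"] != proc["host"] or f["event_id"] != 11 \
                    or not f["target_filename"].lower().endswith(DUMP_EXTS):
                continue
            name = f["target_filename"].lower()
            archived = any(a["host"] == proc["host"] and a["event_id"] == 1 and _ts(a) >= _ts(f)
                           and (_ts(a) - start).total_seconds() <= maxspan_seconds
                           and name in a["command_line"].lower()
                           and any(z in a["command_line"].lower() for z in ARCHIVERS)
                           for a in events[i + 1:])
            chains.append({"host": proc["host"], "user": proc["user"], "dump_file": f["target_filename"],
                           "staged": bool(STAGING.search(name)), "archived": archived,
                           "level": "critical" if archived else "high"})
    return chains
```

A chain that ends in an archiver is rated critical (the full exfil sequence from the indirect-indicator table), a bare dump high; the staged flag marks Temp or Desktop destinations for triage.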
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Alert on dump utilities | Strong signal | Critical | Core visibility |
| Watch dump file creation | Primary artifact | Critical | High-value triage |
| Correlate dump + archive | Strong exfil chain | Critical | High confidence |
| Restrict DB tool presence | Reduce abuse | High | Prevent misuse |
| Monitor service-account dumps | Rare anomaly | High | Valuable context |