.. /Sqldumper.exe
Star

Debugging utility included with Microsoft SQL.

Paths:

C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe

Resources:

Acknowledgements:

Luis Rocha (@countuponsec)

Detection:

Dump

Dump process by PID and create a dump file (Appears to create a dump file called SQLDmprXXXX.mdmp).
```
sqldumper.exe 464 0 0x0110
```
Use case
Dump process using PID.

Privileges required
Administrator

Operating systems
Windows

ATT&CK® technique
T1003
0x01100:40 flag will create a Mimikatz compatible dump file.
```
sqldumper.exe 540 0 0x01100:40
```
Use case
Dump LSASS.exe to Mimikatz compatible dump using PID.

Privileges required
Administrator

Operating systems
Windows

ATT&CK® technique
T1003.001