Sqlwriter Executed from Non-Standard Directory

[PMorningstar98]

title: Sqlwriter Executed from Non-Standard Directory
id: 3f2d8a66-9f61-4e61-b7d1-4d77d2f47a22
status: experimental
description: >
Detects execution of sqlwriter.exe from non-standard directories.
Legitimate sqlwriter.exe is part of Microsoft SQL Server and is
normally executed from SQL Server installation paths. Execution
from user-writable or temporary directories may indicate abuse,
including DLL side-loading techniques observed in real-world attacks.
references:

• https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-apt29-cozy-bear-wineloader
• https://research.splunk.com/endpoint/2ed89ba9-c6c7-46aa-9f08-a2a1c2955aa3/
  author: Parth Jamodkar
  date: 2026-01-05
  tags:
• attack.execution
• attack.defense_evasion
• attack.t1574.002
  logsource:
  category: process_creation
  product: windows
  detection:
  selection:
  Image|endswith: '\sqlwriter.exe'
  suspicious_path:
  Image|contains:
  • '\Windows\Tasks'
  • '\Temp'
  • '\AppData'
  • '\ProgramData'
  • '\Users\Public'
    filter_sql_install:
    Image|contains:
  • '\Program Files\Microsoft SQL Server'
    condition: selection and suspicious_path and not filter_sql_install
    falsepositives:
• SQL Server installed in non-default locations
• Administrator testing or forensic activity
  level: high

[github-actions]

Welcome 👋

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or rule ideas.

If you're reporting an issue related to the pySigma library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃

[swachchhanda000]

Hi @PMorningstar98,

Thanks for the rule suggestion. While detecting sqlwriter execution from uncommon locations could indicate something suspicious such as DLL side-loading (specifically with vcruntime140.dll), however a more efficient approach would be through image_load event for vcruntime140.dll side-loading attempts. This would catch any binary performing this technique, not just sqlwriter.

I would create a new PR with that rule.

Thanks

[PMorningstar98]

Thanks for the update @swachchhanda000