Sigma rule | Level: medium | Type: Hunting

Veeam Backup Database Suspicious Query

Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.

MITRE ATT&CK

collection

Detection Query

selection_sql:
  Image|endswith: \sqlcmd.exe
  CommandLine|contains|all:
    - VeeamBackup
    - "From "
selection_db:
  CommandLine|contains:
    - BackupRepositories
    - Backups
    - Credentials
    - HostCreds
    - SmbFileShares
    - Ssh_creds
    - VSphereInfo
condition: all of selection_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-05-04

Data Sources

Windows: Process Creation Events

Platforms

windows

Tags

attack.collection, attack.t1005

Raw Content

title: Veeam Backup Database Suspicious Query
id: 696bfb54-227e-4602-ac5b-30d9d2053312
status: test
description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_sql:
        Image|endswith: '\sqlcmd.exe'
        CommandLine|contains|all:
            - 'VeeamBackup'
            - 'From '
    selection_db:
        CommandLine|contains:
            - 'BackupRepositories'
            - 'Backups'
            - 'Credentials'
            - 'HostCreds'
            - 'SmbFileShares'
            - 'Ssh_creds'
            - 'VSphereInfo'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
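The rule above combines three Sigma matchers: `Image|endswith`, `CommandLine|contains|all` (every listed value must appear) and a plain `CommandLine|contains` list (any one value is enough), joined by `all of selection_*`. The following Python is an added example, not part of the Sigma rule or of this page, that reproduces that logic and runs it over three constructed process-creation events so the boundary between a hit and a near miss is visible. The event dictionaries, field names and helper functions are this example's own assumptions; the matched strings are copied from the rule. It relies on the Sigma convention that string matching is case-insensitive unless a modifier says otherwise.

```python
# Added example: evaluates the page's Sigma rule logic over constructed
# Windows process-creation events. Not part of the rule or the page; the
# event dicts and helper names are this example's own assumptions.

# Values copied from the rule's detection block.
SQL_IMAGE_SUFFIX = r"\sqlcmd.exe"
SQL_CMD_ALL = ("VeeamBackup", "From ")
DB_CMD_ANY = (
    "BackupRepositories", "Backups", "Credentials", "HostCreds",
    "SmbFileShares", "Ssh_creds", "VSphereInfo",
)


def selection_sql(event: dict) -> bool:
    """Image|endswith plus CommandLine|contains|all.

    Sigma string matching is case-insensitive by default, so both the
    event fields and the rule values are lower-cased before comparing.
    """
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith(SQL_IMAGE_SUFFIX.lower()) and all(
        needle.lower() in cmd for needle in SQL_CMD_ALL
    )


def selection_db(event: dict) -> bool:
    """CommandLine|contains with a list: any single value satisfies it."""
    cmd = event.get("CommandLine", "").lower()
    return any(needle.lower() in cmd for needle in DB_CMD_ANY)


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_sql(event) and selection_db(event)


# Constructed sample events in Sysmon EID 1 / Security 4688 style.
SAMPLE_EVENTS = [
    {   # Direct read of a credential table in the Veeam DB: should alert.
        "EventId": 1,
        "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
        "CommandLine": r'sqlcmd -S localhost\VEEAMSQL2016 -d VeeamBackup '
                       r'-Q "SELECT * FROM Credentials"',
    },
    {   # Schema listing on the same DB: selection_sql fires, selection_db does not.
        "EventId": 2,
        "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\sqlcmd.exe",
        "CommandLine": 'sqlcmd -S . -d VeeamBackup -Q "SELECT name FROM sys.tables"',
    },
    {   # Same strings, different process image: outside the rule's scope.
        "EventId": 3,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -c "Get-Content VeeamBackup_From_Credentials.txt"',
    },
]


def alerting_event_ids(events) -> list:
    """Return the EventId of every event the rule would alert on."""
    return [e["EventId"] for e in events if matches(e)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["EventId"], "ALERT" if matches(ev) else "no match")
```

Only event 1 alerts. Event 2 shows why the rule keeps both selections: `VeeamBackup` plus `FROM` alone describes routine administration, and it is the table-name list that narrows the hit to data an attacker would want. The table-name values are short substrings (`Backups`, `Credentials`), so when deploying this rule expect hits from legitimate maintenance queries too, which is consistent with the `medium` level and the `Unknown` false-positive entry; baseline which accounts and hosts normally run `sqlcmd` against the Veeam database before raising the severity.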