EXPLORE
Sign In
← Back to Explore
sigmacriticalHunting

Suspicious Child Process Of Veeam Dabatase

Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.

Detection Query

selection_parent:
  ParentImage|endswith: \sqlservr.exe
  ParentCommandLine|contains: VEEAMSQL
selection_child_1:
  Image|endswith:
    - \cmd.exe
    - \powershell.exe
    - \pwsh.exe
    - \wsl.exe
    - \wt.exe
  CommandLine|contains:
    - "-ex "
    - bypass
    - cscript
    - DownloadString
    - http://
    - https://
    - mshta
    - regsvr32
    - rundll32
    - wscript
    - "copy "
selection_child_2:
  Image|endswith:
    - \net.exe
    - \net1.exe
    - \netstat.exe
    - \nltest.exe
    - \ping.exe
    - \tasklist.exe
    - \whoami.exe
condition: selection_parent and 1 of selection_child_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-05-04

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.initial-accessattack.persistenceattack.privilege-escalation
Raw Content
title: Suspicious Child Process Of Veeam Dabatase
id: d55b793d-f847-4eea-b59a-5ab09908ac90
related:
    - id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
      type: similar
status: test
description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\sqlservr.exe'
        ParentCommandLine|contains: 'VEEAMSQL'
    selection_child_1:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wsl.exe'
            - '\wt.exe'
        CommandLine|contains:
            - '-ex '
            - 'bypass'
            - 'cscript'
            - 'DownloadString'
            - 'http://'
            - 'https://'
            - 'mshta'
            - 'regsvr32'
            - 'rundll32'
            - 'wscript'
            - 'copy '
    selection_child_2:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
            - '\netstat.exe'
            - '\nltest.exe'
            - '\ping.exe'
            - '\tasklist.exe'
            - '\whoami.exe'
    condition: selection_parent and 1 of selection_child_*
level: critical