Potential Conti Ransomware Database Dumping Activity Via SQLCmd

 1title: Potential Conti Ransomware Database Dumping Activity Via SQLCmd
 2id: 2f47f1fd-0901-466e-a770-3b7092834a1b
 3status: test
 4description: Detects a command used by conti to dump database
 5references:
 6    - https://twitter.com/vxunderground/status/1423336151860002816?s=20 # The leak info not the files itself
 7    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
 8    - https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
 9author: frack113
10date: 2021/08/16
11modified: 2023/05/04
12tags:
13    - attack.collection
14    - attack.t1005
15    - detection.emerging_threats
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_tools:
21        - Image|endswith: '\sqlcmd.exe'
22        - CommandLine|contains:
23              - 'sqlcmd '
24              - 'sqlcmd.exe'
25    selection_svr:
26        CommandLine|contains: ' -S localhost '
27    selection_query:
28        CommandLine|contains:
29            - 'sys.sysprocesses'
30            - 'master.dbo.sysdatabases'
31            - 'BACKUP DATABASE'
32    condition: all of selection_*
33falsepositives:
34    - Unknown
35level: high

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• VirusTotal

  VirusTotal

  
  Read More

• sqlcmd utility - SQL Server

  

  The sqlcmd utility lets you enter Transact-SQL statements, system procedures, and script files using different modes, using go-mssqldb or ODBC to run T-SQL batches.

  
  Read More

Related rules

• AWS EC2 VM Export Failure
• Conti NTDS Exfiltration Command
• VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
• 7Zip Compressing Dump Files
• Adwind RAT / JRAT