Suspicious Child Process Of Veeam Database
Detects suspicious child processes of the Veeam SQL Server service process (sqlservr.exe running the VEEAMSQL instance). Such children could indicate RCE or SQL injection against the Veeam backend.
Sigma rule
title: Suspicious Child Process Of Veeam Database
id: d55b793d-f847-4eea-b59a-5ab09908ac90
related:
    - id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
      type: similar
status: test
description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\sqlservr.exe'
        ParentCommandLine|contains: 'VEEAMSQL'
    selection_child_1:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wsl.exe'
            - '\wt.exe'
        CommandLine|contains:
            - '-ex '
            - 'bypass'
            - 'cscript'
            - 'DownloadString'
            - 'http://'
            - 'https://'
            - 'mshta'
            - 'regsvr32'
            - 'rundll32'
            - 'wscript'
            - 'copy '
    selection_child_2:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
            - '\netstat.exe'
            - '\nltest.exe'
            - '\ping.exe'
            - '\tasklist.exe'
            - '\whoami.exe'
    condition: selection_parent and 1 of selection_child_*
level: critical
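As an added example (not part of the rule or of the Sigma project), the rule's detection logic reimplemented in plain Python and run over constructed process_creation events, so the three selections and the condition can be checked against concrete field values. Field names follow the Sigma process_creation taxonomy used above; the Veeam SQL instance path and command lines are assumed sample values.

```python
# Reference evaluation of the rule's detection logic (added example, not the Sigma rule itself).
# Sigma `endswith`/`contains` modifiers match case-insensitively, so values are lower-cased.
PARENT_IMAGE = ("\\sqlservr.exe",)
PARENT_CMDLINE = ("veeamsql",)
CHILD_1_IMAGE = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wsl.exe", "\\wt.exe")
CHILD_1_CMDLINE = ("-ex ", "bypass", "cscript", "downloadstring", "http://", "https://",
                   "mshta", "regsvr32", "rundll32", "wscript", "copy ")
CHILD_2_IMAGE = ("\\net.exe", "\\net1.exe", "\\netstat.exe", "\\nltest.exe",
                 "\\ping.exe", "\\tasklist.exe", "\\whoami.exe")

def endswith_any(event, key, suffixes):
    value = event.get(key, "").lower()  # an absent field never matches
    return any(value.endswith(s) for s in suffixes)

def contains_any(event, key, needles):
    value = event.get(key, "").lower()  # an absent field never matches
    return any(n in value for n in needles)

def matches(event):
    """True if a process_creation event satisfies
    'selection_parent and 1 of selection_child_*'."""
    selection_parent = (endswith_any(event, "ParentImage", PARENT_IMAGE)
                        and contains_any(event, "ParentCommandLine", PARENT_CMDLINE))
    selection_child_1 = (endswith_any(event, "Image", CHILD_1_IMAGE)
                         and contains_any(event, "CommandLine", CHILD_1_CMDLINE))
    selection_child_2 = endswith_any(event, "Image", CHILD_2_IMAGE)
    return selection_parent and (selection_child_1 or selection_child_2)

# Constructed sample events (hypothetical values, not real telemetry).
VEEAM_SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL15.VEEAMSQL2016\MSSQL\Binn\sqlservr.exe"
SAMPLE_EVENTS = [
    # 1) recon binary spawned by the Veeam SQL instance -> selection_child_2
    {"ParentImage": VEEAM_SQL, "ParentCommandLine": VEEAM_SQL + " -sVEEAMSQL2016",
     "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
    # 2) shell child carrying a flagged argument -> selection_child_1
    {"ParentImage": VEEAM_SQL, "ParentCommandLine": VEEAM_SQL + " -sVEEAMSQL2016",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ex bypass -c Get-Date"},
    # 3) shell child without any flagged argument -> no match
    {"ParentImage": VEEAM_SQL, "ParentCommandLine": VEEAM_SQL + " -sVEEAMSQL2016",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    # 4) same child, but the parent is a non-Veeam SQL instance -> no match
    {"ParentImage": r"C:\SQL\Binn\sqlservr.exe", "ParentCommandLine": "sqlservr.exe -sMSSQLSERVER",
     "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
]

def evaluate(events=SAMPLE_EVENTS):
    """Return one boolean per event, in input order."""
    return [matches(e) for e in events]
```

Event 3 shows the rule's main blind spot: a shell spawned by the Veeam instance is only flagged when its command line contains one of the listed substrings, so a hunt that drops `selection_child_1`'s CommandLine clause will be noisier but more complete.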