Veeam Backup Database Suspicious Query

 1title: Veeam Backup Database Suspicious Query
 2id: 696bfb54-227e-4602-ac5b-30d9d2053312
 3status: test
 4description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
 5references:
 6    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-05-04
 9tags:
10    - attack.collection
11    - attack.t1005
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection_sql:
17        Image|endswith: '\sqlcmd.exe'
18        CommandLine|contains|all:
19            - 'VeeamBackup'
20            - 'From '
21    selection_db:
22        CommandLine|contains:
23            - 'BackupRepositories'
24            - 'Backups'
25            - 'Credentials'
26            - 'HostCreds'
27            - 'SmbFileShares'
28            - 'Ssh_creds'
29            - 'VSphereInfo'
30    condition: all of selection_*
31falsepositives:
32    - Unknown
33level: medium

References

• FIN7 tradecraft seen in attacks against Veeam backup servers

  

  WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software. Our research indicates that the intrusion set used in these attacks has overlaps with those attributed to the FIN7 activity group. It is likely that initial access & execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532.

  
  Read More

Related rules

• ADFS Database Named Pipe Connection By Uncommon Tool
• AWS EC2 VM Export Failure
• Cisco Collect Data
• Esentutl Steals Browser Information
• OpenCanary - SMB File Open Request