Veeam Backup Database Suspicious Query
Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
Sigma rule (View on GitHub)
1title: Veeam Backup Database Suspicious Query
2id: 696bfb54-227e-4602-ac5b-30d9d2053312
3status: test
4description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
5references:
6 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/05/04
9tags:
10 - attack.collection
11 - attack.t1005
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection_sql:
17 Image|endswith: '\sqlcmd.exe'
18 CommandLine|contains|all:
19 - 'VeeamBackup'
20 - 'From '
21 selection_db:
22 CommandLine|contains:
23 - 'BackupRepositories'
24 - 'Backups'
25 - 'Credentials'
26 - 'HostCreds'
27 - 'SmbFileShares'
28 - 'Ssh_creds'
29 - 'VSphereInfo'
30 condition: all of selection_*
31falsepositives:
32 - Unknown
33level: medium
References
-
WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software. Our research indicates that the intrusion set used in these attacks has overlaps with those attributed to the FIN7 activity group. It is likely that initial access & execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532.
Read More
Related rules
- Cisco Collect Data
- ADFS Database Named Pipe Connection By Uncommon Tool
- SQLite Chromium Profile Data DB Access
- SQLite Firefox Profile Data DB Access
- Potential Conti Ransomware Database Dumping Activity Via SQLCmd