VeeamBackup Database Credentials Dump Via Sqlcmd.EXE

 1title: VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
 2id: b57ba453-b384-4ab9-9f40-1038086b4e53
 3status: test
 4description: Detects dump of credentials in VeeamBackup dbo
 5references:
 6    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
 7    - https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
 8author: frack113
 9date: 2021-12-20
10modified: 2023-02-13
11tags:
12    - attack.collection
13    - attack.t1005
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_tools:
19        Image|endswith: '\sqlcmd.exe'
20    selection_query:
21        CommandLine|contains|all:
22            - 'SELECT'
23            - 'TOP'
24            - '[VeeamBackup].[dbo].[Credentials]'
25    condition: all of selection_*
26falsepositives:
27    - Unknown
28level: high

References

• Diavol Ransomware

  

  In the past, threat actors have used BazarLoader to deploy Ryuk and Conti ransomware, as reported on many occasions. In this intrusion, however, a BazarLoader infection resulted in deployment of Di…

  
  Read More

• Recover ESXi password in Veeam

  

  Veeam Community discussions and solutions for: Recover ESXi password in Veeam of Veeam Backup & Replication

  
  Read More

Related rules

• ADFS Database Named Pipe Connection By Uncommon Tool
• AWS EC2 VM Export Failure
• Cisco Collect Data
• Esentutl Steals Browser Information
• OpenCanary - SMB File Open Request