VeeamBackup Database Credentials Dump Via Sqlcmd.EXE

 1title: VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
 2id: b57ba453-b384-4ab9-9f40-1038086b4e53
 3status: test
 4description: Detects dump of credentials in VeeamBackup dbo
 5references:
 6    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
 7    - https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
 8author: frack113
 9date: 2021/12/20
10modified: 2023/02/13
11tags:
12    - attack.collection
13    - attack.t1005
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_tools:
19        Image|endswith: '\sqlcmd.exe'
20    selection_query:
21        CommandLine|contains|all:
22            - 'SELECT'
23            - 'TOP'
24            - '[VeeamBackup].[dbo].[Credentials]'
25    condition: all of selection_*
26falsepositives:
27    - Unknown
28level: high

References

• Diavol Ransomware

  

  In this report, we observed threat actors deploy multiple Cobalt Strike DLL beacons, perform internal discovery using Windows utilities, execute lateral movement using AnyDesk and RDP, dump credentials multiple ways, exfiltrate data and deploy domain wide ransomware in as little as 42 hours from initial access.

  
  Read More

• Recover ESXi password in Veeam

  

  Veeam Community discussions and solutions for: Recover ESXi password in Veeam of Veeam Backup & Replication

  
  Read More

Related rules

• PowerShell Get-Clipboard Cmdlet Via CLI
• Files Added To An Archive Using Rar.EXE
• Audio Capture
• Clipboard Collection of Image Data with Xclip Tool
• Clipboard Collection with Xclip Tool - Auditd