rules/windows/process_creation/proc_creation_win_coti_sqlcmd.yml

title: Conti Backup Database
id: 2f47f1fd-0901-466e-a770-3b7092834a1b
status: experimental
author: frack113
date: 2021/08/16
modified: 2021/12/02
description: Detects a command used by conti to dump database 
references:
    - https://twitter.com/vxunderground/status/1423336151860002816?s=20 #the leak info not the files itself 
    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
    - https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
tags:
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools:
        CommandLine|contains:
            - 'sqlcmd '
            - 'sqlcmd.exe'
    selection_svr:
        CommandLine|contains: ' -S localhost '
    selection_query:
        CommandLine|contains:
            - 'sys.sysprocesses'
            - 'master.dbo.sysdatabases'
            - 'BACKUP DATABASE'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
$frack113$ fix title 2021-08-16 11:15:32 +02:00			`title: Conti Backup Database`
$frack113$ add process_creation_coti_sqlcmd.yml 2021-08-16 11:08:19 +02:00			`id: 2f47f1fd-0901-466e-a770-3b7092834a1b`
			`status: experimental`
			`author: frack113`
			`date: 2021/08/16`
feat: discourage the usage of 'all of them' and migrate existing rules to use the preferred method 'all of selection*' 2021-12-02 14:30:09 +01:00			`modified: 2021/12/02`
$frack113$ add process_creation_coti_sqlcmd.yml 2021-08-16 11:08:19 +02:00			`description: Detects a command used by conti to dump database`
			`references:`
			`- https://twitter.com/vxunderground/status/1423336151860002816?s=20 #the leak info not the files itself`
			`- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection`
			`- https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15`
			`tags:`
			`- attack.collection`
$frack113$ Add MITTRE Technique 2021-11-20 10:56:41 +01:00			`- attack.t1005`
$frack113$ add process_creation_coti_sqlcmd.yml 2021-08-16 11:08:19 +02:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection_tools:`
$frack113$ fix very bad cut and paste 2021-08-16 11:22:50 +02:00			`CommandLine\|contains:`
$frack113$ add process_creation_coti_sqlcmd.yml 2021-08-16 11:08:19 +02:00			`- 'sqlcmd '`
			`- 'sqlcmd.exe'`
			`selection_svr:`
$frack113$ fix very bad cut and paste 2021-08-16 11:22:50 +02:00			`CommandLine\|contains: ' -S localhost '`
$frack113$ add process_creation_coti_sqlcmd.yml 2021-08-16 11:08:19 +02:00			`selection_query:`
$frack113$ fix very bad cut and paste 2021-08-16 11:22:50 +02:00			`CommandLine\|contains:`
$frack113$ add process_creation_coti_sqlcmd.yml 2021-08-16 11:08:19 +02:00			`- 'sys.sysprocesses'`
			`- 'master.dbo.sysdatabases'`
			`- 'BACKUP DATABASE'`
feat: discourage the usage of 'all of them' and migrate existing rules to use the preferred method 'all of selection*' 2021-12-02 14:30:09 +01:00			`condition: all of selection*`
$frack113$ add process_creation_coti_sqlcmd.yml 2021-08-16 11:08:19 +02:00			`falsepositives:`
			`- Unknown`
$frack113$ fix title 2021-08-16 11:15:32 +02:00			`level: high`