frack113
7060db3d47
* Promotion rules * fix missing null * fix: modified date Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
34 lines
1.0 KiB
YAML
34 lines
1.0 KiB
YAML
title: Conti Backup Database
|
|
id: 2f47f1fd-0901-466e-a770-3b7092834a1b
|
|
status: test
|
|
description: Detects a command used by conti to dump database
|
|
references:
|
|
- https://twitter.com/vxunderground/status/1423336151860002816?s=20 #the leak info not the files itself
|
|
- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
|
|
- https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
|
|
author: frack113
|
|
date: 2021/08/16
|
|
modified: 2022/12/25
|
|
tags:
|
|
- attack.collection
|
|
- attack.t1005
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_tools:
|
|
CommandLine|contains:
|
|
- 'sqlcmd '
|
|
- 'sqlcmd.exe'
|
|
selection_svr:
|
|
CommandLine|contains: ' -S localhost '
|
|
selection_query:
|
|
CommandLine|contains:
|
|
- 'sys.sysprocesses'
|
|
- 'master.dbo.sysdatabases'
|
|
- 'BACKUP DATABASE'
|
|
condition: all of selection*
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|