title: Conti Backup Database
ruletype: Sigma
author: frack113
date: 2021/08/16
description: Detects a command used by conti to dump database
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine:
    - '*sqlcmd *'
    - '*sqlcmd.exe*'
  SELECTION_3:
    CommandLine: '* -S localhost *'
  SELECTION_4:
    CommandLine:
    - '*sys.sysprocesses*'
    - '*master.dbo.sysdatabases*'
    - '*BACKUP DATABASE*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 2f47f1fd-0901-466e-a770-3b7092834a1b
level: high
logsource:
  category: process_creation
  product: windows
modified: 2021/12/02
references:
- https://twitter.com/vxunderground/status/1423336151860002816?s=20
- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
- https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
status: experimental
tags:
- attack.collection
- attack.t1005