
Suspicious Child Process Of Veeam Database

Format: Sigma · Level: critical · Source: SigmaHQ · Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-11T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects suspicious child processes of the SQL Server instance that backs Veeam Backup & Replication (sqlservr.exe started with a VEEAMSQL instance name): shells and terminals launched with suspicious arguments, or discovery utilities launched directly. A database engine spawning such children could indicate remote code execution or SQL injection against the Veeam database, the kind of activity described in the referenced WithSecure report on FIN7 targeting Veeam servers.

Detection Rule

Sigma (Original)

title: Suspicious Child Process Of Veeam Dabatase
id: d55b793d-f847-4eea-b59a-5ab09908ac90
related:
    - id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
      type: similar
status: test
description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\sqlservr.exe'
        ParentCommandLine|contains: 'VEEAMSQL'
    selection_child_1:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wsl.exe'
            - '\wt.exe'
        CommandLine|contains:
            - '-ex '
            - 'bypass'
            - 'cscript'
            - 'DownloadString'
            - 'http://'
            - 'https://'
            - 'mshta'
            - 'regsvr32'
            - 'rundll32'
            - 'wscript'
            - 'copy '
    selection_child_2:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
            - '\netstat.exe'
            - '\nltest.exe'
            - '\ping.exe'
            - '\tasklist.exe'
            - '\whoami.exe'
    condition: selection_parent and 1 of selection_child_*
level: critical

KQL (Azure Sentinel)

imProcessCreate
| where (
        (ParentProcessName endswith "\\sqlservr.exe" or ActingProcessName endswith "\\sqlservr.exe")
        and ActingProcessCommandLine contains "VEEAMSQL"
    )
    and (
        (
            (TargetProcessName endswith "\\cmd.exe" or TargetProcessName endswith "\\powershell.exe"
             or TargetProcessName endswith "\\pwsh.exe" or TargetProcessName endswith "\\wsl.exe"
             or TargetProcessName endswith "\\wt.exe")
            and (TargetProcessCommandLine contains "-ex " or TargetProcessCommandLine contains "bypass"
             or TargetProcessCommandLine contains "cscript" or TargetProcessCommandLine contains "DownloadString"
             or TargetProcessCommandLine contains "http://" or TargetProcessCommandLine contains "https://"
             or TargetProcessCommandLine contains "mshta" or TargetProcessCommandLine contains "regsvr32"
             or TargetProcessCommandLine contains "rundll32" or TargetProcessCommandLine contains "wscript"
             or TargetProcessCommandLine contains "copy ")
        )
        or (TargetProcessName endswith "\\net.exe" or TargetProcessName endswith "\\net1.exe"
            or TargetProcessName endswith "\\netstat.exe" or TargetProcessName endswith "\\nltest.exe"
            or TargetProcessName endswith "\\ping.exe" or TargetProcessName endswith "\\tasklist.exe"
            or TargetProcessName endswith "\\whoami.exe")
    )
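The Sigma rule and its KQL translation above express the same two-part condition: the parent must be sqlservr.exe running the VEEAMSQL instance, and the child must be either a shell with a listed command-line token or one of the listed discovery utilities. The following Python is an added example, not SigmaHQ code or part of the original page, that re-implements that logic and runs it over a handful of constructed process-creation events (hypothetical paths and instance name) so the rule's behaviour, including the cases where it deliberately does not fire, can be checked offline before deployment.

```python
# Added example (not SigmaHQ code): the Sigma rule above re-implemented in
# Python and run over constructed process-creation events, so the
# parent-and-child logic can be checked offline before deploying the rule.
from dataclasses import dataclass

# String lists copied from the Sigma rule. Sigma's endswith/contains
# modifiers are case-insensitive (as are KQL's), so everything is lowercased.
PARENT_IMAGE = r"\sqlservr.exe"
PARENT_CMDLINE = "veeamsql"
CHILD_1_IMAGES = (r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe", r"\wsl.exe", r"\wt.exe")
CHILD_1_CMDLINE = ("-ex ", "bypass", "cscript", "downloadstring", "http://", "https://",
                   "mshta", "regsvr32", "rundll32", "wscript", "copy ")
CHILD_2_IMAGES = (r"\net.exe", r"\net1.exe", r"\netstat.exe", r"\nltest.exe",
                  r"\ping.exe", r"\tasklist.exe", r"\whoami.exe")


@dataclass
class ProcessCreate:
    """The four process_creation fields the rule reads (Sigma field names)."""
    Image: str
    CommandLine: str
    ParentImage: str
    ParentCommandLine: str


def _endswith_any(value: str, suffixes) -> bool:
    v = value.lower()
    return any(v.endswith(s) for s in suffixes)


def _contains_any(value: str, needles) -> bool:
    v = value.lower()
    return any(n in v for n in needles)


def selection_parent(ev: ProcessCreate) -> bool:
    # Both parent fields must match: the sqlservr.exe binary AND a command
    # line naming the Veeam instance, so other SQL instances are out of scope.
    return (ev.ParentImage.lower().endswith(PARENT_IMAGE)
            and PARENT_CMDLINE in ev.ParentCommandLine.lower())


def selection_child_1(ev: ProcessCreate) -> bool:
    # Shell/terminal child AND at least one suspicious command-line token.
    return _endswith_any(ev.Image, CHILD_1_IMAGES) and _contains_any(ev.CommandLine, CHILD_1_CMDLINE)


def selection_child_2(ev: ProcessCreate) -> bool:
    # Discovery utilities match on image name alone.
    return _endswith_any(ev.Image, CHILD_2_IMAGES)


def matches(ev: ProcessCreate) -> bool:
    # condition: selection_parent and 1 of selection_child_*
    return selection_parent(ev) and (selection_child_1(ev) or selection_child_2(ev))


# Constructed sample events (hypothetical install paths and instance names).
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.VEEAMSQL2016\MSSQL\Binn\sqlservr.exe"
VEEAM_SQL = r'"C:\Program Files\Microsoft SQL Server\MSSQL15.VEEAMSQL2016\MSSQL\Binn\sqlservr.exe" -sVEEAMSQL2016'
OTHER_SQL = r'"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER'

SAMPLES = {
    # Veeam SQL instance spawning PowerShell with an execution-policy bypass: child_1 fires
    "veeam_powershell_bypass": ProcessCreate(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -ep bypass -c Get-Process", SQLSERVR, VEEAM_SQL),
    # Veeam SQL instance spawning a discovery utility: child_2 fires, no cmdline check
    "veeam_whoami": ProcessCreate(
        r"C:\Windows\System32\whoami.exe", "whoami.exe", SQLSERVR, VEEAM_SQL),
    # Same child under a different SQL instance: parent selection fails, rule is silent
    "other_instance_copy": ProcessCreate(
        r"C:\Windows\System32\cmd.exe", "cmd.exe /c copy a.txt b.txt",
        SQLSERVR.replace("VEEAMSQL2016", "MSSQLSERVER"), OTHER_SQL),
    # Shell child of Veeam SQL with no listed token: child_1 needs both halves
    "veeam_cmd_dir": ProcessCreate(
        r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir", SQLSERVR, VEEAM_SQL),
    # Ordinary interactive use: parent is explorer.exe, not sqlservr.exe
    "explorer_whoami": ProcessCreate(
        r"C:\Windows\System32\whoami.exe", "whoami.exe",
        r"C:\Windows\explorer.exe", "explorer.exe"),
}


def evaluate_samples() -> dict:
    """Map each sample name to whether the rule fires on it."""
    return {name: matches(ev) for name, ev in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{'ALERT' if fired else '  ok '}  {name}")
```

The two silent cases are worth noting when tuning: the parent check scopes the rule to the Veeam-named SQL instance only, and a shell child is reported only when its command line also carries one of the listed tokens, so a plain cmd.exe launched by the database engine is not covered by this rule on its own.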

Required Data Sources

Sentinel table      Notes
imProcessCreate     Ensure this data connector is enabled

False Positive Guidance

No known false positives documented.

MITRE ATT&CK Context

Tactics from the rule's tags: Initial Access (attack.initial-access), Persistence (attack.persistence), Privilege Escalation (attack.privilege-escalation). The rule carries no technique-level tags.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml