Rule : Credential Dump from Veeam PostgreSQL Database
Veeam PSQL Dump
Query
DeviceProcessEvents
| where FileName =~ "psql.exe" or ProcessCommandLine contains "psql "
| where ProcessCommandLine contains "Veeam" or ProcessCommandLine has_all ("SELECT","username","credentials") or ProcessCommandLine contains "COPY"
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, ReportIdAbout this query
Rule : Credential Dump from Veeam PostgreSQL Database
Description
Detects suspicious use of PostgreSQL client tools or SQL queries that extract credentials or configuration data from backup product databases (e.g., Veeam). Attackers may query Veeam's PostgreSQL database to obtain stored credentials for targets or backup repositories.
- Source: The DFIR Report — From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira (Aug 05, 2025)
Detection Logic
- Alert on
psql.exeorpsqlcommandline usage, especially with queries referencing tables that contain credentials or configuration (e.g.,credentials,backup,repository). - Correlate with local database service connections or dumps to files.
- Flag when database queries are run by non-database admins or from atypical hosts.
Tags
- Credential Access
- Data Exfiltration
- MITRE ATT&CK: T1005 (Data from Local System), T1537 (Transfer Data to Cloud Account)
Search Query
Explanation
This query is designed to detect potentially malicious activities involving the use of PostgreSQL client tools to access sensitive information from Veeam backup databases. Here's a simple breakdown:
-
Purpose: The query aims to identify suspicious actions where someone might be trying to extract credentials or configuration data from Veeam's PostgreSQL database, which could indicate an attempt to access sensitive information or prepare for a cyber attack.
-
Detection Criteria:
- It looks for the use of PostgreSQL command-line tools (
psql.exeorpsql) on a device. - It specifically checks if these tools are used to run SQL queries that involve tables related to credentials or backups, such as those containing the words "credentials," "backup," or "repository."
- It flags activities where these queries are executed by users who are not database administrators or from unusual locations.
- It looks for the use of PostgreSQL command-line tools (
-
Tags and Context:
- The query is associated with potential credential access and data exfiltration activities.
- It aligns with specific MITRE ATT&CK tactics, indicating that the detected behavior could be part of a broader attack strategy.
-
Output:
- The query returns details such as the time of the event, the device name, the account that initiated the process, the command line used, and a report ID for further investigation.
Overall, this query helps security teams monitor and respond to unauthorized attempts to access or extract sensitive data from Veeam's PostgreSQL databases, which could be a precursor to more severe cyber threats.
