Query Details

Veeam PSQL Dump

Query

# Rule: Credential Dump from Veeam PostgreSQL Database

## Description
Detects suspicious use of PostgreSQL client tools or SQL queries that extract credentials or configuration data from backup product databases (e.g., Veeam). Attackers may query Veeam's PostgreSQL database to obtain stored credentials for targets or backup repositories.

- **Source:** The DFIR Report — From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira (Aug 05, 2025)

## Detection Logic
- Alert on `psql.exe` or `psql` commandline usage, especially with queries referencing tables that contain credentials or configuration (e.g., `credentials`, `backup`, `repository`).
- Correlate with local database service connections or dumps to files.
- Flag when database queries are run by non-database admins or from atypical hosts.

## Tags
- Credential Access  
- Data Exfiltration  
- MITRE ATT&CK: T1005 (Data from Local System), T1537 (Transfer Data to Cloud Account)

## Search Query
```kql
DeviceProcessEvents
| where FileName =~ "psql.exe" or ProcessCommandLine contains "psql "
| where ProcessCommandLine contains "Veeam" or ProcessCommandLine has_all ("SELECT","username","credentials") or ProcessCommandLine contains "COPY"
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, ReportId
```
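To make the rule's matching semantics concrete, the following is an added Python rendering of the query's two `where` clauses and its `project` list, run over a handful of constructed `DeviceProcessEvents` rows. It also implements the third bullet of the detection logic (flagging hits from accounts or hosts that are not expected to run database clients), which the KQL itself only enables by projecting the account and device. This is example code written for this page, not the original query or any Microsoft or Veeam code; the sample events, the `KNOWN_DBA_ACCOUNTS` and `KNOWN_DB_HOSTS` allowlists and all names and ReportIds are hypothetical.

```python
"""Pure-Python rendering of the psql/Veeam KQL rule, run over constructed sample events.

Added example for this page; the events, allowlists and identifiers below are made up.
"""
import re
from typing import Dict, List

# Constructed sample of DeviceProcessEvents rows (hypothetical values, not from a real tenant).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # psql against the Veeam database, pulling the credentials table -> should match
        "Timestamp": "2025-08-05T10:12:03Z", "DeviceName": "VBR-SRV01",
        "InitiatingProcessAccountName": "backupadmin", "FileName": "psql.exe",
        "ProcessCommandLine": 'psql.exe -h localhost -U postgres -d VeeamBackup '
                              '-c "SELECT id, username, password FROM credentials"',
        "ReportId": "1001",
    },
    {   # ordinary file copy, no psql involved -> first where clause fails
        "Timestamp": "2025-08-05T10:15:44Z", "DeviceName": "WS-FIN-07",
        "InitiatingProcessAccountName": "jdoe", "FileName": "cmd.exe",
        "ProcessCommandLine": "cmd.exe /c copy report.xlsx \\\\share\\out", "ReportId": "1002",
    },
    {   # psql started only to print its version -> second where clause fails
        "Timestamp": "2025-08-05T11:02:10Z", "DeviceName": "VBR-SRV01",
        "InitiatingProcessAccountName": "svc_veeam_db", "FileName": "psql.exe",
        "ProcessCommandLine": "psql.exe --version", "ReportId": "1003",
    },
    {   # \copy of the credentials table to a file by the service account -> matches
        "Timestamp": "2025-08-05T11:40:27Z", "DeviceName": "VBR-SRV01",
        "InitiatingProcessAccountName": "svc_veeam_db", "FileName": "psql.exe",
        "ProcessCommandLine": 'psql.exe -U postgres -d VeeamBackup -c "\\copy (select * from '
                              "credentials) to 'C:\\Temp\\c.csv' csv\"",
        "ReportId": "1004",
    },
    {   # unrelated app database; matches only because "copyjobs" contains "copy"
        "Timestamp": "2025-08-05T12:05:00Z", "DeviceName": "WS-DEV-03",
        "InitiatingProcessAccountName": "dev1", "FileName": "psql.exe",
        "ProcessCommandLine": 'psql.exe -h db.internal -U app -d appdb -c "select count(*) from copyjobs"',
        "ReportId": "1005",
    },
]

PROJECT = ("Timestamp", "DeviceName", "InitiatingProcessAccountName", "ProcessCommandLine", "ReportId")


def kql_contains(haystack: str, needle: str) -> bool:
    """KQL `contains`: case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def kql_eq_ci(left: str, right: str) -> bool:
    """KQL `=~`: case-insensitive string equality."""
    return left.lower() == right.lower()


def kql_has_all(text: str, terms: List[str]) -> bool:
    """KQL `has_all`: every term must appear as a whole term (approximated with word boundaries)."""
    return all(re.search(r"\b" + re.escape(t) + r"\b", text, re.IGNORECASE) for t in terms)


def matches_rule(ev: Dict[str, str]) -> bool:
    """Both `where` clauses of the rule, evaluated on one event."""
    file_name = ev.get("FileName", "")
    cmd = ev.get("ProcessCommandLine", "")
    if not (kql_eq_ci(file_name, "psql.exe") or kql_contains(cmd, "psql ")):
        return False
    return (kql_contains(cmd, "Veeam")
            or kql_has_all(cmd, ["SELECT", "username", "credentials"])
            or kql_contains(cmd, "COPY"))


def run_query(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter the events with the rule and apply the `project` clause."""
    return [{k: ev.get(k) for k in PROJECT} for ev in events if matches_rule(ev)]


# Triage enrichment for the "non-database admins / atypical hosts" bullet of the detection logic.
KNOWN_DBA_ACCOUNTS = {"svc_veeam_db"}   # hypothetical allowlist of accounts expected to run psql
KNOWN_DB_HOSTS = {"VBR-SRV01"}          # hypothetical allowlist of hosts expected to run psql


def triage(hits: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Mark each hit for escalation when the account or host is not on the allowlists."""
    out = []
    for h in hits:
        reasons = []
        if h["InitiatingProcessAccountName"].lower() not in KNOWN_DBA_ACCOUNTS:
            reasons.append("non-DBA account")
        if h["DeviceName"].upper() not in KNOWN_DB_HOSTS:
            reasons.append("atypical host")
        out.append({**h, "escalate": bool(reasons), "reasons": reasons})
    return out


if __name__ == "__main__":
    for row in triage(run_query(SAMPLE_EVENTS)):
        print(row["ReportId"], row["escalate"], row["reasons"], row["ProcessCommandLine"])
```

Running the script shows three hits (ReportIds 1001, 1004 and 1005). The last one is worth noting: `contains "COPY"` is a case-insensitive substring match, so any command line with "copy" in a table or file name trips the rule; if that clause proves noisy, pairing it with the `Veeam` or credential-table terms tightens the rule without losing the dump-to-file case.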

Explanation

This query is designed to detect potentially malicious activities involving the use of PostgreSQL client tools to access sensitive information from Veeam backup databases. Here's a simple breakdown:

1. Purpose: The query aims to identify suspicious actions where someone might be trying to extract credentials or configuration data from Veeam's PostgreSQL database, which could indicate an attempt to access sensitive information or prepare for a cyber attack.

2. Detection Criteria:
   - It looks for the use of PostgreSQL command-line tools (psql.exe, or a command line invoking psql) on a device.
   - It then checks whether that command line references Veeam, combines SELECT with the terms "username" and "credentials", or uses COPY, a common way to write query results to a file. The detection logic above also recommends watching for other credential- or configuration-related table names such as "backup" or "repository".
   - It surfaces the initiating account and device so that queries run by users who are not database administrators, or from unusual hosts, can be flagged during triage.

3. Tags and Context:
   - The query is associated with potential credential access and data exfiltration activities.
   - It aligns with specific MITRE ATT&CK techniques, indicating that the detected behavior could be part of a broader attack strategy.

4. Output:
   - The query returns details such as the time of the event, the device name, the account that initiated the process, the command line used, and a report ID for further investigation.

Overall, this query helps security teams monitor and respond to unauthorized attempts to access or extract sensitive data from Veeam's PostgreSQL databases, which could be a precursor to more severe cyber threats.

Details


Ali Hussein

Released: November 11, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, Veeam, Username, Credentials, Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, ReportId

Operators

|, where, =~, or, contains, has_all, project
