Detect Backup Software Discovery in Google Chronicle
Adversaries may attempt to get a listing of backup software or configurations installed on a system. This discovery technique is commonly performed as pre-ransomware reconnaissance to identify backup solutions (Veeam, Acronis, Backup Exec, Commvault, Windows Server Backup) so attackers can disable, destroy, or encrypt them before deploying ransomware payloads. Methods include registry queries (reg query), process enumeration (tasklist, wmic), service enumeration (sc query, net start), directory listings, and PowerShell-based enumeration scripts such as the Get-DataInfo.ps1 script used by Wizard Spider (FIN12).
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1518 Software Discovery
- Sub-technique
- T1518.002 Backup Software Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1518/002/
YARA-L Detection Query
rule backup_software_discovery_t1518_002 {
meta:
author = "df00tech"
description = "Detects backup software discovery (MITRE ATT&CK T1518.002) — pre-ransomware reconnaissance targeting Veeam, Acronis, Commvault, Arcserve, Carbonite, Barracuda, and Windows Backup utilities via registry query, service enumeration, WMI, PowerShell, tasklist, and directory listing."
severity = "HIGH"
priority = "HIGH"
mitre_attack_tactic = "Discovery"
mitre_attack_technique = "T1518.002"
mitre_attack_url = "https://attack.mitre.org/techniques/T1518/002/"
reference = "Wizard Spider FIN12 Get-DataInfo.ps1 script; pre-ransomware backup destruction pattern"
version = "1.0"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
$e.target.process.file.full_path != ""
(
(
re.regex($e.target.process.file.full_path, `(?i)(^|[\\/])reg\.exe$`) and
re.regex($e.target.process.command_line, `(?i)query`) and
re.regex($e.target.process.command_line, `(?i)(veeam|acronis|commvault|arcserve|paragon|cobian|backupassist|windowsbackup)`)
) or
(
re.regex($e.target.process.file.full_path, `(?i)(^|[\\/])sc\.exe$`) and
re.regex($e.target.process.command_line, `(?i)query`) and
re.regex($e.target.process.command_line, `(?i)(veeam|acronis|backup|commvault|arcserve|wbengine|sdrsvc)`)
) or
(
re.regex($e.target.process.file.full_path, `(?i)(^|[\\/])net1?\.exe$`) and
re.regex($e.target.process.command_line, `(?i)start`) and
re.regex($e.target.process.command_line, `(?i)(veeam|acronis|backup|commvault|arcserve|carbonite|wbengine)`)
) or
(
re.regex($e.target.process.file.full_path, `(?i)(^|[\\/])wmic\.exe$`) and
re.regex($e.target.process.command_line, `(?i)(product|process|service)`) and
re.regex($e.target.process.command_line, `(?i)(veeam|acronis|backup|commvault|arcserve|carbonite|crashplan|barracuda|datto|zerto|veritas|wbadmin|ntbackup)`)
) or
(
re.regex($e.target.process.file.full_path, `(?i)(^|[\\/])(powershell|pwsh)\.exe$`) and
re.regex($e.target.process.command_line, `(?i)(get-datainfo|get-service|get-itemproperty|get-wmiobject|get-ciminstance)`) and
re.regex($e.target.process.command_line, `(?i)(veeam|acronis|backup|commvault|carbonite|crashplan|barracuda|datto|zerto|veritas|wbadmin)`)
) or
(
re.regex($e.target.process.file.full_path, `(?i)(^|[\\/])tasklist\.exe$`) and
re.regex($e.target.process.command_line, `(?i)(veeam|acronis|backup|commvault|carbonite|crashplan|barracuda)`)
) or
(
re.regex($e.target.process.file.full_path, `(?i)(^|[\\/])cmd\.exe$`) and
re.regex($e.target.process.command_line, `(?i)\bdir\b`) and
re.regex($e.target.process.command_line, `(?i)(veeam|acronis|backup|commvault|arcserve|carbonite)`)
)
)
$hostname = $e.principal.hostname
$user = $e.principal.user.userid
$process = $e.target.process.file.full_path
$cmdline = $e.target.process.command_line
condition:
$e
}Chronicle YARA-L 2.0 rule detecting backup software discovery (T1518.002) via UDM PROCESS_LAUNCH events. Matches seven enumeration techniques — reg.exe registry queries, sc.exe service queries, net.exe service enumeration, wmic.exe WMI queries, PowerShell Get-* cmdlets, tasklist.exe filtering, and cmd.exe directory listings — all targeting backup software names used in pre-ransomware reconnaissance. Compatible with Windows Sysmon, Microsoft Defender for Endpoint, and CrowdStrike Falcon ingested through Chronicle.
Data Sources
Required Tables
False Positives & Tuning
- Backup administrators using PowerShell scripts with Get-Service or Get-CimInstance to validate backup agent health across a fleet of servers as part of routine operations
- Enterprise monitoring tools such as SolarWinds, Datadog, or PRTG that execute WMI or registry queries to collect backup software metrics and service availability
- Active Directory Group Policy or SCCM compliance scripts that enumerate installed backup software during periodic machine compliance assessments
Other platforms for T1518.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Registry Query for Veeam and Acronis Backup Software
Expected signal: Sysmon Event ID 1: Four Process Create events with Image=reg.exe, CommandLine containing 'query' and 'Veeam' or 'Acronis'. Security Event ID 4688 (if command line auditing is enabled) with same details. If registry Object Access auditing is enabled, Event ID 4663 fires for each registry key read attempt.
- Test 2PowerShell WMI Backup Software Enumeration via Win32_Product
Expected signal: Sysmon Event ID 1: Two Process Create events with Image=powershell.exe, CommandLine containing 'Get-WmiObject' and 'Win32_Product' with backup-related filter terms, and 'Get-Service' with backup terms. PowerShell ScriptBlock Log Event ID 4104 with full script content. WMI activity logged in Microsoft-Windows-WMI-Activity/Operational.
- Test 3Service Control Enumeration of Backup Services
Expected signal: Sysmon Event ID 1: Six Process Create events with Image=sc.exe and CommandLine containing 'query' followed by the backup service name. Security Event ID 4688 for each sc.exe execution if command line auditing is enabled. Note: service status queries do not require elevated privileges and will run as standard user.
- Test 4Tasklist and Net Start Backup Process Discovery
Expected signal: Sysmon Event ID 1: Process Create events for tasklist.exe and net.exe (or net1.exe), with findstr.exe child processes containing backup-related search terms in command line. Security Event ID 4688 for each process if command line auditing enabled.
References (5)
- https://attack.mitre.org/techniques/T1518/002/
- https://www.mandiant.com/resources/blog/fin12-ransomware-intrusion-actor-targeting-healthcare
- https://www.security.com/threat-intelligence/play-ransomware-volume-shadow-copy
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.002/T1518.002.md
Unlock Pro Content
Get the full detection package for T1518.002 including response playbook, investigation guide, and atomic red team tests.