PowerShell Script with Veeam Credential Access Capabilities
Identifies PowerShell scripts that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.
[metadata]
# Slash-formatted dates are plain strings, not TOML datetimes (RFC 3339 uses dashes).
creation_date = "2024/03/14"
updated_date = "2024/10/28"
integration = ["windows"]
maturity = "production"
# 8.14.0 is the floor because of the breaking Windows integration change noted below.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

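[rule]
author = ["Elastic"]
description = """
Identifies PowerShell scripts that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use
Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.
"""
# Look-back window per run; it is wider than the run interval so that events
# ingested late are still seen (timestamp_override below keys on event.ingested).
from = "now-9m"
# The trailing glob deliberately matches every logs-windows.powershell* data stream,
# not only logs-windows.powershell.
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Script with Veeam Credential Access Capabilities"
references = [
  "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
  "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/",
]
risk_score = 47
rule_id = "5c602cba-ae00-4488-845d-24de2b6d8055"
# `setup` is a multi-line *basic* string, so backslashes in the registry path must
# be written as `\\`; bare `\S`, `\P`, `\M`, `\W` are invalid TOML escapes and make
# the whole file fail to parse.
# NOTE(review): the command lines below are plain paragraphs; wrap them in fenced
# code blocks if this text is rendered as Markdown in the UI.
setup = """## Setup

The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)

Steps to implement the logging policy via registry:
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
"""
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Credential Access",
  "Data Source: PowerShell Logs",
]
timestamp_override = "event.ingested"
type = "query"

# Matches are literal substrings of the logged script block text: scripts that
# obfuscate, split or encode these strings will not match, and nothing matches at
# all unless the Script Block Logging policy from `setup` is enabled. The Veeam
# product name is required alongside the [dbo].[Credentials] table so that other
# applications' credential tables do not trigger the rule; the second branch
# catches calls into Veeam's ProtectedStorage decryption helper on its own.
# NOTE(review): legitimate administrators may run the same recovery scripts (see
# the Veeam forum reference); confirm the executing user and whether the host is
# a Veeam Backup server before treating a hit as credential theft.
query = '''
event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    (
      "[dbo].[Credentials]" and
      ("Veeam" or "VeeamBackup")
    ) or
    "ProtectedStorage]::GetLocalString"
  )
'''
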
# ATT&CK mapping. Each [[rule.threat]] element is one tactic with its techniques;
# the tactic sub-table is listed first, then the techniques of that element.
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
# Single sub-technique, so an array of one inline table reads more compactly
# than a separate [[rule.threat.technique.subtechnique]] header.
subtechnique = [
  { id = "T1059.001", name = "PowerShell", reference = "https://attack.mitre.org/techniques/T1059/001/" },
]
References
Related rules
- Potential Invoke-Mimikatz PowerShell Script
- Potential PowerShell Pass-the-Hash/Relay Script
- PowerShell Invoke-NinjaCopy script
- PowerShell Kerberos Ticket Dump
- PowerShell Kerberos Ticket Request