PowerShell Script with Veeam Credential Access Capabilities

 1[metadata]
 2creation_date = "2024/03/14"
 3integration = ["windows"]
 4maturity = "production"
 5updated_date = "2025/03/20"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies PowerShell scripts that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use
11Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.
12"""
13from = "now-9m"
14index = ["winlogbeat-*", "logs-windows.powershell*"]
15language = "kuery"
16license = "Elastic License v2"
17name = "PowerShell Script with Veeam Credential Access Capabilities"
18note = """## Triage and analysis
19
20> **Disclaimer**:
21> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
22
23### Investigating PowerShell Script with Veeam Credential Access Capabilities
24
25PowerShell, a powerful scripting language in Windows environments, can be exploited by attackers to access and decrypt sensitive credentials, such as those stored by Veeam in MSSQL databases. Adversaries may leverage this to compromise backup data, facilitating ransomware attacks. The detection rule identifies suspicious script activity by monitoring specific database interactions and decryption attempts, flagging potential credential access threats.
26
27### Possible investigation steps
28
29- Review the PowerShell script block text associated with the alert to identify any references to "[dbo].[Credentials]" and "Veeam" or "VeeamBackup" to confirm potential credential access attempts.
30- Check the event logs for the specific host where the alert was triggered to gather additional context about the process execution, including the user account involved and the script's origin.
31- Investigate any recent changes or access to the MSSQL database containing Veeam credentials to determine if there were unauthorized access attempts or modifications.
32- Analyze the use of "ProtectedStorage]::GetLocalString" within the script to understand if it was used to decrypt or access sensitive information.
33- Correlate the alert with other security events or logs from the same host or network segment to identify any related suspicious activities or patterns that could indicate a broader attack.
34
35### False positive analysis
36
37- Routine administrative scripts that query MSSQL databases for maintenance purposes may trigger the rule. To manage this, identify and whitelist specific scripts or processes that are known to be safe and regularly executed by trusted administrators.
38- Scheduled tasks or automated backup verification processes that access Veeam credentials for legitimate reasons can be mistaken for malicious activity. Exclude these tasks by specifying their unique identifiers or execution paths in the monitoring system.
39- Security audits or compliance checks that involve accessing credential information for validation purposes might be flagged. Coordinate with the audit team to document these activities and create exceptions for their scripts.
40- Development or testing environments where PowerShell scripts are used to simulate credential access for testing purposes can generate false positives. Implement environment-specific exclusions to prevent these from being flagged in production monitoring.
41- Third-party monitoring tools that interact with Veeam credentials for health checks or performance monitoring may inadvertently trigger alerts. Work with the tool vendors to understand their access patterns and exclude them if they are verified as non-threatening.
42
43### Response and remediation
44
45- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
46- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing credential access attempts.
47- Change all Veeam-related credentials and any other potentially compromised credentials stored in the MSSQL database to prevent further unauthorized access.
48- Conduct a thorough review of backup integrity and ensure that no unauthorized modifications or deletions have occurred.
49- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are affected.
50- Implement enhanced monitoring for PowerShell activity and MSSQL database access to detect similar threats in the future.
51- Review and update access controls and permissions for Veeam and MSSQL databases to ensure they follow the principle of least privilege."""
52references = [
53    "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
54    "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/",
55]
56risk_score = 47
57rule_id = "5c602cba-ae00-4488-845d-24de2b6d8055"
58setup = """## Setup
59
60The 'PowerShell Script Block Logging' logging policy must be enabled.
61Steps to implement the logging policy with Advanced Audit Configuration:

1
2Steps to implement the logging policy via registry:

 1"""
 2severity = "medium"
 3tags = [
 4    "Domain: Endpoint",
 5    "OS: Windows",
 6    "Use Case: Threat Detection",
 7    "Tactic: Credential Access",
 8    "Data Source: PowerShell Logs",
 9    "Resources: Investigation Guide",
10]
11timestamp_override = "event.ingested"
12type = "query"
13
14query = '''
15event.category:process and host.os.type:windows and
16  powershell.file.script_block_text : (
17    (
18      "[dbo].[Credentials]" and
19      ("Veeam" or "VeeamBackup")
20    ) or
21    "ProtectedStorage]::GetLocalString"
22  )
23'''
24
25
26[[rule.threat]]
27framework = "MITRE ATT&CK"
28[[rule.threat.technique]]
29id = "T1003"
30name = "OS Credential Dumping"
31reference = "https://attack.mitre.org/techniques/T1003/"
32
33[[rule.threat.technique]]
34id = "T1555"
35name = "Credentials from Password Stores"
36reference = "https://attack.mitre.org/techniques/T1555/"
37
38
39[rule.threat.tactic]
40id = "TA0006"
41name = "Credential Access"
42reference = "https://attack.mitre.org/tactics/TA0006/"
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45[[rule.threat.technique]]
46id = "T1059"
47name = "Command and Scripting Interpreter"
48reference = "https://attack.mitre.org/techniques/T1059/"
49[[rule.threat.technique.subtechnique]]
50id = "T1059.001"
51name = "PowerShell"
52reference = "https://attack.mitre.org/techniques/T1059/001/"
53
54
55
56[rule.threat.tactic]
57id = "TA0002"
58name = "Execution"
59reference = "https://attack.mitre.org/tactics/TA0002/"