PowerShell Script with Veeam Credential Access Capabilities
Identifies PowerShell scripts that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/03/14"
3integration = ["windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies PowerShell scripts that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use
11Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.
12"""
13from = "now-9m"
14index = ["winlogbeat-*", "logs-windows.powershell*"]
15language = "kuery"
16license = "Elastic License v2"
17name = "PowerShell Script with Veeam Credential Access Capabilities"
18references = [
19 "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
20 "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/",
21]
22risk_score = 47
23rule_id = "5c602cba-ae00-4488-845d-24de2b6d8055"
24setup = """## Setup
25
26The 'PowerShell Script Block Logging' logging policy must be enabled.
27Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)
1
2Steps to implement the logging policy via registry:
reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
1"""
2severity = "medium"
3tags = [
4 "Domain: Endpoint",
5 "OS: Windows",
6 "Use Case: Threat Detection",
7 "Tactic: Credential Access",
8 "Data Source: PowerShell Logs",
9]
10timestamp_override = "event.ingested"
11type = "query"
12
13query = '''
14event.category:process and host.os.type:windows and
15 powershell.file.script_block_text : (
16 (
17 "[dbo].[Credentials]" and
18 ("Veeam" or "VeeamBackup")
19 ) or
20 "ProtectedStorage]::GetLocalString"
21 )
22'''
23
24
25[[rule.threat]]
26framework = "MITRE ATT&CK"
27[[rule.threat.technique]]
28id = "T1003"
29name = "OS Credential Dumping"
30reference = "https://attack.mitre.org/techniques/T1003/"
31
32[[rule.threat.technique]]
33id = "T1555"
34name = "Credentials from Password Stores"
35reference = "https://attack.mitre.org/techniques/T1555/"
36
37
38[rule.threat.tactic]
39id = "TA0006"
40name = "Credential Access"
41reference = "https://attack.mitre.org/tactics/TA0006/"
42[[rule.threat]]
43framework = "MITRE ATT&CK"
44[[rule.threat.technique]]
45id = "T1059"
46name = "Command and Scripting Interpreter"
47reference = "https://attack.mitre.org/techniques/T1059/"
48[[rule.threat.technique.subtechnique]]
49id = "T1059.001"
50name = "PowerShell"
51reference = "https://attack.mitre.org/techniques/T1059/001/"
52
53
54
55[rule.threat.tactic]
56id = "TA0002"
57name = "Execution"
58reference = "https://attack.mitre.org/tactics/TA0002/"
References
-
Veeam Community discussions and solutions for: Recover ESXi password in Veeam of Veeam Backup & Replication
Read More -
Read this blog on the anatomy of an ALPHA SPIDER ransomware attack to better understand how they operate and how to better protect your business.
Read More
Related rules
- Potential Invoke-Mimikatz PowerShell Script
- PowerShell Kerberos Ticket Request
- PowerShell MiniDump Script
- Command Shell Activity Started via RunDLL32
- Credential Acquisition via Registry Hive Dumping