Veeam Backup Library Loaded by Unusual Process
Identifies potential credential decryption by PowerShell, or by unsigned or untrusted-signature processes, that load the Veeam.Backup.Common.dll library. Attackers who recover Veeam credentials can use them to target backups as part of destructive operations such as ransomware attacks.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2024/03/14"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies potential credential decrypt operations by PowerShell or unsigned processes using the Veeam.Backup.Common.dll
library. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware
attacks.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Veeam Backup Library Loaded by Unusual Process"
risk_score = 47
rule_id = "aaab30ec-b004-4191-95e1-4a14387ef6a6"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
library where host.os.type == "windows" and event.action == "load" and
  (dll.name : "Veeam.Backup.Common.dll" or dll.pe.original_file_name : "Veeam.Backup.Common.dll") and
  (
    process.code_signature.trusted == false or
    process.code_signature.exists == false or
    process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
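To make the query's branches concrete, the following is an added example (not Elastic's code and not part of the rule above): a plain-Python re-implementation of the EQL predicate, run over constructed ECS-style library-load events. The event shapes, process names and signature values are made up to exercise each branch: the signed Veeam service (benign), a signed PowerShell host, an unsigned binary, a renamed DLL caught through `dll.pe.original_file_name`, an event with no signature fields at all, and a non-Windows host. Two details of EQL semantics are reproduced deliberately: the `:` operator compares strings case-insensitively, and `== false` on a field that is absent does not match.

```python
"""Added example (not Elastic's code): a plain-Python mirror of the rule's EQL
predicate, exercised against constructed ECS-style library-load events."""

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
TARGET_DLL = "veeam.backup.common.dll"


def _get(event, *path):
    """Walk a nested dict; return None for any missing level (an unset ECS field)."""
    cur = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches_rule(event):
    """Mirror of the EQL query.

    ':' in EQL is a case-insensitive string match, so dll.name,
    dll.pe.original_file_name and process.name are lower-cased first.
    '== false' on a missing field does not match, so the signature checks
    test for an explicit False rather than "not truthy".
    """
    if _get(event, "host", "os", "type") != "windows":
        return False
    if _get(event, "event", "action") != "load":
        return False
    dll_name = (_get(event, "dll", "name") or "").lower()
    original = (_get(event, "dll", "pe", "original_file_name") or "").lower()
    if TARGET_DLL not in (dll_name, original):
        return False
    trusted = _get(event, "process", "code_signature", "trusted")
    exists = _get(event, "process", "code_signature", "exists")
    proc_name = (_get(event, "process", "name") or "").lower()
    return trusted is False or exists is False or proc_name in POWERSHELL_HOSTS


def _event(proc_name, dll_name, trusted=None, exists=None, original=None,
           os_type="windows"):
    """Build a minimal constructed event in the shape the rule reads."""
    sig = {}
    if trusted is not None:
        sig["trusted"] = trusted
    if exists is not None:
        sig["exists"] = exists
    ev = {
        "host": {"os": {"type": os_type}},
        "event": {"action": "load"},
        "process": {"name": proc_name, "code_signature": sig},
        "dll": {"name": dll_name},
    }
    if original is not None:
        ev["dll"]["pe"] = {"original_file_name": original}
    return ev


# Constructed sample events (hypothetical process names) covering the benign
# case and each alerting branch of the query.
SAMPLE_EVENTS = [
    # Veeam's own signed service loading its library: benign, must not alert.
    _event("Veeam.Backup.Service.exe", "Veeam.Backup.Common.dll", trusted=True, exists=True),
    # Signed PowerShell host: alerts via the process.name branch (case-insensitive).
    _event("PowerShell.exe", "Veeam.Backup.Common.dll", trusted=True, exists=True),
    # Unsigned binary: alerts via code_signature.exists == false.
    _event("backup-tool.exe", "Veeam.Backup.Common.dll", exists=False),
    # Renamed copy of the DLL caught by its PE original file name, loaded by a
    # process whose signature failed validation (trusted == false).
    _event("helper.exe", "common.dll", trusted=False, exists=True,
           original="Veeam.Backup.Common.dll"),
    # Signature fields absent entirely: neither '== false' clause matches, no alert.
    _event("installer.exe", "Veeam.Backup.Common.dll"),
    # Non-Windows host is filtered out before anything else is evaluated.
    _event("pwsh", "Veeam.Backup.Common.dll", trusted=True, exists=True, os_type="linux"),
]


def alerting_processes(events):
    """Return the process names of the events the rule would alert on, in order."""
    return [_get(e, "process", "name") for e in events if matches_rule(e)]


if __name__ == "__main__":
    for name in alerting_processes(SAMPLE_EVENTS):
        print("ALERT:", name)
```

Two things the run makes visible that the query alone does not. First, the fifth event shows that a process with no `process.code_signature` fields at all is not caught by either signature clause; with Elastic Defend as the data source those fields are normally populated, but the rule depends on it. Second, the only trusted-signed processes the rule alerts on are the three PowerShell hosts; any other validly signed binary loading the library is treated as normal, so a tuning pass on your own telemetry should confirm which signed processes legitimately load Veeam.Backup.Common.dll.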
Related rules
- Potential Remote Credential Access via Registry
- Access to Keychain Credentials Directories
- Delayed Execution via Ping
- Dumping Account Hashes via Built-In Commands
- Dumping of Keychain Content via Security Command