Veeam Backup Library Loaded by Unusual Process
Identifies potential credential decryption operations by PowerShell or unsigned processes using the Veeam.Backup.Common.dll library. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.
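[metadata]
creation_date = "2024/03/14"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies potential credential decrypt operations by PowerShell or unsigned processes using the Veeam.Backup.Common.dll
library. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware
attacks.
"""
# Look-back window for each rule execution. Together with timestamp_override
# below, the rule is evaluated against ingest time, so events that arrive late
# (e.g. an endpoint that was offline) are still considered within this window.
from = "now-9m"
# Only Elastic Defend library-load events are consulted; the query below is
# scoped to "library where ..." accordingly.
index = ["logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Veeam Backup Library Loaded by Unusual Process"
risk_score = 47
rule_id = "aaab30ec-b004-4191-95e1-4a14387ef6a6"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Credential Access",
  "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"

# Detection logic (EQL over Windows library-load events):
# - The DLL is matched by on-disk name OR by the PE header's original file name,
#   so a renamed copy of Veeam.Backup.Common.dll is still caught.
# - An alert fires when the loading process has an untrusted signature, has no
#   signature at all, or is one of the listed PowerShell hosts regardless of its
#   signature state. The third branch exists because the two signature branches
#   alone would not cover scripted use of the library from a PowerShell host.
# Tuning note (review): legitimate Veeam administration from PowerShell would
# presumably also load this library -- confirm in your environment and add
# exceptions on the specific script/command line rather than dropping the
# PowerShell branch, which is the case the rule is primarily meant to catch.
query = '''
library where host.os.type == "windows" and event.action == "load" and
  (dll.name : "Veeam.Backup.Common.dll" or dll.pe.original_file_name : "Veeam.Backup.Common.dll") and
  (
    process.code_signature.trusted == false or
    process.code_signature.exists == false or
    process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
  )
'''

# Primary mapping: the library is the component used for credential decryption
# (see description), hence Credential Access.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

# Secondary mapping: covers the PowerShell-host branch of the query.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"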
Related rules
- Command Shell Activity Started via RunDLL32
- Credential Acquisition via Registry Hive Dumping
- Full User-Mode Dumps Enabled System-Wide
- Kerberos Traffic from Unusual Process
- Microsoft IIS Connection Strings Decryption