Veeam Backup Library Loaded by Unusual Process
Identifies potential credential decryption by PowerShell or by unsigned (or untrusted-signature) processes that load the Veeam.Backup.Common.dll library. Attackers who obtain Veeam credentials can use them to target backups as part of destructive operations such as ransomware attacks.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2024/03/14"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/28"

[rule]
author = ["Elastic"]
description = """
Identifies potential credential decrypt operations by PowerShell or unsigned processes using the Veeam.Backup.Common.dll
library. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware
attacks.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Veeam Backup Library Loaded by Unusual Process"
risk_score = 47
rule_id = "aaab30ec-b004-4191-95e1-4a14387ef6a6"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
library where host.os.type == "windows" and event.action == "load" and
 (dll.name : "Veeam.Backup.Common.dll" or dll.pe.original_file_name : "Veeam.Backup.Common.dll") and
 (
 process.code_signature.trusted == false or
 process.code_signature.exists == false or
 process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
 )
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
```
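To see which library-load events the query above actually fires on, the following Python reproduces the rule's predicate clause by clause and runs it over a handful of constructed events. This is an added example, not Elastic's code or its EQL engine; the events, process names (`updater.exe`, `helper.exe`, `backup-tool.exe`) and field values are constructed for illustration and do not come from real telemetry. It also covers two details a tuner should know: EQL's `:` operator compares strings case-insensitively, and `== false` does not match a field that is absent from the event.

```python
"""
Evaluate the rule's EQL predicate in Python over constructed library-load events.

Added example, not Elastic's code. Events are flat dicts keyed by dotted ECS
field name; every sample event and process name below is constructed.
"""
from __future__ import annotations

from typing import Any

VEEAM_DLL = "Veeam.Backup.Common.dll"
POWERSHELL_HOSTS = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")


def _ci_match(value: Any, *expected: str) -> bool:
    """EQL ':' compares strings case-insensitively; a missing field never matches."""
    return isinstance(value, str) and value.lower() in {e.lower() for e in expected}


def matches_rule(event: dict[str, Any]) -> bool:
    """True when `event` satisfies the rule query (same clause order as the EQL)."""
    if event.get("event.category") != "library":  # `library where ...`
        return False
    if event.get("host.os.type") != "windows" or event.get("event.action") != "load":
        return False
    # Match the on-disk name OR the PE's embedded original name, so simply
    # renaming the DLL on disk does not evade the check.
    if not (_ci_match(event.get("dll.name"), VEEAM_DLL)
            or _ci_match(event.get("dll.pe.original_file_name"), VEEAM_DLL)):
        return False
    # EQL `== false` only matches a field that is present and false; an absent
    # field is not treated as false, which is why the rule separately checks
    # `process.code_signature.exists == false` for unsigned binaries.
    untrusted = event.get("process.code_signature.trusted") is False
    unsigned = event.get("process.code_signature.exists") is False
    shell = _ci_match(event.get("process.name"), *POWERSHELL_HOSTS)
    return untrusted or unsigned or shell


def matching_indices(events: list[dict[str, Any]]) -> list[int]:
    """Indices of the events that would raise this alert."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


def _load(**fields: Any) -> dict[str, Any]:
    """Constructed Windows library-load event with the given extra fields."""
    event = {"event.category": "library", "event.action": "load", "host.os.type": "windows"}
    event.update(fields)
    return event


# Constructed sample telemetry (not real endpoint data).
SAMPLE_EVENTS: list[dict[str, Any]] = [
    # 0: Veeam's own signed, trusted process loading its library -> no alert.
    _load(**{"process.name": "Veeam.Backup.Service.exe", "dll.name": VEEAM_DLL,
             "process.code_signature.exists": True, "process.code_signature.trusted": True}),
    # 1: trusted, signed PowerShell loading the library -> alert (process.name clause).
    _load(**{"process.name": "powershell.exe", "dll.name": VEEAM_DLL,
             "process.code_signature.exists": True, "process.code_signature.trusted": True}),
    # 2: unsigned binary loading the library -> alert (exists == false).
    _load(**{"process.name": "updater.exe", "dll.name": VEEAM_DLL,
             "process.code_signature.exists": False}),
    # 3: signed-but-untrusted binary loading a renamed copy; caught via original_file_name.
    _load(**{"process.name": "helper.exe", "dll.name": "common.dll",
             "dll.pe.original_file_name": VEEAM_DLL,
             "process.code_signature.exists": True, "process.code_signature.trusted": False}),
    # 4: PowerShell loading an unrelated DLL -> no alert.
    _load(**{"process.name": "pwsh.exe", "dll.name": "System.Management.Automation.dll",
             "process.code_signature.exists": True, "process.code_signature.trusted": True}),
    # 5: case differs in both names; EQL ':' still matches -> alert.
    _load(**{"process.name": "PWSH.EXE", "dll.name": "VEEAM.BACKUP.COMMON.DLL",
             "process.code_signature.exists": True, "process.code_signature.trusted": True}),
    # 6: signature fields absent entirely -> no alert, because `== false`
    #    does not match a missing field. Worth knowing when tuning.
    _load(**{"process.name": "backup-tool.exe", "dll.name": VEEAM_DLL}),
]


if __name__ == "__main__":
    for i in matching_indices(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event[{i}]: {e['process.name']} loaded {e['dll.name']}")
```

Two tuning consequences follow from the predicate. Administrators who drive Veeam from its PowerShell module will load this DLL inside `pwsh.exe` or `powershell.exe` and trip the rule regardless of signature, so expected backup-admin users and hosts are the natural exception. Conversely, a loader that is signed and trusted but is not one of the three PowerShell hosts is never matched, so a pivot through a trusted signed binary is out of this rule's scope and needs separate coverage.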
Related rules
- Command Shell Activity Started via RunDLL32
- Creation or Modification of Domain Backup DPAPI private key
- Credential Acquisition via Registry Hive Dumping
- Full User-Mode Dumps Enabled System-Wide
- Kerberos Traffic from Unusual Process