Potential Veeam Credential Access Command

Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/03/14"
 3integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam
13Credentials to target backups as part of destructive operations such as Ransomware attacks.
14"""
15from = "now-9m"
16index = [
17    "winlogbeat-*",
18    "logs-endpoint.events.process-*",
19    "logs-windows.forwarded*",
20    "logs-windows.sysmon_operational-*",
21    "endgame-*",
22    "logs-system.security*",
23    "logs-m365_defender.event-*",
24    "logs-sentinel_one_cloud_funnel.*",
25]
26language = "eql"
27license = "Elastic License v2"
28name = "Potential Veeam Credential Access Command"
29references = ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"]
30risk_score = 47
31rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247"
32severity = "medium"
33tags = [
34    "Domain: Endpoint",
35    "OS: Windows",
36    "Use Case: Threat Detection",
37    "Tactic: Defense Evasion",
38    "Tactic: Credential Access",
39    "Data Source: Elastic Endgame",
40    "Data Source: Elastic Defend",
41    "Data Source: System",
42    "Data Source: Microsoft Defender for Endpoint",
43    "Data Source: Sysmon",
44    "Data Source: SentinelOne",
45]
46timestamp_override = "event.ingested"
47type = "eql"
48
49query = '''
50process where host.os.type == "windows" and event.type == "start" and
51  (
52    (process.name : "sqlcmd.exe" or ?process.pe.original_file_name : "sqlcmd.exe") or
53    process.args : ("Invoke-Sqlcmd", "Invoke-SqlExecute", "Invoke-DbaQuery", "Invoke-SqlQuery")
54  ) and
55  process.args : "*[VeeamBackup].[dbo].[Credentials]*"
56'''
57
58
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1003"
63name = "OS Credential Dumping"
64reference = "https://attack.mitre.org/techniques/T1003/"
65
66[[rule.threat.technique]]
67id = "T1555"
68name = "Credentials from Password Stores"
69reference = "https://attack.mitre.org/techniques/T1555/"
70
71
72[rule.threat.tactic]
73id = "TA0006"
74name = "Credential Access"
75reference = "https://attack.mitre.org/tactics/TA0006/"
76[[rule.threat]]
77framework = "MITRE ATT&CK"
78[[rule.threat.technique]]
79id = "T1059"
80name = "Command and Scripting Interpreter"
81reference = "https://attack.mitre.org/techniques/T1059/"
82[[rule.threat.technique.subtechnique]]
83id = "T1059.001"
84name = "PowerShell"
85reference = "https://attack.mitre.org/techniques/T1059/001/"
86
87
88
89[rule.threat.tactic]
90id = "TA0002"
91name = "Execution"
92reference = "https://attack.mitre.org/tactics/TA0002/"

References

Related rules

to-top