Potential Veeam Credential Access Command
Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam credentials to target backups as part of destructive operations such as ransomware attacks.
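# Elastic prebuilt detection rule "Potential Veeam Credential Access Command".
# Alerts on a Windows process start whose command line both invokes a SQL
# client (sqlcmd.exe or a PowerShell SQL cmdlet) and references the
# [VeeamBackup].[dbo].[Credentials] table — the MSSQL table the description
# below identifies as the Veeam credential store.

[metadata]
creation_date = "2024/03/14"
# Every integration listed here should have a matching index pattern in
# [rule].index and a "Data Source:" tag in [rule].tags.
integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/11/02"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam
Credentials to target backups as part of destructive operations such as Ransomware attacks.
"""
# Look-back window evaluated on each scheduled run.
from = "now-9m"
# One pattern per data source: the metadata.integration entries plus the
# Winlogbeat, Endgame and Sysmon process-event streams.
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Veeam Credential Access Command"
references = ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"]
# risk_score and severity are paired (47 <-> "medium"); change both together.
risk_score = 47
rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247"
severity = "medium"
# NOTE(review): "Tactic: Defense Evasion" has no corresponding [[rule.threat]]
# mapping below (only Credential Access and Execution are mapped); confirm
# whether the tag or the threat mapping is the one to update.
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Credential Access",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: System",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
]
# Evaluate against ingest time rather than event time so late-arriving
# events still fall inside the look-back window.
timestamp_override = "event.ingested"
type = "eql"

# Match logic (EQL `:` is a case-insensitive match that honours `*` wildcards):
#   - the process is sqlcmd.exe by name or by PE original file name — the
#     leading `?` marks the PE field optional, so events that lack it are
#     still evaluated on process.name — OR its arguments contain one of the
#     listed PowerShell SQL cmdlets; AND
#   - its arguments contain the [VeeamBackup].[dbo].[Credentials] table name.
# Scope: only process.args is inspected; the rule does not see the contents
# of script files the SQL client may be reading.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 (
 (process.name : "sqlcmd.exe" or ?process.pe.original_file_name : "sqlcmd.exe") or
 process.args : ("Invoke-Sqlcmd", "Invoke-SqlExecute", "Invoke-DbaQuery", "Invoke-SqlQuery")
 ) and
 process.args : "*[VeeamBackup].[dbo].[Credentials]*"
'''

# ATT&CK mapping 1: Credential Access (T1003, T1555).
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"

# Sub-table of the [[rule.threat]] element opened above; it must stay before
# the next [[rule.threat]] header or it attaches to the wrong element.
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

# ATT&CK mapping 2: Execution via PowerShell (T1059.001).
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"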