Potential Veeam Credential Access Command
Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/03/14"
3integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam
13Credentials to target backups as part of destructive operations such as Ransomware attacks.
14"""
15from = "now-9m"
16index = [
17 "winlogbeat-*",
18 "logs-endpoint.events.process-*",
19 "logs-windows.forwarded*",
20 "logs-windows.sysmon_operational-*",
21 "endgame-*",
22 "logs-system.security*",
23 "logs-m365_defender.event-*",
24 "logs-sentinel_one_cloud_funnel.*",
25]
26language = "eql"
27license = "Elastic License v2"
28name = "Potential Veeam Credential Access Command"
29references = ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"]
30risk_score = 47
31rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247"
32severity = "medium"
33tags = [
34 "Domain: Endpoint",
35 "OS: Windows",
36 "Use Case: Threat Detection",
37 "Tactic: Defense Evasion",
38 "Tactic: Credential Access",
39 "Data Source: Elastic Endgame",
40 "Data Source: Elastic Defend",
41 "Data Source: System",
42 "Data Source: Microsoft Defender for Endpoint",
43 "Data Source: Sysmon",
44 "Data Source: SentinelOne",
45]
46timestamp_override = "event.ingested"
47type = "eql"
48
49query = '''
50process where host.os.type == "windows" and event.type == "start" and
51 (
52 (process.name : "sqlcmd.exe" or ?process.pe.original_file_name : "sqlcmd.exe") or
53 process.args : ("Invoke-Sqlcmd", "Invoke-SqlExecute", "Invoke-DbaQuery", "Invoke-SqlQuery")
54 ) and
55 process.args : "*[VeeamBackup].[dbo].[Credentials]*"
56'''
57
58
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1003"
63name = "OS Credential Dumping"
64reference = "https://attack.mitre.org/techniques/T1003/"
65
66[[rule.threat.technique]]
67id = "T1555"
68name = "Credentials from Password Stores"
69reference = "https://attack.mitre.org/techniques/T1555/"
70
71
72[rule.threat.tactic]
73id = "TA0006"
74name = "Credential Access"
75reference = "https://attack.mitre.org/tactics/TA0006/"
76[[rule.threat]]
77framework = "MITRE ATT&CK"
78[[rule.threat.technique]]
79id = "T1059"
80name = "Command and Scripting Interpreter"
81reference = "https://attack.mitre.org/techniques/T1059/"
82[[rule.threat.technique.subtechnique]]
83id = "T1059.001"
84name = "PowerShell"
85reference = "https://attack.mitre.org/techniques/T1059/001/"
86
87
88
89[rule.threat.tactic]
90id = "TA0002"
91name = "Execution"
92reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- Potential Local NTLM Relay via HTTP
- Adding Hidden File Attribute via Attrib
- Attempt to Install Kali Linux via WSL
- Bypass UAC via Event Viewer
- Clearing Windows Console History