Potential Veeam Credential Access Command
Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/03/14"
3integration = ["windows", "endpoint", "system"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/14"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam
13Credentials to target backups as part of destructive operations such as Ransomware attacks.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Potential Veeam Credential Access Command"
20references = [
21 "https://thedfirreport.com/2021/12/13/diavol-ransomware/"
22]
23risk_score = 47
24rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247"
25severity = "medium"
26tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
27timestamp_override = "event.ingested"
28type = "eql"
29
30query = '''
31process where host.os.type == "windows" and event.type == "start" and
32 (
33 (process.name : "sqlcmd.exe" or process.pe.original_file_name : "sqlcmd.exe") or
34 process.args : ("Invoke-Sqlcmd", "Invoke-SqlExecute", "Invoke-DbaQuery", "Invoke-SqlQuery")
35 ) and
36 process.args : "*[VeeamBackup].[dbo].[Credentials]*"
37'''
38
39
40[[rule.threat]]
41framework = "MITRE ATT&CK"
42[[rule.threat.technique]]
43id = "T1003"
44name = "OS Credential Dumping"
45reference = "https://attack.mitre.org/techniques/T1003/"
46[[rule.threat.technique]]
47id = "T1555"
48name = "Credentials from Password Stores"
49reference = "https://attack.mitre.org/techniques/T1555/"
50
51
52
53[rule.threat.tactic]
54id = "TA0006"
55name = "Credential Access"
56reference = "https://attack.mitre.org/tactics/TA0006/"
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1059"
61name = "Command and Scripting Interpreter"
62reference = "https://attack.mitre.org/techniques/T1059/"
63[[rule.threat.technique.subtechnique]]
64id = "T1059.001"
65name = "PowerShell"
66reference = "https://attack.mitre.org/techniques/T1059/001/"
67
68
69
70[rule.threat.tactic]
71id = "TA0002"
72name = "Execution"
73reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- MS Office Macro Security Registry Modifications
- Potential Credential Access via Renamed COM+ Services DLL
- Suspicious Managed Code Hosting Process
- Suspicious Script Object Execution
- WebServer Access Logs Deleted