Potential Veeam Credential Access Command
Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/03/14"
3integration = ["windows", "endpoint", "system"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/14"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam
13Credentials to target backups as part of destructive operations such as Ransomware attacks.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Potential Veeam Credential Access Command"
20references = [
21 "https://thedfirreport.com/2021/12/13/diavol-ransomware/"
22]
23risk_score = 47
24rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247"
25severity = "medium"
26tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
27timestamp_override = "event.ingested"
28type = "eql"
29
30query = '''
31process where host.os.type == "windows" and event.type == "start" and
32 (
33 (process.name : "sqlcmd.exe" or process.pe.original_file_name : "sqlcmd.exe") or
34 process.args : ("Invoke-Sqlcmd", "Invoke-SqlExecute", "Invoke-DbaQuery", "Invoke-SqlQuery")
35 ) and
36 process.args : "*[VeeamBackup].[dbo].[Credentials]*"
37'''
38
39
40[[rule.threat]]
41framework = "MITRE ATT&CK"
42[[rule.threat.technique]]
43id = "T1003"
44name = "OS Credential Dumping"
45reference = "https://attack.mitre.org/techniques/T1003/"
46[[rule.threat.technique]]
47id = "T1555"
48name = "Credentials from Password Stores"
49reference = "https://attack.mitre.org/techniques/T1555/"
50
51
52
53[rule.threat.tactic]
54id = "TA0006"
55name = "Credential Access"
56reference = "https://attack.mitre.org/tactics/TA0006/"
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1059"
61name = "Command and Scripting Interpreter"
62reference = "https://attack.mitre.org/techniques/T1059/"
63[[rule.threat.technique.subtechnique]]
64id = "T1059.001"
65name = "PowerShell"
66reference = "https://attack.mitre.org/techniques/T1059/001/"
67
68
69
70[rule.threat.tactic]
71id = "TA0002"
72name = "Execution"
73reference = "https://attack.mitre.org/tactics/TA0002/"
References
-
In this report, we observed threat actors deploy multiple Cobalt Strike DLL beacons, perform internal discovery using Windows utilities, execute lateral movement using AnyDesk and RDP, dump credentials multiple ways, exfiltrate data and deploy domain wide ransomware in as little as 42 hours from initial access.
Read More
Related rules
- MS Office Macro Security Registry Modifications
- Potential Credential Access via Renamed COM+ Services DLL
- Suspicious Managed Code Hosting Process
- Suspicious Script Object Execution
- WebServer Access Logs Deleted