Potential Veeam Credential Access Command

calendar May 22, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Defense Evasion Tactic: Credential Access Data Source: Elastic Endgame Data Source: Elastic Defend  ·
Share on: linkedin copy

Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/03/14"
 3integration = ["windows", "endpoint", "system"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam
11Credentials to target backups as part of destructive operations such as Ransomware attacks.
12"""
13from = "now-9m"
14index = [
15    "winlogbeat-*",
16    "logs-endpoint.events.process-*",
17    "logs-windows.*",
18    "endgame-*",
19    "logs-system.security*",
20]
21language = "eql"
22license = "Elastic License v2"
23name = "Potential Veeam Credential Access Command"
24references = ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"]
25risk_score = 47
26rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247"
27severity = "medium"
28tags = [
29    "Domain: Endpoint",
30    "OS: Windows",
31    "Use Case: Threat Detection",
32    "Tactic: Defense Evasion",
33    "Tactic: Credential Access",
34    "Data Source: Elastic Endgame",
35    "Data Source: Elastic Defend",
36]
37timestamp_override = "event.ingested"
38type = "eql"
39
40query = '''
41process where host.os.type == "windows" and event.type == "start" and
42  (
43    (process.name : "sqlcmd.exe" or process.pe.original_file_name : "sqlcmd.exe") or
44    process.args : ("Invoke-Sqlcmd", "Invoke-SqlExecute", "Invoke-DbaQuery", "Invoke-SqlQuery")
45  ) and
46  process.args : "*[VeeamBackup].[dbo].[Credentials]*"
47'''
48
49
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52[[rule.threat.technique]]
53id = "T1003"
54name = "OS Credential Dumping"
55reference = "https://attack.mitre.org/techniques/T1003/"
56
57[[rule.threat.technique]]
58id = "T1555"
59name = "Credentials from Password Stores"
60reference = "https://attack.mitre.org/techniques/T1555/"
61
62
63[rule.threat.tactic]
64id = "TA0006"
65name = "Credential Access"
66reference = "https://attack.mitre.org/tactics/TA0006/"
67[[rule.threat]]
68framework = "MITRE ATT&CK"
69[[rule.threat.technique]]
70id = "T1059"
71name = "Command and Scripting Interpreter"
72reference = "https://attack.mitre.org/techniques/T1059/"
73[[rule.threat.technique.subtechnique]]
74id = "T1059.001"
75name = "PowerShell"
76reference = "https://attack.mitre.org/techniques/T1059/001/"
77
78
79
80[rule.threat.tactic]
81id = "TA0002"
82name = "Execution"
83reference = "https://attack.mitre.org/tactics/TA0002/"

References

  • Diavol Ransomware

    In the past, threat actors have used BazarLoader to deploy Ryuk and Conti ransomware, as reported on many occasions. In this intrusion, however, a BazarLoader infection resulted in deployment of Di…


    Read More

Related rules

to-top