Potential Veeam Credential Access Command
Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam credentials to target backups as part of destructive operations such as ransomware attacks.
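# Elastic detection rule: Potential Veeam Credential Access Command.
# Alerts on Windows process-start events where sqlcmd.exe, or one of the listed
# PowerShell SQL cmdlets, is invoked with an argument that references Veeam's
# credential table in MSSQL.
[metadata]
creation_date = "2024/03/14"
# Elastic integrations whose indices the rule reads (see `index` under [rule]).
integration = ["windows", "endpoint", "system"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam
Credentials to target backups as part of destructive operations such as Ransomware attacks.
"""
# Look-back window for each rule execution.
from = "now-9m"
index = [
  "winlogbeat-*",
  "logs-endpoint.events.process-*",
  "logs-windows.*",
  "endgame-*",
  "logs-system.security*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Veeam Credential Access Command"
references = ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"]
risk_score = 47
rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247"
severity = "medium"
# NOTE(review): "Tactic: Defense Evasion" has no matching tactic in the
# [[rule.threat]] entries below (only TA0006 and TA0002 are mapped); either add
# the mapping or drop the tag so the tags and the ATT&CK mapping agree.
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Tactic: Credential Access",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
]
# Query on ingest time rather than event time so late-arriving events still
# fall inside the look-back window.
timestamp_override = "event.ingested"
type = "eql"

# Matches a Windows process-start event when either
#  - the process is sqlcmd.exe (by name or by PE original file name), or
#  - any argument equals one of the listed PowerShell SQL cmdlet names,
# and, in addition, an argument contains the Veeam credential table path.
# The ":" operator is a case-insensitive match in which "*" is a wildcard;
# "[" and "]" are literal characters here, not character classes.
# Legitimate DBA or Veeam maintenance activity can hit this pattern; if it
# fires in your environment, tune on the user, host or parent process.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 (
 (process.name : "sqlcmd.exe" or process.pe.original_file_name : "sqlcmd.exe") or
 process.args : ("Invoke-Sqlcmd", "Invoke-SqlExecute", "Invoke-DbaQuery", "Invoke-SqlQuery")
 ) and
 process.args : "*[VeeamBackup].[dbo].[Credentials]*"
'''

# ATT&CK mapping 1: Credential Access (TA0006).
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

# ATT&CK mapping 2: Execution (TA0002) via PowerShell, presumably for the
# cmdlet branch of the query.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"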