Veeam Backup Servers Credential Dumping Script Execution

calendar Aug 12, 2024 · attack.credential-access  ·
Share on: linkedin copy

Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.

Sigma rule (View on GitHub)

 1title: Veeam Backup Servers Credential Dumping Script Execution
 2id: 976d6e6f-a04b-4900-9713-0134a353e38b
 3status: test
 4description: Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.
 5references:
 6    - https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/
 7    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023-05-04
10tags:
11    - attack.credential-access
12logsource:
13    product: windows
14    category: ps_script
15    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
16detection:
17    selection:
18        ScriptBlockText|contains|all:
19            - '[Credentials]'
20            - '[Veeam.Backup.Common.ProtectedStorage]::GetLocalString'
21            - 'Invoke-Sqlcmd'
22            - 'Veeam Backup and Replication'
23    condition: selection
24falsepositives:
25    - Administrators backup scripts (must be investigated)
26level: high

References

  • Retrieving Passwords From Veeam Backup Servers

    Firstly before we get into recovering passwords from the veeam servers we have to think why is this technique so important to know? It’s not what you think, so if you are a red teamer/penetration t...


    Read More

  • FIN7 tradecraft seen in attacks against Veeam backup servers

    WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software. Our research indicates that the intrusion set used in these attacks has overlaps with those attributed to the FIN7 activity group. It is likely that initial access & execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532.


    Read More

Related rules

to-top