Veeam Backup Servers Credential Dumping Script Execution
Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.
Sigma rule (View on GitHub)
1title: Veeam Backup Servers Credential Dumping Script Execution
2id: 976d6e6f-a04b-4900-9713-0134a353e38b
3status: test
4description: Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.
5references:
6 - https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/
7 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2023/05/04
10tags:
11 - attack.credential_access
12logsource:
13 product: windows
14 category: ps_script
15 definition: bade5735-5ab0-4aa7-a642-a11be0e40872
16detection:
17 selection:
18 ScriptBlockText|contains|all:
19 - '[Credentials]'
20 - '[Veeam.Backup.Common.ProtectedStorage]::GetLocalString'
21 - 'Invoke-Sqlcmd'
22 - 'Veeam Backup and Replication'
23 condition: selection
24falsepositives:
25 - Administrators backup scripts (must be investigated)
26level: high
References
-
Firstly before we get into recovering passwords from the veeam servers we have to think why is this technique so important to know? It’s not what you think, so if you are a red teamer/penetration t...
Read More -
WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software. Our research indicates that the intrusion set used in these attacks has overlaps with those attributed to the FIN7 activity group. It is likely that initial access & execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532.
Read More
Related rules
- HackTool - Certify Execution
- HackTool - Certipy Execution
- HackTool - Rubeus Execution - ScriptBlock
- NTDS.DIT Created
- Remote Thread Created In KeePass.EXE