
Veeam Backup Servers Credential Dumping Script Execution

Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.

Author: Nasreddine Bencherchali (Nextron Systems)
Created: Thu May 04
Rule ID: 976d6e6f-a04b-4900-9713-0134a353e38b
Product: windows

Log Source
Product: Windows (raw: windows)
Category: PowerShell Script (raw: ps_script)

Definition

bade5735-5ab0-4aa7-a642-a11be0e40872

Detection Logic
detection:
    selection:
        ScriptBlockText|contains|all:
            - '[Credentials]'
            - '[Veeam.Backup.Common.ProtectedStorage]::GetLocalString'
            - 'Invoke-Sqlcmd'
            - 'Veeam Backup and Replication'
    condition: selection
False Positives

Administrator backup scripts (must be investigated)
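To make the selection above concrete, here is an added example (not part of the rule or the SigmaHQ project) that applies the `contains|all` test to constructed PowerShell script block logging events (Event ID 4104) and reports which fragments a near-miss is lacking, which is what an analyst needs when triaging the administrator-script false positive noted above. The events, their field names and the script text are constructed for this example; the four fragments are copied from the rule.

```python
# Sigma `contains|all` selection copied from the rule on this page.
REQUIRED_FRAGMENTS = (
    "[Credentials]",
    "[Veeam.Backup.Common.ProtectedStorage]::GetLocalString",
    "Invoke-Sqlcmd",
    "Veeam Backup and Replication",
)


def matches_rule(script_block_text: str) -> bool:
    """True when every required fragment appears in the script block.

    Sigma string comparisons are case-insensitive by default, so both sides are
    lower-cased. `contains` is a plain substring test, not a regex, so the
    square brackets in the fragments are matched literally.
    """
    haystack = script_block_text.lower()
    return all(f.lower() in haystack for f in REQUIRED_FRAGMENTS)


def missing_fragments(script_block_text: str) -> list:
    """Fragments absent from the script block, for triaging a partial match."""
    haystack = script_block_text.lower()
    return [f for f in REQUIRED_FRAGMENTS if f.lower() not in haystack]


# Constructed sample 4104 records (not real logs). The first carries all four
# fragments, deliberately with non-functional placeholder arguments; the second
# is a benign job-report script that shares two of the fragments.
SAMPLE_EVENTS = [
    {
        "EventID": 4104,
        "ScriptBlockText": (
            "# Veeam Backup and Replication credential export\n"
            "$rows = invoke-sqlcmd -Query '<query> FROM [Credentials]'\n"
            "[Veeam.Backup.Common.ProtectedStorage]::GetLocalString(<value>)"
        ),
    },
    {
        "EventID": 4104,
        "ScriptBlockText": (
            "# Nightly Veeam Backup and Replication job report\n"
            "$jobs = Invoke-Sqlcmd -Query '<query> FROM [Backup.Model.JobSessions]'\n"
            "$jobs | Export-Csv C:\\Reports\\veeam_jobs.csv"
        ),
    },
]


def evaluate(events) -> list:
    """Apply the selection per event; only 4104 events carry ScriptBlockText."""
    return [e.get("EventID") == 4104 and matches_rule(e.get("ScriptBlockText", ""))
            for e in events]
```

Running `evaluate(SAMPLE_EVENTS)` flags only the first event; `missing_fragments` on the second shows it lacks the `[Credentials]` table reference and the `GetLocalString` call, which is the quickest way to tell a reporting script from a credential export.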

MITRE ATT&CK
Rule Metadata
Rule ID: 976d6e6f-a04b-4900-9713-0134a353e38b
Status: test
Level: high
Type: Detection
Created: Thu May 04
Path: rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml
Raw Tags: attack.credential-access