Windows PowerShell Veeam backup servers credential dumping script execution
Goal
Detects execution of PowerShell scripts attempting to extract credentials from Veeam Backup servers.
Strategy
This rule monitors PowerShell script block logging (Windows event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) for scripts that interact with Veeam Backup's protected storage. Veeam Backup and Replication keeps the credentials it uses for hosts and repositories encrypted in its configuration database; a script that reads them out typically queries that database with SQL and then decrypts each value locally. The detection therefore identifies script blocks that access Veeam.Backup.Common.ProtectedStorage, call its GetLocalString method, and execute SQL commands, a combination commonly used to extract stored credentials from Veeam Backup and Replication servers.
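As an added example (not part of this rule or of Datadog's implementation), the Python below runs the detection logic described above over a few constructed script block log events. It also handles a caveat that matters because the rule requires all three indicators together: script block logging splits a long script across several 4104 events that share a ScriptBlockId, so the indicators can land in different chunks and have to be matched against the reassembled script rather than each event on its own. The flat event layout (Computer, User, ScriptBlockId, MessageNumber, ScriptBlockText), the sample events and the regular expressions are this example's own assumptions.

```python
"""Scan PowerShell script block events (event ID 4104) for the Veeam
credential-dumping indicators: the ProtectedStorage class, GetLocalString,
and a SQL query against the Veeam credentials table.

Added example; the event layout below is an assumed flattening of 4104
EventData fields, not a real collector's schema.
"""
import re
from collections import defaultdict

# Indicators named in the rule, matched case-insensitively. The SQL pattern
# requires SELECT ... FROM ... Credentials so that PowerShell's Select-Object
# alone does not trigger it.
INDICATORS = {
    "protected_storage": re.compile(r"Veeam\.Backup\.Common\.ProtectedStorage", re.I),
    "get_local_string": re.compile(r"\bGetLocalString\b", re.I),
    "sql_query": re.compile(r"\bSELECT\b.*?\bFROM\b.*?\bCredentials\b", re.I | re.S),
}

# Constructed sample events (not real telemetry). The suspicious script is
# logged as two chunks sharing ScriptBlockId "a1"; an admin's benign job
# listing is ScriptBlockId "b2".
SAMPLE_EVENTS = [
    {"Computer": "VEEAM01", "User": "CORP\\svc_backup", "ScriptBlockId": "a1",
     "MessageNumber": 1, "ScriptBlockText":
     "Add-Type -Path 'C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.Common.dll'\n"
     "$c = New-Object System.Data.SqlClient.SqlConnection('Server=localhost;Database=VeeamBackup;Integrated Security=True')\n"
     "$c.Open(); $cmd = $c.CreateCommand()\n"
     "$cmd.CommandText = 'SELECT [user_name],[password] FROM [VeeamBackup].[dbo].[Credentials]'\n"
     "$r = $cmd.ExecuteReader()\n"},
    {"Computer": "VEEAM01", "User": "CORP\\svc_backup", "ScriptBlockId": "a1",
     "MessageNumber": 2, "ScriptBlockText":
     "while ($r.Read()) {\n"
     "  $plain = [Veeam.Backup.Common.ProtectedStorage]::GetLocalString($r['password'])\n"
     "  Write-Output (\"{0}:{1}\" -f $r['user_name'], $plain)\n"
     "}\n"},
    {"Computer": "VEEAM01", "User": "CORP\\jsmith", "ScriptBlockId": "b2",
     "MessageNumber": 1, "ScriptBlockText":
     "Get-VBRJob | Where-Object { $_.IsScheduleEnabled } | Select-Object Name, LastResult\n"},
]


def reassemble(events):
    """Group 4104 events by ScriptBlockId, order chunks by MessageNumber and
    join their text, so a script split across events is matched whole."""
    by_id = defaultdict(list)
    for ev in events:
        by_id[ev["ScriptBlockId"]].append(ev)
    blocks = {}
    for sbid, parts in by_id.items():
        parts.sort(key=lambda e: e["MessageNumber"])
        blocks[sbid] = {
            "host": parts[0]["Computer"],
            "user": parts[0]["User"],
            "text": "".join(p["ScriptBlockText"] for p in parts),
        }
    return blocks


def classify(script_text):
    """Return the set of indicator names present in one script text."""
    return {name for name, rx in INDICATORS.items() if rx.search(script_text)}


def find_alerts(events, min_hits=len(INDICATORS)):
    """Alert on reassembled script blocks that hit at least min_hits
    indicators. The default demands all three, matching the rule's 'and'."""
    alerts = []
    for sbid, blk in reassemble(events).items():
        hits = classify(blk["text"])
        if len(hits) >= min_hits:
            alerts.append({"script_block_id": sbid, "host": blk["host"],
                           "user": blk["user"], "indicators": sorted(hits)})
    return alerts


if __name__ == "__main__":
    # Per-event matching never sees all three indicators in one chunk;
    # the reassembled block does.
    for ev in SAMPLE_EVENTS:
        print(ev["ScriptBlockId"], ev["MessageNumber"], sorted(classify(ev["ScriptBlockText"])))
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Running it shows that chunk 1 of script a1 hits only the SQL indicator and chunk 2 only the ProtectedStorage and GetLocalString indicators, while the reassembled block hits all three and produces the single alert; the benign job listing matches nothing. Lowering min_hits trades precision for recall, which is worth considering if the attacker splits the decryption into a separate script invocation with its own ScriptBlockId.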
Triage & Response
- Analyze the full PowerShell script content executed on {{host}} for malicious commands, reassembling all script block chunks that share the same ScriptBlockId so nothing is missed.
- Review the user account that executed the script and verify that it has legitimate access to Veeam servers.
- Examine any data exfiltration attempts from the Veeam backup infrastructure.
- Check for unauthorized access to backup server configurations and credentials.
- Reset the credentials stored in Veeam Backup and Replication (the accounts it uses to reach protected hosts and repositories), since those are what such a script extracts, along with the backup server's own compromised credentials.
- Restrict access to Veeam backup server configuration files.