Windows PowerShell Veeam backup servers credential dumping script execution

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects execution of PowerShell scripts attempting to extract credentials from Veeam Backup servers.

Strategy

This rule monitors PowerShell script block logging for scripts that interact with Veeam Backup’s protected storage. The detection identifies scripts accessing Veeam.Backup.Common.ProtectedStorage, using GetLocalString methods, and executing SQL commands, which are commonly used to extract stored credentials from Veeam Backup and Replication servers.
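The following is an added illustration of the detection logic described above, run over constructed script block log records; it is not Datadog's rule implementation, and the field names (`host`, `user`, `script_block`), the sample records and the SQL-command pattern are assumptions made for the example. It flags a script block only when all three indicators named in the strategy (the ProtectedStorage class, the GetLocalString method, and a SQL command) appear together.

```python
import re
from typing import Optional

# Indicator patterns mirroring the rule's strategy: access to Veeam's protected
# storage class, its GetLocalString method, and execution of SQL commands.
# The SQL pattern is an assumption for this example, not the rule's own definition.
INDICATORS = {
    "protected_storage": re.compile(r"Veeam\.Backup\.Common\.ProtectedStorage", re.IGNORECASE),
    "get_local_string": re.compile(r"\bGetLocalString\b", re.IGNORECASE),
    "sql_command": re.compile(r"\b(?:Invoke-Sqlcmd|SqlCommand|SELECT\s+.+\s+FROM)\b", re.IGNORECASE),
}

# Constructed sample script block logging records (not real telemetry).
# Field names are assumed for the example.
SAMPLE_EVENTS = [
    # Routine backup administration: no indicators, must not alert.
    {"host": "veeam-bkp-01", "user": "CORP\\svc_backup",
     "script_block": "Get-VBRJob | Select-Object Name, LastResult"},
    # All three indicators present in one block: should alert.
    {"host": "veeam-bkp-01", "user": "CORP\\jdoe",
     "script_block": "[Veeam.Backup.Common.ProtectedStorage]::GetLocalString($enc); "
                     "Invoke-Sqlcmd -ServerInstance . -Query 'SELECT * FROM ConstructedTable'"},
    # Partial match (two of three indicators): does not meet the conjunction.
    {"host": "veeam-bkp-02", "user": "CORP\\jdoe",
     "script_block": "[Veeam.Backup.Common.ProtectedStorage]::GetLocalString($s)"},
]


def match_indicators(script_block: str) -> list:
    """Return the names of indicators found in a script block, in definition order."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(script_block)]


def evaluate(event: dict) -> Optional[dict]:
    """Produce an alert record when every indicator is present in the block, else None."""
    hits = match_indicators(event.get("script_block", ""))
    if len(hits) == len(INDICATORS):
        return {"host": event["host"], "user": event["user"], "indicators": hits}
    return None


def run_detection(events: list) -> list:
    """Apply the rule to a batch of script block records and collect the alerts."""
    return [alert for alert in (evaluate(e) for e in events) if alert is not None]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(f"ALERT host={alert['host']} user={alert['user']} indicators={alert['indicators']}")
```

Two caveats a practitioner would keep in mind: script block logging splits long scripts across several records, so in production the indicators should be matched against blocks correlated by their script block identifier rather than against a single record, and the third sample shows that requiring all three indicators trades some sensitivity for a lower false-positive rate; loosening the conjunction to two indicators is a tuning decision, not a change to the technique.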

Triage & Response

  • Analyze the full PowerShell script content executed on {{host}} for malicious commands.
  • Review the user account that executed the script and verify if they have legitimate access to Veeam servers.
  • Examine any data exfiltration attempts from the Veeam backup infrastructure.
  • Check for unauthorized access to backup server configurations and credentials.
  • Reset compromised Veeam backup server credentials.
  • Restrict access to Veeam backup server configuration files.