Windows PowerShell Veeam backup servers credential dumping script execution

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects execution of PowerShell scripts attempting to extract credentials from Veeam Backup servers.

Strategy

This rule monitors PowerShell script block logging for scripts that interact with Veeam Backup’s protected storage. The detection identifies scripts accessing Veeam.Backup.Common.ProtectedStorage, using GetLocalString methods, and executing SQL commands, which are commonly used to extract stored credentials from Veeam Backup and Replication servers.

Triage & Response

  • Analyze the full PowerShell script content executed on {{host}} for malicious commands.
  • Review the user account that executed the script and verify if they have legitimate access to Veeam servers.
  • Examine any data exfiltration attempts from the Veeam backup infrastructure.
  • Check for unauthorized access to backup server configurations and credentials.
  • Reset compromised Veeam backup server credentials.
  • Restrict access to Veeam backup server configuration files.
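The following Python is an added example, not Datadog's rule implementation and not code from Veeam: it applies the three indicators named under Strategy (ProtectedStorage access, a GetLocalString call, and a SQL command) to constructed PowerShell script block log events, then produces the record a triage analyst needs for the first two steps above, the full reassembled script text together with the host and user that executed it. Script block logging (Event ID 4104) splits a long script into several chunks that share a ScriptBlockId, so the example also shows why matching must run on the reassembled script rather than on each chunk. The field names (host, user, script_block_id, message_number, message_total, script_block_text) are assumptions modelled on the 4104 event, and every sample event is constructed.

```python
"""Added example: detect the Veeam credential-dumping indicators over constructed
PowerShell script block (4104) events and build a triage record per script.
Field names are assumptions modelled on the 4104 event; events are constructed."""
import re
from collections import defaultdict

# Indicators from the rule description. All three must be present in one script.
INDICATORS = {
    "protected_storage": re.compile(r"Veeam\.Backup\.Common\.ProtectedStorage", re.I),
    "get_local_string": re.compile(r"\bGetLocalString\b", re.I),
    "sql_command": re.compile(r"\bSqlCommand\b|\bSELECT\b[^;]*\bFROM\b", re.I),
}

# Constructed 4104 events. One benign Veeam admin script, one suspicious script
# logged as two chunks (indicators split across them), and one SQL-only script.
SAMPLE_EVENTS = [
    {"host": "veeam-bkp-01", "user": "CORP\\backupadmin", "script_block_id": "a1",
     "message_number": 1, "message_total": 1,
     "script_block_text": "Get-VBRJob | Where-Object {$_.IsScheduleEnabled} | Select Name, LastResult"},
    {"host": "veeam-bkp-01", "user": "CORP\\svc-helpdesk", "script_block_id": "b2",
     "message_number": 1, "message_total": 2,
     "script_block_text": "$cmd = New-Object System.Data.SqlClient.SqlCommand("
                          "'SELECT * FROM [constructed_table]', $conn)\n"},
    {"host": "veeam-bkp-01", "user": "CORP\\svc-helpdesk", "script_block_id": "b2",
     "message_number": 2, "message_total": 2,
     "script_block_text": "foreach ($row in $rows) { "
                          "[Veeam.Backup.Common.ProtectedStorage]::GetLocalString($placeholder) }\n"},
    {"host": "sql-rpt-02", "user": "CORP\\reporting", "script_block_id": "c3",
     "message_number": 1, "message_total": 1,
     "script_block_text": "$cmd = New-Object System.Data.SqlClient.SqlCommand("
                          "'SELECT COUNT(*) FROM dbo.Jobs', $conn)"},
]


def reassemble(events):
    """Group 4104 chunks by script_block_id and join them in message order.
    Returns {script_block_id: {"host", "user", "complete", "text"}}."""
    chunks = defaultdict(list)
    for ev in events:
        chunks[ev["script_block_id"]].append(ev)
    scripts = {}
    for sbid, parts in chunks.items():
        parts.sort(key=lambda e: e["message_number"])
        first = parts[0]
        scripts[sbid] = {
            "host": first["host"],
            "user": first["user"],
            # False when some chunks were not collected; the analyst should pull them.
            "complete": len(parts) == first["message_total"],
            "text": "".join(p["script_block_text"] for p in parts),
        }
    return scripts


def matched_indicators(text):
    """Names of the indicators found in a script text, sorted for stable output."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def detect(events):
    """Triage records for every reassembled script carrying all three indicators."""
    alerts = []
    for sbid, s in reassemble(events).items():
        hits = matched_indicators(s["text"])
        if len(hits) == len(INDICATORS):
            alerts.append({"script_block_id": sbid, "host": s["host"], "user": s["user"],
                           "complete": s["complete"], "indicators": hits,
                           "script": s["text"]})
    return alerts


def detect_per_chunk(events):
    """Naive per-event matching, for comparison: it misses scripts whose
    indicators are spread over several 4104 chunks."""
    return [ev["script_block_id"] for ev in events
            if len(matched_indicators(ev["script_block_text"])) == len(INDICATORS)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT host={alert['host']} user={alert['user']} "
              f"script_block_id={alert['script_block_id']} complete={alert['complete']}")
        print("indicators:", ", ".join(alert["indicators"]))
        print("full script:\n" + alert["script"])
    print("per-chunk matches:", detect_per_chunk(SAMPLE_EVENTS))
```

Run as-is, it reports one alert for script block b2 on veeam-bkp-01 executed by CORP\svc-helpdesk, while the per-chunk pass reports nothing, because the SQL command sits in the first chunk and the ProtectedStorage and GetLocalString calls in the second. The `complete` flag tells the analyst whether every chunk of the script was collected before judging the content, and the SQL-only script on sql-rpt-02 stays below the threshold since the rule requires all three indicators together.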