Product
medium
advisory
Potential Veeam Credential Access via SQL Commands
2 rules 5 TTPsAttackers can leverage sqlcmd.exe or PowerShell commands like Invoke-Sqlcmd to access Veeam credentials stored in MSSQL databases, potentially targeting backups for destructive operations such as ransomware attacks.
Microsoft Defender XDR +1
veeam
credential-access
mssql
windows
ransomware
2r
5t
medium
advisory
Veeam Backup Library Loaded by Unusual Process
2 rules 3 TTPsDetects potential credential decryption operations by PowerShell or unsigned processes using the Veeam.Backup.Common.dll library, indicating potential credential access attempts to target backups as part of destructive operations.
Veeam Backup
credential-access
veeam
powershell
2r
3t
medium
advisory
Detecting Remote Windows Service Installation for Lateral Movement
2 rules 3 TTPsThis rule detects a network logon followed by Windows service creation with the same LogonId on a Windows host, which could indicate lateral movement or persistence by adversaries.
Windows +4
lateral-movement
persistence
2r
3t