{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/veeam-backup/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Veeam Backup"],"_cs_severities":["medium"],"_cs_tags":["veeam","credential-access","mssql","windows","ransomware"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Veeam"],"content_html":"\u003cp\u003eAttackers are increasingly targeting backup infrastructure to maximize the impact of ransomware and data exfiltration attacks. Veeam, a popular backup and disaster recovery solution, stores credentials for backup operations in MSSQL databases. An attacker who gains access to these databases may attempt to use tools like \u003ccode\u003esqlcmd.exe\u003c/code\u003e or PowerShell commands (e.g., \u003ccode\u003eInvoke-Sqlcmd\u003c/code\u003e) to extract and decrypt these credentials. This tactic allows the attacker to compromise the backups themselves, preventing recovery and increasing pressure on the victim. This activity has been observed in real-world incidents, such as those involving the Diavol ransomware. Defenders should monitor for suspicious command-line activity targeting Veeam credentials within MSSQL environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the target environment is gained through methods such as phishing or exploiting a vulnerability in a public-facing application.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance to identify the location of the Veeam MSSQL database server.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains valid credentials or exploits a vulnerability to gain access to the Veeam MSSQL database server.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003esqlcmd.exe\u003c/code\u003e or uses PowerShell commands (e.g., \u003ccode\u003eInvoke-Sqlcmd\u003c/code\u003e) to query the \u003ccode\u003e[VeeamBackup].[dbo].[Credentials]\u003c/code\u003e table.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the encrypted Veeam credentials from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker decrypts the Veeam credentials using custom scripts or tools, potentially leveraging the Veeam backup server itself.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised Veeam credentials to access and delete or encrypt backup data.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys ransomware on the remaining systems, knowing that recovery from backups is now impossible.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful compromise of Veeam credentials can have devastating consequences. Attackers can encrypt or delete backup data, making recovery impossible and significantly increasing the impact of ransomware attacks. This can lead to prolonged downtime, data loss, financial losses, and reputational damage. Organizations relying on Veeam for backup and recovery should prioritize monitoring and securing their Veeam infrastructure to prevent credential access and backup compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture command-line activity, specifically \u003ccode\u003esqlcmd.exe\u003c/code\u003e and PowerShell.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Veeam Credential Access Command\u0026rdquo; to detect suspicious command executions targeting Veeam credentials in MSSQL databases.\u003c/li\u003e\n\u003cli\u003eReview and restrict access controls to the Veeam MSSQL database, ensuring only authorized personnel and services have access.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual login activity and failed login attempts to the Veeam MSSQL database server.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all accounts with access to Veeam infrastructure.\u003c/li\u003e\n\u003cli\u003eRegularly audit Veeam backup configurations and logs to identify any unauthorized modifications or access attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"/briefs/2024-07-veeam-credential-access/","summary":"Attackers can leverage sqlcmd.exe or PowerShell commands like Invoke-Sqlcmd to access Veeam credentials stored in MSSQL databases, potentially targeting backups for destructive operations such as ransomware attacks.","title":"Potential Veeam Credential Access via SQL Commands","url":"https://feed.craftedsignal.io/briefs/2024-07-veeam-credential-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Veeam Backup"],"_cs_severities":["medium"],"_cs_tags":["credential-access","veeam","powershell"],"_cs_type":"advisory","_cs_vendors":["Veeam"],"content_html":"\u003cp\u003eThis detection identifies potential credential compromise attempts targeting Veeam Backup software. Attackers may attempt to load the Veeam.Backup.Common.dll library through unauthorized processes, such as PowerShell or unsigned executables, to decrypt and misuse stored credentials. These credentials can then be used to target backups, potentially leading to destructive operations like ransomware attacks. The rule focuses on flagging untrusted or unsigned processes loading the Veeam library, providing an indicator of possible malicious activity. The detection logic specifically looks for scenarios where PowerShell or other unusual processes load the Veeam backup library, which deviates from typical administrative or backup-related operations. This activity warrants further investigation to determine if it\u0026rsquo;s part of a credential access attempt.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell (powershell.exe, pwsh.exe, powershell_ise.exe) or another unsigned process to execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe malicious process attempts to load the Veeam.Backup.Common.dll library.\u003c/li\u003e\n\u003cli\u003eThe Veeam.Backup.Common.dll library is loaded into the process memory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the loaded library to decrypt stored Veeam credentials.\u003c/li\u003e\n\u003cli\u003eUsing the decrypted credentials, the attacker gains access to Veeam backups.\u003c/li\u003e\n\u003cli\u003eThe attacker may then encrypt, delete, or exfiltrate the backups, leading to data loss or ransomware attacks.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to other systems using the compromised credentials, further expanding the attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain access to sensitive Veeam backup data. This can lead to data exfiltration, data encryption, or complete data loss. The impact includes potential ransomware attacks, significant business disruption, and financial losses due to recovery efforts and downtime. The compromise of Veeam backups can severely impact an organization\u0026rsquo;s ability to recover from incidents, making it a critical target for attackers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Veeam Backup Library Loaded by Unusual Process\u0026rdquo; to your SIEM to detect suspicious DLL loads (rule.name).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process details and execution history to determine legitimacy (rule.description).\u003c/li\u003e\n\u003cli\u003eEnable process creation and library load logging to capture the necessary events for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eReview and enforce code signing policies to prevent unsigned processes from loading critical libraries like Veeam.Backup.Common.dll.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for Veeam accounts to mitigate the impact of credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-03T14:22:00Z","date_published":"2024-05-03T14:22:00Z","id":"/briefs/2024-05-veeam-credential-access/","summary":"Detects potential credential decryption operations by PowerShell or unsigned processes using the Veeam.Backup.Common.dll library, indicating potential credential access attempts to target backups as part of destructive operations.","title":"Veeam Backup Library Loaded by Unusual Process","url":"https://feed.craftedsignal.io/briefs/2024-05-veeam-credential-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Veeam Backup","PDQ Deploy","Pella Order Management","eset-remote-install-service"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Veeam","Admin Arsenal","Pella Corporation","ESET"],"content_html":"\u003cp\u003eThis detection rule identifies a potential lateral movement technique where an attacker establishes a network logon to a Windows system and subsequently installs a service using the same LogonId. This behavior is flagged as suspicious because it deviates from typical administrative practices and can indicate unauthorized access and persistence within the network. The rule is designed to filter out common legitimate services and administrative activities, focusing on anomalies that could signify malicious intent. This detection is crucial for defenders as it can uncover attackers attempting to move laterally and establish persistent access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a network via compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker performs network reconnaissance to identify target systems for lateral movement.\u003c/li\u003e\n\u003cli\u003eUsing valid credentials or pass-the-hash techniques, the attacker authenticates to a remote Windows host over the network (e.g., SMB).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to install a new service on the remote host, potentially using tools like \u003ccode\u003esc.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe service installation event is logged with a specific LogonId that matches the earlier network logon event, indicating a relationship between the two activities.\u003c/li\u003e\n\u003cli\u003eThe newly installed service is configured to execute a malicious payload or establish a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the service to execute commands or deploy further malicious tools on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence and lateral movement within the network, enabling further compromise and data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using this technique can lead to widespread compromise of systems within a network. Attackers can use the newly installed service to execute arbitrary code, install malware, or move laterally to other systems. This can result in data theft, system disruption, or ransomware deployment. The impact can be significant, potentially affecting numerous systems and causing substantial financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Windows Security Event Logs with necessary auditing policies, specifically Audit Logon and Audit Security System Extension, to capture relevant logon and service installation events.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious remote service installations based on matching LogonIds from network logons.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on unusual service file paths and user accounts.\u003c/li\u003e\n\u003cli\u003eReview the list of excluded service file paths in the Sigma rules and customize them based on your environment\u0026rsquo;s known legitimate services.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for suspicious SMB activity, particularly connections originating from unusual or untrusted sources.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to reduce the risk of credential theft and unauthorized network access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-remote-service-install/","summary":"This rule detects a network logon followed by Windows service creation with the same LogonId on a Windows host, which could indicate lateral movement or persistence by adversaries.","title":"Detecting Remote Windows Service Installation for Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-service-install/"}],"language":"en","title":"CraftedSignal Threat Feed — Veeam Backup","version":"https://jsonfeed.org/version/1.1"}