Veeam — CraftedSignal Threat Feed

Persistence via Windows Installer (Msiexec)

hello@craftedsignal.io — Thu, 05 Sep 2024 14:17:05 +0000

The Windows Installer (msiexec.exe) is a legitimate system tool used for installing, updating, and removing software on Windows systems. Adversaries can abuse msiexec.exe to establish persistence mechanisms by creating malicious scheduled tasks or modifying registry run keys. This allows them to execute arbitrary code during system startup or user logon. This technique is attractive to attackers due to msiexec.exe being a trusted Windows binary, potentially evading detection by security solutions that focus on flagging unknown or suspicious processes. The use of msiexec.exe for persistence can be difficult to detect without specific monitoring rules, as it is a common and legitimate system process. This activity can be observed across various Windows versions and is frequently integrated into automated attack frameworks and scripts.

Attack Chain

An attacker gains initial access to a compromised system, potentially through phishing, exploitation of a vulnerability, or stolen credentials.
The attacker leverages msiexec.exe to create a new scheduled task using the schtasks.exe command, setting it to execute a malicious script or binary.
Alternatively, the attacker uses msiexec.exe in conjunction with reg.exe or PowerShell to modify registry keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run, adding a pointer to their malicious executable.
The created scheduled task or registry entry points to a malicious payload, such as a reverse shell or a downloader.
The system is restarted, or the user logs on, triggering the execution of the newly created scheduled task or the malicious binary through the modified registry run key.
The malicious payload executes, establishing a persistent foothold for the attacker on the compromised system.
The attacker can now perform further actions, such as data exfiltration, lateral movement, or deployment of ransomware.

Impact

Successful exploitation allows the adversary to maintain persistent access to the compromised system. This can lead to data theft, system compromise, deployment of ransomware, or use of the system as a staging point for further attacks within the network. A single compromised system can be used to pivot and compromise additional systems, leading to a widespread security breach. The impact can include financial losses, reputational damage, and disruption of business operations.

Recommendation

Monitor process creation events for msiexec.exe spawning schtasks.exe or reg.exe to create scheduled tasks or modify registry run keys (reference: rules in this brief).
Implement and tune the Sigma rules provided in this brief to detect suspicious msiexec.exe activity related to persistence mechanisms.
Review and audit existing scheduled tasks and registry run keys for any suspicious entries or anomalies.
Enable file integrity monitoring (FIM) on critical system directories, including the Windows Task Scheduler directory and registry run key locations (reference: event.category == “file” and file.path … and event.category == “registry” and registry.path … in the rule query).
Implement application control policies to restrict the execution of unauthorized or unknown executables (reference: rule query).

Potential Veeam Credential Access via SQL Commands

hello@craftedsignal.io — Wed, 03 Jul 2024 12:00:00 +0000

Attackers are increasingly targeting backup infrastructure to maximize the impact of ransomware and data exfiltration attacks. Veeam, a popular backup and disaster recovery solution, stores credentials for backup operations in MSSQL databases. An attacker who gains access to these databases may attempt to use tools like sqlcmd.exe or PowerShell commands (e.g., Invoke-Sqlcmd) to extract and decrypt these credentials. This tactic allows the attacker to compromise the backups themselves, preventing recovery and increasing pressure on the victim. This activity has been observed in real-world incidents, such as those involving the Diavol ransomware. Defenders should monitor for suspicious command-line activity targeting Veeam credentials within MSSQL environments.

Attack Chain

Initial access to the target environment is gained through methods such as phishing or exploiting a vulnerability in a public-facing application.
The attacker performs reconnaissance to identify the location of the Veeam MSSQL database server.
The attacker obtains valid credentials or exploits a vulnerability to gain access to the Veeam MSSQL database server.
The attacker executes sqlcmd.exe or uses PowerShell commands (e.g., Invoke-Sqlcmd) to query the [VeeamBackup].[dbo].[Credentials] table.
The attacker retrieves the encrypted Veeam credentials from the database.
The attacker decrypts the Veeam credentials using custom scripts or tools, potentially leveraging the Veeam backup server itself.
The attacker uses the compromised Veeam credentials to access and delete or encrypt backup data.
The attacker deploys ransomware on the remaining systems, knowing that recovery from backups is now impossible.

Impact

Successful compromise of Veeam credentials can have devastating consequences. Attackers can encrypt or delete backup data, making recovery impossible and significantly increasing the impact of ransomware attacks. This can lead to prolonged downtime, data loss, financial losses, and reputational damage. Organizations relying on Veeam for backup and recovery should prioritize monitoring and securing their Veeam infrastructure to prevent credential access and backup compromise.

Recommendation

Enable Sysmon process creation logging to capture command-line activity, specifically sqlcmd.exe and PowerShell.
Deploy the Sigma rule “Potential Veeam Credential Access Command” to detect suspicious command executions targeting Veeam credentials in MSSQL databases.
Review and restrict access controls to the Veeam MSSQL database, ensuring only authorized personnel and services have access.
Monitor for unusual login activity and failed login attempts to the Veeam MSSQL database server.
Implement multi-factor authentication for all accounts with access to Veeam infrastructure.
Regularly audit Veeam backup configurations and logs to identify any unauthorized modifications or access attempts.

Veeam Backup Library Loaded by Unusual Process

hello@craftedsignal.io — Fri, 03 May 2024 14:22:00 +0000

This detection identifies potential credential compromise attempts targeting Veeam Backup software. Attackers may attempt to load the Veeam.Backup.Common.dll library through unauthorized processes, such as PowerShell or unsigned executables, to decrypt and misuse stored credentials. These credentials can then be used to target backups, potentially leading to destructive operations like ransomware attacks. The rule focuses on flagging untrusted or unsigned processes loading the Veeam library, providing an indicator of possible malicious activity. The detection logic specifically looks for scenarios where PowerShell or other unusual processes load the Veeam backup library, which deviates from typical administrative or backup-related operations. This activity warrants further investigation to determine if it’s part of a credential access attempt.

Attack Chain

An attacker gains initial access to a Windows system through unspecified means.
The attacker uses PowerShell (powershell.exe, pwsh.exe, powershell_ise.exe) or another unsigned process to execute malicious commands.
The malicious process attempts to load the Veeam.Backup.Common.dll library.
The Veeam.Backup.Common.dll library is loaded into the process memory.
The attacker leverages the loaded library to decrypt stored Veeam credentials.
Using the decrypted credentials, the attacker gains access to Veeam backups.
The attacker may then encrypt, delete, or exfiltrate the backups, leading to data loss or ransomware attacks.
The attacker pivots to other systems using the compromised credentials, further expanding the attack.

Impact

Successful exploitation allows attackers to gain access to sensitive Veeam backup data. This can lead to data exfiltration, data encryption, or complete data loss. The impact includes potential ransomware attacks, significant business disruption, and financial losses due to recovery efforts and downtime. The compromise of Veeam backups can severely impact an organization’s ability to recover from incidents, making it a critical target for attackers.

Recommendation

Deploy the Sigma rule “Veeam Backup Library Loaded by Unusual Process” to your SIEM to detect suspicious DLL loads (rule.name).
Investigate any alerts generated by the Sigma rule, focusing on the process details and execution history to determine legitimacy (rule.description).
Enable process creation and library load logging to capture the necessary events for the Sigma rule to function correctly.
Review and enforce code signing policies to prevent unsigned processes from loading critical libraries like Veeam.Backup.Common.dll.
Implement multi-factor authentication for Veeam accounts to mitigate the impact of credential compromise.

Third-party Backup Files Deleted via Unexpected Process

hello@craftedsignal.io — Wed, 03 Jan 2024 18:12:00 +0000

This rule identifies the deletion of backup files, specifically those created by Veeam and Veritas Backup Exec, through unexpected processes on Windows systems. The rule aims to detect potential attempts to inhibit system recovery by adversaries, particularly in the context of ransomware attacks. Attackers often target backup files to eliminate recovery options for victims. This detection focuses on identifying file deletion events where the process responsible for the deletion does not belong to the trusted backup software suite. The rule excludes known legitimate processes and directories like Trend Micro’s, Microsoft Exchange Mailbox Assistants, and the Recycle Bin to minimize false positives. The original Elastic detection rule was created in October 2021 and last updated May 4, 2026.

Attack Chain

Adversary gains initial access to the target Windows system.
The attacker performs reconnaissance to identify backup file locations.
The attacker uses a non-backup related process (e.g., cmd.exe, powershell.exe) to delete backup files.
The attacker targets Veeam backup files with extensions VBK, VIB, and VBM.
The attacker targets Veritas Backup Exec files with the BKF extension.
The deletion events are logged by the endpoint detection system.
The detection rule triggers, identifying the anomalous deletion activity based on file extension and process context.
Successful deletion of backups impairs the victim’s ability to recover from ransomware or other destructive attacks.

Impact

Successful deletion of backup files can severely impact an organization’s ability to recover from a ransomware attack or other data loss events. Without viable backups, the victim organization may be forced to pay a ransom or face significant data loss and business disruption. This tactic directly increases the attacker’s leverage and potential financial gain. The rule’s documentation cites a report from AdvIntel detailing backup removal solutions seen with Conti ransomware.

Recommendation

Deploy the Sigma rule Unexpected Veeam Backup File Deletion to your SIEM and tune for your environment to detect unexpected deletion of Veeam backup files.
Deploy the Sigma rule Unexpected Veritas Backup File Deletion to your SIEM and tune for your environment to detect unexpected deletion of Veritas Backup Exec files.
Investigate any alerts generated by these rules to determine the source of the deletion and assess potential impact.
Enable endpoint file event logging to capture file deletion events, which are crucial for the Sigma rules.
Review process execution chains (parent process tree) for unknown processes to identify the root cause of unexpected file deletions.

Detecting Remote Windows Service Installation for Lateral Movement

hello@craftedsignal.io — Wed, 03 Jan 2024 14:00:00 +0000

This detection rule identifies a potential lateral movement technique where an attacker establishes a network logon to a Windows system and subsequently installs a service using the same LogonId. This behavior is flagged as suspicious because it deviates from typical administrative practices and can indicate unauthorized access and persistence within the network. The rule is designed to filter out common legitimate services and administrative activities, focusing on anomalies that could signify malicious intent. This detection is crucial for defenders as it can uncover attackers attempting to move laterally and establish persistent access.

Attack Chain

An attacker gains initial access to a network via compromised credentials or exploiting a vulnerability.
The attacker performs network reconnaissance to identify target systems for lateral movement.
Using valid credentials or pass-the-hash techniques, the attacker authenticates to a remote Windows host over the network (e.g., SMB).
The attacker attempts to install a new service on the remote host, potentially using tools like sc.exe or PowerShell.
The service installation event is logged with a specific LogonId that matches the earlier network logon event, indicating a relationship between the two activities.
The newly installed service is configured to execute a malicious payload or establish a reverse shell.
The attacker uses the service to execute commands or deploy further malicious tools on the compromised host.
The attacker achieves persistence and lateral movement within the network, enabling further compromise and data exfiltration.

Impact

A successful attack using this technique can lead to widespread compromise of systems within a network. Attackers can use the newly installed service to execute arbitrary code, install malware, or move laterally to other systems. This can result in data theft, system disruption, or ransomware deployment. The impact can be significant, potentially affecting numerous systems and causing substantial financial and reputational damage.

Recommendation

Enable Windows Security Event Logs with necessary auditing policies, specifically Audit Logon and Audit Security System Extension, to capture relevant logon and service installation events.
Deploy the provided Sigma rules to your SIEM to detect suspicious remote service installations based on matching LogonIds from network logons.
Investigate any alerts generated by the Sigma rules, focusing on unusual service file paths and user accounts.
Review the list of excluded service file paths in the Sigma rules and customize them based on your environment’s known legitimate services.
Monitor network connections for suspicious SMB activity, particularly connections originating from unusual or untrusted sources.
Implement multi-factor authentication (MFA) to reduce the risk of credential theft and unauthorized network access.

Remote Execution of Windows Services via RPC

hello@craftedsignal.io — Tue, 02 Jan 2024 10:00:00 +0000

This detection rule identifies the remote execution of Windows services over Remote Procedure Call (RPC), a technique often employed for lateral movement within a network. The rule focuses on correlating network connections initiated by services.exe with subsequent child process creation events. While this activity can be a legitimate function of administrators using remote management tools, it also represents a potential attack vector. The rule aims to strike a balance between detecting malicious activity and minimizing false positives arising from routine administrative tasks. The detection logic is based on identifying network connections to services.exe followed by the creation of child processes that are not commonly associated with legitimate service management. The rule requires the use of Elastic Defend or Sysmon for adequate logging coverage.

Attack Chain

An attacker gains initial access to a system within the network.
The attacker attempts to move laterally to other systems.
The attacker establishes a connection to the target system’s services.exe process over RPC using a high port (>= 49152).
The attacker uses the established RPC connection to create or start a new service on the remote system.
The services.exe process on the remote system spawns a child process related to the newly created or started service.
This new process executes the attacker’s payload, potentially granting further access or executing malicious commands.
The attacker leverages the newly executed service for persistent access or further lateral movement.

Impact

A successful attack could result in unauthorized access to sensitive data, disruption of critical services, or the deployment of ransomware. Lateral movement allows attackers to compromise multiple systems within the network, escalating the impact of the initial breach. Due to the nature of the technique, it can be challenging to distinguish between legitimate administrative activity and malicious actions, leading to delayed detection and increased dwell time for attackers.

Recommendation

Deploy the provided Sigma rules to your SIEM and tune the filters for known-good executables in your environment to reduce false positives.
Enable Sysmon process-creation (Event ID 1) and network connection (Event ID 3) logging to ensure the required data for the Sigma rules is available.
Investigate any alerts triggered by these rules, focusing on the parent process and network connection details associated with the spawned child process.
Consider excluding known remote management tools from triggering the detection by adding exceptions based on process.executable or process.args in the Sigma rules.
Monitor the network for unusual RPC activity, especially connections to services.exe from unexpected source IPs.