[New Rules] Veeam Credential Access DRs (#3516)

* [New Rules] Veeam Credential Access DRs

* bump

* Update credential_access_veeam_commands.toml

* Update credential_access_veeam_backup_dll_imageload.toml

* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml

Co-authored-by: Samirbous <[email protected]>

* Update credential_access_veeam_commands.toml

* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml

Co-authored-by: Terrance DeJesus <[email protected]>

---------

Co-authored-by: Ruben Groenewoud <[email protected]>
Co-authored-by: Samirbous <[email protected]>
Co-authored-by: Terrance DeJesus <[email protected]>

(cherry picked from commit 779fa77)

Author: w0rk3r

rules/windows/credential_access_posh_veeam_sql.toml

@@ -0,0 +1,95 @@
+[metadata]
+creation_date = "2024/03/14"
+integration = ["windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies PowerShell scripts that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use
+Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.powershell*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "PowerShell Script with Veeam Credential Access Capabilities"
+references = [
+  "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html",
+  "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/"
+]
+risk_score = 47
+rule_id = "5c602cba-ae00-4488-845d-24de2b6d8055"
+setup = """## Setup
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Administrative Templates >
+Windows PowerShell >
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+"""
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.category:process and host.os.type:windows and
+  powershell.file.script_block_text : (
+    (
+      "[dbo].[Credentials]" and
+      ("Veeam" or "VeeamBackup")
+    ) or
+    "ProtectedStorage]::GetLocalString"
+  )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

rules/windows/credential_access_veeam_backup_dll_imageload.toml

@@ -0,0 +1,73 @@
+[metadata]
+creation_date = "2024/03/14"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies potential credential decrypt operations by PowerShell or unsigned processes using the Veeam.Backup.Common.dll
+library. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware
+attacks.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.library*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Veeam Backup Library Loaded by Unusual Process"
+risk_score = 47
+rule_id = "aaab30ec-b004-4191-95e1-4a14387ef6a6"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+library where host.os.type == "windows" and event.action == "load" and
+  (dll.name : "Veeam.Backup.Common.dll" or dll.pe.original_file_name : "Veeam.Backup.Common.dll") and
+  (
+    process.code_signature.trusted == false or
+    process.code_signature.exists == false or
+    process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
+  )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+

rules/windows/credential_access_veeam_commands.toml

@@ -0,0 +1,74 @@
+[metadata]
+creation_date = "2024/03/14"
+integration = ["windows", "endpoint", "system"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam
+Credentials to target backups as part of destructive operations such as Ransomware attacks.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Veeam Credential Access Command"
+references = [
+  "https://thedfirreport.com/2021/12/13/diavol-ransomware/"
+]
+risk_score = 47
+rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  (
+    (process.name : "sqlcmd.exe" or process.pe.original_file_name : "sqlcmd.exe") or
+    process.args : ("Invoke-Sqlcmd", "Invoke-SqlExecute", "Invoke-DbaQuery", "Invoke-SqlQuery")
+  ) and
+  process.args : "*[VeeamBackup].[dbo].[Credentials]*"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+