Techniques
Sample rules
Veeam Backup Servers Credential Dumping Script Execution
- source: sigma
- techniques:
Description
Detects execution of a PowerShell script that contains calls to the “Veeam.Backup” class, in order to dump stored credentials.
Detection logic
condition: selection
selection:
  ScriptBlockText|contains|all:
    - '[Credentials]'
    - '[Veeam.Backup.Common.ProtectedStorage]::GetLocalString'
    - Invoke-Sqlcmd
    - Veeam Backup and Replication