sigma-rules/rules/windows/credential_access_veeam_commands.toml
Jonhnathan a743b9c8c4 [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 6 (#4231)
* [Rule Tuning] 3rd Party EDR - Add Crowdstrike FDR support - 6

* Update credential_access_cmdline_dump_tool.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Revert "Update defense_evasion_powershell_windows_firewall_disabled.toml"

This reverts commit d2df2a848290425ebfe0bb5157332ad0611f726f.

* Update lateral_movement_via_wsus_update.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-11-05 15:00:43 -03:00


[metadata]
creation_date = "2024/03/14"
# Integrations whose data this rule consumes; each one has a corresponding
# index pattern listed under [rule].index.
integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/11/02"
# Lowest stack version this rule is published for; the reason is given in
# min_stack_comments.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
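[rule]
author = ["Elastic"]
description = """
Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam
Credentials to target backups as part of destructive operations such as Ransomware attacks.
"""
# Lookback window for each scheduled run (see timestamp_override below).
from = "now-9m"
# Index patterns covering every integration named in [metadata].integration,
# plus winlogbeat-* and endgame-*.
index = [
"winlogbeat-*",
"logs-endpoint.events.process-*",
"logs-windows.forwarded*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-system.security*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Veeam Credential Access Command"
references = ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"]
risk_score = 47
rule_id = "b661f86d-1c23-4ce7-a59e-2edbdba28247"
severity = "medium"
# "Tactic:" tags mirror the tactics declared under [[rule.threat]]
# (Credential Access and Execution); no Defense Evasion technique is mapped,
# so that tag is not listed here.
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Tactic: Execution",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: System",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Crowdstrike",
]
# Evaluate against ingest time rather than the event's own timestamp so that
# events arriving late (forwarded or buffered sources) still fall inside the
# lookback window.
timestamp_override = "event.ingested"
type = "eql"
# Windows process starts where either sqlcmd.exe runs (matched by process name
# or PE original file name; the leading "?" makes the PE field optional so
# sources that do not populate it still match) or the command line carries one
# of the listed PowerShell SQL cmdlets, and the arguments reference the Veeam
# credentials table. The ":" operator is a case-insensitive wildcard match.
query = '''
process where host.os.type == "windows" and event.type == "start" and
(
(process.name : "sqlcmd.exe" or ?process.pe.original_file_name : "sqlcmd.exe") or
process.args : ("Invoke-Sqlcmd", "Invoke-SqlExecute", "Invoke-DbaQuery", "Invoke-SqlQuery")
) and
process.args : "*[VeeamBackup].[dbo].[Credentials]*"
'''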
# ATT&CK mapping: Credential Access (TA0006) via OS Credential Dumping (T1003)
# and Credentials from Password Stores (T1555).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
# ATT&CK mapping: Execution (TA0002) via Command and Scripting Interpreter
# (T1059), sub-technique PowerShell (T1059.001), covering the Invoke-* cmdlet
# branch of the query.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"