kql | Elastic-2.0 | from elastic/detection-rules
PowerShell Script with Veeam Credential Access Capabilities
Quality: 92
Rule source: rules/windows/credential_access_posh_veeam_sql.toml
event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    (
      "[dbo].[Credentials]" and
      ("Veeam" or "VeeamBackup")
    ) or
    "ProtectedStorage]::GetLocalString"
  )