```yaml
title: Veeam Backup Credential Database Access
id: edr-win-cred-veeam-db-access
status: stable
description: >
  Detects attempts to query the Veeam Backup credential store via SQL tools
  (sqlcmd, psql) or PowerShell. Akira, Fog, and other RaaS operators target
  the VeeamBackup database to extract stored credentials for domain accounts,
  cloud services, and backup repositories. Both MSSQL (sqlcmd) and PostgreSQL
  (psql) variants are covered, as Veeam supports both backends.
references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
  - https://www.veeam.com/kb4424
author: ShroudCloud
date: 2026/04/14
modified: 2026/04/14
tags:
  - attack.credential_access
  - attack.t1555
  - attack.t1190
logsource:
  category: process_creation
  product: windows
detection:
  selection_mssql:
    Image|endswith:
      - '\sqlcmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cmd.exe'
    CommandLine|contains|all:
      - 'VeeamBackup'
      - 'Credentials'
  selection_postgres:
    Image|endswith: '\psql.exe'
    CommandLine|contains|all:
      - 'veeambackup'
      - 'credentials'
      - 'password'
  selection_dll:
    CommandLine|contains: 'Veeam.Backup.Common.dll'
  filter_telemetry:
    ParentCommandLine|contains: 'DoScheduledTelemetryRun'
  condition: (selection_mssql or selection_postgres or selection_dll) and not filter_telemetry
falsepositives:
  - Veeam scheduled telemetry (filtered)
  - Authorized Veeam administration scripts (rare — credential table queries are not normal admin activity)
level: high
```
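To see how the `detection` block above behaves, here is its logic evaluated in Python over a handful of constructed `process_creation` events. This is an added example, not part of the rule file or of the ShroudCloud ruleset. Sigma string modifiers (`contains`, `endswith`) are case-insensitive unless the `cased` modifier is applied, so the matcher lower-cases both sides; the field names follow the Sigma Windows `process_creation` log source, and every image path and command line in `SAMPLE_EVENTS` is constructed for illustration, not captured telemetry.

```python
"""Evaluate the Veeam credential-access Sigma rule against constructed events.

Added example: the selections mirror the rule's `detection` block one-to-one
so the condition can be stepped through. All sample events are constructed.
"""
from typing import Any, Iterable, List, Union

StrOrList = Union[str, Iterable[str]]


def _lc(value: Any) -> str:
    """Sigma matching is case-insensitive by default; normalise to lower case."""
    return str(value or "").lower()


def _as_list(values: StrOrList) -> List[str]:
    return [values] if isinstance(values, str) else list(values)


def _endswith_any(value: Any, suffixes: StrOrList) -> bool:
    v = _lc(value)
    return any(v.endswith(s.lower()) for s in _as_list(suffixes))


def _contains_all(value: Any, needles: StrOrList) -> bool:
    v = _lc(value)
    return all(n.lower() in v for n in _as_list(needles))


def _contains_any(value: Any, needles: StrOrList) -> bool:
    v = _lc(value)
    return any(n.lower() in v for n in _as_list(needles))


# --- selections, one per key in the rule's detection block -------------------
def selection_mssql(ev: dict) -> bool:
    return _endswith_any(
        ev.get("Image"),
        ["\\sqlcmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\cmd.exe"],
    ) and _contains_all(ev.get("CommandLine"), ["VeeamBackup", "Credentials"])


def selection_postgres(ev: dict) -> bool:
    return _endswith_any(ev.get("Image"), "\\psql.exe") and _contains_all(
        ev.get("CommandLine"), ["veeambackup", "credentials", "password"]
    )


def selection_dll(ev: dict) -> bool:
    return _contains_any(ev.get("CommandLine"), "Veeam.Backup.Common.dll")


def filter_telemetry(ev: dict) -> bool:
    return _contains_any(ev.get("ParentCommandLine"), "DoScheduledTelemetryRun")


def rule_matches(ev: dict) -> bool:
    """condition: (selection_mssql or selection_postgres or selection_dll) and not filter_telemetry"""
    hit = selection_mssql(ev) or selection_postgres(ev) or selection_dll(ev)
    return hit and not filter_telemetry(ev)


def matching_indices(events: List[dict]) -> List[int]:
    """Return the positions of events the rule would alert on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


# --- constructed sample events (not real telemetry) --------------------------
SAMPLE_EVENTS = [
    {   # 0: sqlcmd touching the Credentials table -> selection_mssql fires
        "Image": r"C:\Tools\Binn\SQLCMD.EXE",
        "CommandLine": 'SQLCMD.EXE -S . -d VeeamBackup -Q "SELECT COUNT(*) FROM Credentials"',
        "ParentCommandLine": r"C:\Windows\System32\cmd.exe",
    },
    {   # 1: psql names the table but lacks the 'password' token -> no match
        "Image": r"C:\Program Files\PostgreSQL\15\bin\psql.exe",
        "CommandLine": 'psql.exe -h localhost -d VeeamBackup -c "select count(*) from credentials"',
        "ParentCommandLine": r"C:\Windows\System32\cmd.exe",
    },
    {   # 2: same strings, but spawned by the Veeam telemetry task -> filtered
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -Command "Get-Content VeeamBackup.Credentials.log"',
        "ParentCommandLine": r"C:\Veeam\Veeam.Backup.Service.exe DoScheduledTelemetryRun",
    },
    {   # 3: command line references the DLL -> selection_dll fires
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -Command \"Add-Type -Path 'Veeam.Backup.Common.dll'\"",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    },
    {   # 4: ordinary query against another table in the same DB -> no match
        "Image": r"C:\Tools\Binn\SQLCMD.EXE",
        "CommandLine": 'SQLCMD.EXE -S . -d VeeamBackup -Q "SELECT COUNT(*) FROM Backups"',
        "ParentCommandLine": r"C:\Windows\System32\cmd.exe",
    },
    {   # 5: lower-case tokens via cmd.exe -> still fires (case-insensitive)
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'cmd.exe /c sqlcmd -d veeambackup -Q "select count(*) from credentials"',
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, "ALERT" if rule_matches(ev) else "-", ev["CommandLine"])
```

Events 1 and 5 are the ones worth noting when tuning. The PostgreSQL selection is stricter than the MSSQL one: it needs the `password` token as well as the database and table names, so a `psql` query against the credentials table that does not mention a password column goes undetected, whereas `sqlcmd` fires on the database and table names alone. Event 2 shows why `filter_telemetry` is needed: the strings alone match, and only the parent command line separates the scheduled telemetry run from an interactive query.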