From a1a8f6c44bc18f6359db6d199a7c3f1fe35a9145 Mon Sep 17 00:00:00 2001 From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com> Date: Wed, 6 Aug 2025 11:31:55 +0000 Subject: [PATCH] feat(threat-hunting): Veeam credential extraction --- source/threat-hunting/index.md | 1 + source/threat-hunting/veeam-credential-extraction.md | 12 ++++++++++++ 2 files changed, 13 insertions(+) create mode 100644 source/threat-hunting/veeam-credential-extraction.md diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md index 3578eac..603c28e 100644 --- a/source/threat-hunting/index.md +++ b/source/threat-hunting/index.md @@ -116,6 +116,7 @@ updated: 2025-08-03 - [Unusual printui.exe path](unusual-printui-exe-path) - [User Login with Local Credentials](user-login-with-local-credentials) - [VSCode tunnel](vscode-tunnel) +- [Veeam credential extraction](veeam-credential-extraction) - [Volt Typhoon IOC](volt-typhoon-ioc) - [Volume Shadow Copy](volume-shadow-copy) - [Volume Shadow Delete](volume-shadow-delete) diff --git a/source/threat-hunting/veeam-credential-extraction.md b/source/threat-hunting/veeam-credential-extraction.md new file mode 100644 index 0000000..c060322 --- /dev/null +++ b/source/threat-hunting/veeam-credential-extraction.md @@ -0,0 +1,12 @@ +--- +title: Veeam credential extraction +layout: page +date: 2025-08-06 +--- + +References: [1](https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/) +SPL: + +```spl +| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.process_name="psql.exe" Processes.process="*VeeamBackup*" Processes.process IN ("*password*", "*credentials*") BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s +```
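Review bot: In the `source/threat-hunting/index.md` hunk, the new `- [Veeam credential extraction](veeam-credential-extraction)` entry is inserted after `- [VSCode tunnel](vscode-tunnel)`; if the list is kept in case-insensitive alphabetical order (as `Unusual printui.exe path` before `User Login with Local Credentials` suggests), "Veeam" sorts before "VSCode" and the line should move one position up, between `- [User Login with Local Credentials](user-login-with-local-credentials)` and `- [VSCode tunnel](vscode-tunnel)`.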
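Review bot: The new `veeam-credential-extraction.md` page carries only a reference link and the SPL with no description of what the search is looking for, so a reader cannot tell from the page why `psql.exe` with `*VeeamBackup*` plus `*password*` or `*credentials*` on the command line is the signal, or which step of the referenced report it maps to; one or two sentences between `References:` and `SPL:` stating that the search flags psql.exe invocations against the Veeam backup database whose inline SQL references password or credential data would make the detection reviewable. Two points on the query itself worth documenting as known limitations: the `Processes.process IN ("*password*", "*credentials*")` match only fires when the SQL text is passed inline on the command line, so a psql.exe run that reads its statements from a file or stdin is not covered by this search; and `index="windows"` is hard-coded, which will need adjusting in environments where endpoint process telemetry lives in a different index. Minor: consider wrapping `Processes.process` with the usual `drop_dm_object_name("Processes")` rename after the tstats so the output fields are consistent with the other threat-hunting pages.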