Skip to main content

I’m really happy to share with the Veeam Community this Open Source Project Called Veeam Decoys. 

 


It is public knowledge that multiple threat actors use various tactics and techniques to identify services when they are already inside the internal networks of the organization they are attacking. In fact, the Mitre ATT&CK Enterprise matrix has two complete tactics, "Discovery" TA0007 and "Lateral Movement" TA0008, which list and explain multiple techniques and tools used by attackers. For example, the most sought-after services within the internal network are Remote Desktop Protocol and SSH. If we review Coveware's reports from this year, in the Q1-2024 report, we can observe that the "Lateral Movement" tactic ranks third among the most used tactics by threat actors according to the percentage of cases:
 

https://www.coveware.com/blog/2024/4/17/raas-devs-hurt-their-credibility-by-cheating-affiliates-in-q1-2024

If we review the same report, but for Q2-2024, we can see a significant rise in the "Lateral Movement" tactic, which moved to second place among the most used tactics by attackers:

https://www.coveware.com/blog/2024/7/29/ransomware-actors-pivot-away-from-major-brands-in-q2-2024

Furthermore, attackers will always try to block or destroy data or service recovery by encrypting all data, including backups. This is why it's always important to follow Veeam implementation best practices as well as apply the 3-2-1-1-0 rule, with a focus on data immutability.

After implementing best practices, we will review the following open-source project that aims to help detect connection attempts, scans, or more specifically, the "Discovery" and "Lateral Movement" tactics used by attackers in different networks or VLANs of the organization. This is to identify early on if attackers are searching for Veeam services with the aim of destroying backup data.

The Open-Source project is called Veeam Decoys and can be found at:

 

https://github.com/VeeamHub/veeam-decoy

 

Which has the following Veeam services configured as decoys:

  • Veeam Backup Server
  • Veeam Hardened Repository
  • Veeam Windows Repository
  • Veeam Backup Enterprise Manager
  • SSH
  • Remote Desktop (RDP)
  • Netbios

These services can be implemented in different networks or VLANs within the organization's internal networks. These decoys are not just open ports but have the unique feature of functioning as if they were productive Veeam services.

Which hardware does it require? Very little, in fact:

OVA:
Processor: 1 vCPU
RAM: 2 GB
Storage: 50 GB
Network: 1 GB / VMXNET 3
Hypervisor: vSphere 8.0 or higher.

Manual Installation:
Operating System: Minimal installation of Rocky Linux 9.4
Processor: 1 CPU
RAM: 2 GB
Storage: 50 GB
Network: 1 GB / 10 GB
Firewall: Disabled
SELinux: Disabled

The OVA Appliance can be downloaded from:

OVA Download: https://dl.24xsiempre.com/DecoyV1.ova

It's worth noting that the OVA supports vSphere 8.0 or higher. In case you have an earlier version of vSphere, it's possible to install manually.

For manual installation and OVA steps, you can find them at:

Documentation Download: https://dl.24xsiempre.com/Decoy_Manual_EN.pdf

Due to its low hardware resource requirements, it's possible to deploy multiple servers or Appliances in different networks with various services.

To perform functionality tests after deploying the OVA or manually installing the decoys on an already installed Rocky Linux 9.4, it's only necessary to run scans against the IP addresses of the configured server. One of the most used tools is Nmap, which can be installed on Microsoft Windows, Linux, and macOS. To download Nmap:

https://nmap.org/download

Choose the version according to the operating system being used and execute the following command:

nmap -p 1-65535 -T4 -A -v -Pn -sS 20.20.20.84

 

You can also use "Zenmap," which is the graphical interface for nmap on Windows:

 

 

What does the nmap command mean?

 

-p: The port range to scan, in this case we're scanning all TCP ports

-T4: To improve scan performance by assuming a fast network is being used

-A: Aggressive scan including OS detection, version detection, etc.

-v: Verbose

-Pn: No Ping

-sS: TCP SYN scan

And of course, the decoys detect the scan:

 

 

So now we know how to scan and that our decoys detect scans or connection attempts. However, in the previous example, it was just one machine with multiple decoys and ports, so it's not very credible for threat actors inside the internal network that this is a real Veeam server.

The recommendation is to always use multiple network interfaces on different VLANs or multiple virtual/physical Appliances, also with multiple network interfaces. This way, we can broadly cover the detection of "Lateral Movements" across the VLANs or networks you have, and not all ports will be associated with just one server. Additionally, to present the decoys as productive services, associate them with the internal DNS to the decoy. For example, if the IP address 20.20.20.84 is associated with the VBR decoy, the internal DNS should be vbr.yourdomain.com or veeam.yourdomain.com.

 

As always, if you want contribute or need to solve doubts, pelase create a issue in Github.

Wow great idea! Thanks for sharing 


Using the good name and prevalence of Veeam as bait! Great thinking.


Very cool!  Totally missed the vSphere 8.0 part :)  The manual installation wasn’t bad at all!


huge nice work @Marco.Escobar 


Nice work, wow. Thanks for sharing @Marco.Escobar.
Will check this out 👍


Just learned about this from watching the Community Recap episode.  @Marco.Escobar this is incredibly cool! 😎  Really clever, really useful!  Many thanks 🙏🏼 for doing this and shout out Tom Sightler as well! 👆


This is great. We have some other similar things running but I think I’ll be implementing this in a few spots.

 

Thanks


Hi @Marco.Escobar I just came across this in VeeamHub and this is awesome. I’m going to start playing around with it some, definitely want to look into how to extend this to VB365 and VSPC as well.


Hi @Marco.Escobar I just came across this in VeeamHub and this is awesome. I’m going to start playing around with it some, definitely want to look into how to extend this to VB365 and VSPC as well.

Hi! 🙂 Excellent idea, Thanks!


Is the link broken ?

https://github.com/VeeamHub/veeam-decoy => get the error 404 within github


@peejay84: You have to be logged in to GitHub. Then you will see it.

 

Happy weekend

Steve


@Steve - unfortunatly also after github login i am still see any ressorces - still get the error 404 within github

 


@peejay84: Don’t know, just checked and it works for me.


@SteveHeart : strange, checked this with 2 different github accounts, different os, different browsers… still not working

 


@peejay84 Let me check with Marco.


https://github.com/VeeamHub/veeam-decoy not working for me too!


@Marco.Escobar The Github repo seems to be offline. Has the link changed? 


I have the ova in my lab but wanted to play around with it :) 

I am trying to catch up with all the latest developments too, coverware, threat hunter. I will admit a bit overwhelming but fun.

 


On that note too bad we can’t get NFR for the AI in Veeam too :) 🤣


Hi All! now it’s Public again! ​@Geoff Burke ​@abray1010 ​@peejay84 ​@SteveHeart 


😀


Hi ​@Marco.Escobar,

@Dynamic and I were recently testing the appliance. We ran into the following issues:

  1. We cannot type anything using the VMware console for the VM - there is no input accepted
  2. We see multiple entries in the bootloader - is this expected?

 

We already tried to reboot the VM multiple times and re-deployed the OVA without success.

 

Any idea? As the testing goes on we will of course report future issues that may occur when we run in to them.

 

By the way: Very nice project! I have multiple customers who will rollout the solution in production soon.

 

Best

Lukas


Hi ​@Marco.Escobar,

@Dynamic and I were recently testing the appliance. We ran into the following issues:

  1. We cannot type anything using the VMware console for the VM - there is no input accepted
  2. We see multiple entries in the bootloader - is this expected?

 

We already tried to reboot the VM multiple times and re-deployed the OVA without success.

 

Any idea? As the testing goes on we will of course report future issues that may occur when we run in to them.

 

By the way: Very nice project! I have multiple customers who will rollout the solution in production soon.

 

Best

Lukas

Hi ​@lukas.k Thanks for testing this project!

Which version of vSphere are you using? Remember the OVA only support 8.03 or newer. If you have some issues or are using an earlier version of vSphere, I recommend you using the manual install, only install a minimal rocky linux and the execute one command the procedure is in github.

Multiple entries in bootloader, yes is expected because is using an updated kernel

if you have any doubt please ping me!

Thanks!


Thanks ​@Marco.Escobar for this project. Great job!
Also, thanks ​@lukas.k for testing this with me today.

Although it’s not possible to type in the console (from within vCenter and/or ESXi Webconsole - also from other browsers) it’s possible to login via Putty on Port 41325.

We just configured some services (VBR, RDP and Repository) - this seems to work as expected. We will spent more time asap.

Cheers, Markus


...
Which version of vSphere are you using? Remember the OVA only support 8.03 or newer. 

...

 

The environment in our case (on a customer site) is running on 8.0U2 (not yet on U3). The Manual and Descritption above mentioned, 8.0 must be running - nothing regards U3. But in general im with you, vSphere 8.0U3 should be deployed if possible (but currently not the case on this customer).


So yeah, maybe this is the issue while no Keyboard inputs are possible, as soon we are on the login interface - wihtin the Loader and in the UEFI we can use them. 
Best, Markus


Comment