YARA and Script Library

IntroductionThe Veeam Data Platform V13 is now available, and it brings many new features for working with the REST API. With these improvements, it is easier to automate tasks and integrate Veeam into your workflows. Sometimes, it is necessary to check backup data from NAS systems for viruses or similar threats. This helps ensure that the data is safe before being restored or used. Starting with Veeam Backup & Replication 13.0.1, we can trigger an Instant File Share Recovery using the REST API. And why not use a Python script to scan such backup data? There is a Python script for thatThe Python script initiates an Instant File Share Recovery. The backup data is made available to a Windows system, referred to as the mount server. On the Linux server, where the Python script is running, the shared folder gets mounted from the Windows mount server. After mounting, the script scans the data. It reads a configuration file named scan_engines.json, which lists all supported scanning engi

IntroductionMITRE ATT&CK v18, released in October 2025, introduces a major change in detection guidance. Two new objects, Detection Strategies and Analytics, replace the old single-sentence detection notes with structured, behavior-focused logic.In previous versions, detection tips were just short text inside each technique. Detection Strategies describe what behavior to look for, and Analytics show how to detect it on specific platforms. Each Analytic then guides you to relevant Log Sources and Data Components. What This Means for DefendersThis modular structure reflects how attacks develop not as individual warning messages, but as a chain of observable behaviors. Defenders can now track detection logic across different levels, systems, and data sources. The new detection model provides a clearer link between techniques, behaviors, and the necessary telemetry to identify them. Let’s look at the Detection Strategy DET0088 “Backup Software Discovery via CLI, Registry, and Process I

IntroductionBackups are the last line of defense when cyberattacks strike. Veeam users rely on the platform to restore data quickly and reliably in critical situations. However, availability alone is not enough, backups must be trustworthy. To address this challenge, I created a Python script that uses the Veeam Data Integration API and runs the THOR APT Scanner against the presented restore point(s).Who is Nextron, and what is THOR?Nextron Systems specializes in forensic threat detection. Their flagship product, THOR, is widely used by incident response and security teams to uncover attacker tools and traces that traditional solutions may miss. Unlike classic antivirus integrations, THOR is designed to detect webshells, obfuscated scripts, malicious configurations, and backdoors, the kinds of artefacts that advanced attackers often leave behind. In addition, THOR parses system artefacts such as Windows Registry hives or Event Logs with dedicated modules, applying forensic rules that g

Hi, Good evening.I am analyzing different Veeam Backup & Replication instances and I would like take all parameters for every backup job present on every VB&R instances that I am analyzing.I would like to know if is possible launch one powershell script  for retrieve these values for example: start time for every schedule job, servers involved, backup modality (full, incremental, reverse incremental, etc) aware setting if exist, etc.Thanks in advance.Best regardsRicardo

WARNING: Exciting content 🕺🏻This blog post has a little bit of everything: A little bit of compliance, a little bit of encryption, a little bit of REST API, and a little bit of V13, like in this song.IntroductionThe EU’s Digital Operational Resilience Act (DORA) requires financial entities to protect their data using robust cryptographic methods. Two key articles, Article 6 (Encryption and Cryptographic Controls) and Article 7 (Cryptographic Key Management), set out what must be done. If you use Veeam for backups, you can meet many of these requirements.DORA - Summary of Relevant Requirements (Articles 6 & 7)DORA requires financial organizations to encrypt backup data at rest and during transfer. Connections within the organization and with external partners must also be protected using encryption. In addition, there must be clear rules for managing cryptographic keys throughout their entire lifecycle, including creation, storage, renewal, backup, and secure destruction. If a key

Im trying to run a powershell script to turn off/on a service on the remote computer. I run Veeam VBR as a local service instead of an AD service account. Is this why my script is failing?Ive tried both of these and using SNMP as an example. Of course they both work interactively from the VBRserverGet-Service -computername RemoteComputer -DisplayName "SNMP Service"| Stop-Serviceinvoke-command -ComputerName RemoteComputer -ScriptBlock {Get-Service -Name "SNMP"| Stop-Service}  **********************Windows PowerShell transcript startStart time: 20250807125230Username: WCG\SYSTEMRunAs User: WCG\SYSTEMConfiguration Name: Machine: VBRserver (Microsoft Windows NT 10.0.17763.0)Host Application: powershell.exe -ExecutionPolicy ByPass -Command  try {& 'C:\VeeamScripts\freeze-tk.ps1'  -ErrorAction Stop } catch { exit 1 } Process ID: 24996PSVersion: 5.1.17763.7553PSEdition: DesktopPSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17763.7553BuildVersion: 10.0.17763.7553CLRVersion: 4.0.30319.4

Now that V12.1 is available, I wanted to share with you a featured YARA rule set that can give you on-demand scanning for some top ransomware threats. Attached to this post is a file named: Top10RW_YARArules.zip. In this file are YARA rules for some common ransomware threats that have been seen recently:Attribution: This great collection was made by Felix Bilsten. Links: X: Felix Bilstein (@fxb_b) / X (twitter.com), website: Felix Bilstein - project overview (cocacoding.com) and Github: fxb-cocacoding (Felix Bilstein) · GitHub

The project announced here became even bigger. However, the Veeam Data Integration API remains the "main actor", except that many new options have now been added, as "my ideas factory" and feedback on a similar script have been incorporated. Let’s look at what’s NEW.📑 SearchThe host2scan parameter scans a selected restore point of the specified host. The repo2scan parameter can display all hosts with supported restore points in the specified Backup Repository. Then select a host and start the scan. NEW Or with repo2scan and the option all to scan the latest restore point for all found and supported host types in the specified Backup Repository. NEW🔍 Scan & StoreThe scan parameter triggers the malware and LOLBAS detection scan. The store parameter collects the metadata for all relevant binary files (ideal for hash analysis). NEW The yaramode parameter triggers a YARA scan using the stored rule(s). NEW📊 Display NEWThe data is displayed in a wonderful Streamlit Dashboard. In the pi

One of the great things about AI is that it can be improved in the background, and Veeam Intelligence is no different. I have used AI (namely a GPT) to create a YARA rule, which I’ve found to be easier and servicing quicker than finding some shared online. It is no surprise that Veeam Intelligence is here to help in the same regard. I had a discussion with ​@kirststoner12 about this and sure enough - Veeam Intelligence was able to do this generative AI task within Veeam. I did a simple prompt:Can you generate a YARA rule to look in backups for credit card numbers stored in plain text?  The result was rather quick and created in Veeam intelligence with ease: This is just one quick example of how you can use Veeam Intelligence to have some AI-powered resources right inside of your Veeam Backup & Replication console. 

I hope you're all doing well.I'm reaching out to the community for some guidance. As a test, I recently used Veeam intelligence to scan our infrastructure.Based on the scan, Veeam intelligence created  the following rule:[rule CommonRansomware{    meta:        description = "Detects common ransomware families"        author = "Veeam Support Assistant"        date = "2023-10-01"    strings:        $locky = "Locky"        $wannacry = "WannaCry"        $petya = "Petya"        $notpetya = "NotPetya"        $cerber = "Cerber"        $cryptolocker = "CryptoLocker"        $cryptowall = "CryptoWall"        $badrabbit = "BadRabbit"        $ryuk = "Ryuk"        $maze = "Maze"        $revil = "REvil"        $darkside = "DarkSide"    condition:        any of them}the results scared me since it’s a bunch on files detected by this rule.  thanks in advance for reading 

These diagrams are a sample of what I am working on in PowerShell for the next version of the Veeam.Diagrammer module. I am mainly working on generating diagrams of the Cloud Connect infrastructure and the composition of resources used by the tenants. Cloud Connect Infrastructure:Cloud Connect Infrastructure  Per Tenant diagram:Tenant5 Tenant4These improvements will also be part of the next version of the AsBuiltReport.Veeam.VBR report.The upcoming versions are going to be amazing!!!!!

Hello,we have many times request from customer to prolong backup images from 6 months to 1 year.I know, some complicated things like restore VM and provide backup again with 1 year or export this image, map to backup job and setup copy job with one year.Does exist any command in PowerShell to change expiration date?thank you

Hello Community!Your input is needed. Almost two years ago, I created a PowerShell script that checks if one of the scanned files matches a SHA256 value by comparing the values to a list of known hash values. It only searched in specific directories.What would be better than using file-level restore? Right, Data Integration API!Since version 12.3.1, Veeam offers the possibility of working with the Data Integration API via the REST API. To improve the whole thing, I have created a Python script that scans the mounted backup file system for suspicious files by comparing their hash values against known threats stored in a local database. The database uses data from Malware Bazaar and the LOLBAS project (“Living Off The Land Binaries and Scripts”), a catalog with legitimate Windows system binaries that attackers often abuse. The script can detect such files when they appear in unusual locations. The analysis is performance-optimized through parallel processing and will export the result in

Hi All,Wasnt sure where to post this so adding it here.Had a requirement recently to automate the process of adding YARA rules and found that ransomware.live has a great list! fantastic resources for those that havent looked at it yet.leveraging their API, I basically pull the rules and then copy them to the VBR server, pretty simple but hopefully going to improve it as things move on but figured id share with the wider team.https://homelabpro.xyz/posts/2025-05-09-dynamically-download-yara-rules/

Hi,Where do you guys mostly download Yara rules for Veeam from?This GIT looks not maintained for years (files from 2022).  https://github.com/YARA-Rules/rules/archive/refs/heads/master.zipI also used those links but I had some troubles when scanning backup.https://github.com/Neo23x0/signature-base/archive/refs/heads/master.ziphttps://yaraify.abuse.ch/yarahub/yaraify-rules.zip

Backups store important data, and if they are not protected, anyone who gets access can read them. Encrypting backups ensures that if someone gains access to backup files, they remain unreadable without the proper encryption key.Checking if backup jobs are configured to encrypt the backup data can sometimes be difficult, especially if there are many backup jobs. To simplify this process, I created a PowerShell script that helps to check the backup job encryption configuration settings quickly. The script retrieves information for the following Veeam backup job types:VMware Backup Agent Backup File Backup Object Storage BackupPowerShell sample output for Jobtype “File Backup”The output displays details such as the repository name and path, the encryption status (Encryption enabled/Unencrypted), the encryption key type, and the last modification date of the used encryption key.Check out the GitHub Repository for the complete documentation and the code.What’s next?I am creating a similar

Hello everyone. Last time we explored how to identify basic file Indicators of Compromise (IoCs), develop YARA rules to detect malicious actors, and incorporate these rules into Veeam Backup & Replication to identify potential malware in our backups.Taking it a step further, today we will explore how to automatically generate YARA rules using YarGen. YarGenYarGen is a tool that generates YARA rules from a specified malware file. It identifies unique strings within the malware and excludes those prevalent in non-malicious files. This is achieved using YarGen's comprehensive database of strings and opcodes typically found in non-malicious files. Essentially, it creates YARA rules from strings in malware files while discarding those also present in goodware files.There are many variable and options that can be set in YarGen, today we are going to look at how it can create a YARA rule based off of a potential malware file. Back to basics - IoCSA user has noticed a folder called “freest

Hello together,before you update VEEAM to Version 12 using VMware vCenter/ESXi please check VMs HardDisks for duplicate UUID. In Version 11 this was never a problem. In the new Version VEEAM checks the UUID and backup will fail.VMware has no problem with that most time. But they know the Problem - https://kb.vmware.com/s/article/2006865This command will find any HardDisk with duplicate UUID - please note that this is VMware PowerCLI commandGet-VM | Get-HardDisk | Select @{N='VM';E={$_.Parent.Name}}, @{N='Uuid';E={$_.ExtensionData.Backing.Uuid}} | Group-Object -Property Uuid | ?{ $_.Count -gt 1 }As Service Provider such changes in VEEAM are a total disaster!!

Veeam Backup & Replication 12.3 – A big release with many new functions. Let me show you some of the exciting new possibilities with REST API. And yes, I have also created some scripts 😉Scanning Backups & Veeam Threat HunterVeeam Backup & Replication offers various methods of scanning backups for malware. The Secure Restore feature allows for malware scanning during recovery, preventing the reintroduction of infected files. The Scan Backup functionality will enable you to check backups for malware on-demand. SureBackup provides the possibility to execute this task on a regular or even continuous basis.With the introduction of the Veeam Threat Hunter in Veeam Backup & Replication 12.3, the scanning capabilities become even more powerful. Read the Veeam Backup & Replication v12.3 - What’s new document (page 7) describing the Veeam Threat Hunter capabilities.❗Don’t forget to select the Veeam Threat Hunter in the Malware Detection Settings.Scan Backups using REST APIWi

Starting with Veeam Backup & Replication 12.3, it is possible to exclude specific events from being sent to the Syslog server. This can be done manually per event, or you can import an XML file with the events to be filtered.Handling this task and finding the necessary information can be time-consuming. Executing this task manually is “boring” and error-prone, so I created a simple PowerShell script to make the process easier by generating an XML file based on your chosen filters. Whether filtering by event IDs, categories, or specific filter types like Info, Warning, or Error, this script makes this task more fun.🕺🏿💃🏽For more details and examples of usage, check out the README in my GitHub repository.Happy filtering - It’s the most wonderful time of the year to write scripts 😉🎶Steve💚  

Hello Community!It's been two years since I published a script for a OneDrive for Business file check in this community. And even back then I had the code ready that also checks recovered files for possible malware. Of course, Microsoft 365 also has certain mechanisms, which are documented here.Trust is good, control is betterI have now taken up my idea again and packed it into a new script. The script restores files from the lastest OneDrive for Business restore point and scans them for threats using Windows Defender. A single file can also be restored and scanned.There is a "beautiful" listing when the scan has detected something.Please read the README document on my GitHub for more details on how to use the script.⛔Important!⛔ Make sure that there is sufficient disk space in the directory where the files are to be restored. Also use an empty directory to save the data, as the script cleans everything up after execution.Question to the communityWhat do you think of a script that rest

Hi everyone, I'm using Veeam for quite a while now but recently we added some NetApp ONTAP devices to the storage infrastructure. And for each also a NAS Filer object under unstructured data. I can select a NAS Filer and create a file backup job easily. But I want to automate this if possible.I can use Get-NetAppHost to get the ONTAP device and then use Get-VBRUnstructuredServer combined with Get-VBRNASServerPath but I can't link it all together… Also, when I look at an already configured job I cannot reverse engineer this to usable PS code.Can someone point me in the right direction to create a file backup job of a share on a NAS filer with PowerShell?

Inherency:Since we bill by actual disk usage for our client utilizing CloudConnect, the existing reports are non-functional for reporting and billing (They report pre-deduplication/reflink data).  It took a while to figure out, but there is a way to calculate actual disk space used on a per directory on an immutable repository.Solution:Using: https://community.veeam.com/blogs-and-podcasts-57/check-reflink-and-spared-space-on-xfs-repositories-244 I have extrapolated a script that will give the disk usage of each folder (IE: client) on an immutable repo.  This isn't "Data used"; that is what Veeam reports.  This is "Disk Used".  The actual size on disk after reflinks (duplicated data is only counted once). A note about this script; it appears that the original blog entry is wrong on the size of a block.  They attribute it to 4096... which is true... on disk... but the utility used explicitly gives the information in block sizes of 512:https://linux.die.net/man/8/xfs_bmap"units of 512-byt