# Full Report
The BackupExec agent is a service commonly found during internal penetration tests. The agent software stores encrypted “logon account” passwords in its backend MS SQL database (the `LoginAccounts` table). These accounts include the “system logon account” used to run the agent services and an optional number of Active Directory accounts used to access resources over the network. The following scenarios can result in access to the encrypted passwords:
# Analysis Summary
# Tool/Technique: BackupExec Password Decryption (Leveraging MS SQL Database/Backups)
## Overview
This methodology describes how an attacker can retrieve cleartext Active Directory account passwords stored encrypted within a Symantec BackupExec MS SQL database (`BEDB`). Access to the database or its daily backup files (`bedb.bak`) allows an attacker to exfiltrate credentials used by the BackupExec agent for service operation and network resource access.
## Technical Details
- Type: Technique (Information Disclosure/Credential Access via Database Compromise)
- Platform: Windows (where BackupExec Agent and MS SQL Database reside)
- Capabilities: Extraction and decryption of stored logon account passwords from the BackupExec database backend.
- First Seen: The technique described was published in March 2010 and is often encountered during internal penetration tests.
## MITRE ATT&CK Mapping
- TA0005 - Credential Access
- T1003 - OS Credential Dumping
- T1003.002 - SAM/SYSTEM Files (Related concept of accessing protected local storage, though here it's a database)
- T1530 - Data from Local System
- Direct access to the BEDB database or the `bedb.bak` file enables data exfiltration.
## Functionality
### Core Capabilities
- **Database Access:** Compromising the MS SQL server hosting the `BEDB` database (default name) enables direct querying of the `LoginAccounts` table where encrypted passwords reside.
- **Backup File Access:** Accessing the BackupExec installation directory allows retrieval of the daily database backup file (`data/bedb.bak`), which can then be restored on an attacker-controlled system for offline analysis.
### Advanced Features
- **Proprietary Decryption:** The encryption mechanism stores 512-byte ciphertexts in the database. Decryption relies on proprietary logic found within the `bemsdk.dll` file, which is extracted from the BackupExec installation and used alongside custom C code to reverse the encryption.
## Indicators of Compromise
- File Hashes: N/A (This is a technique utilizing existing software components)
- File Names: `BEDB` (MS SQL Database Name), `LoginAccounts` (Table name), `data/bedb.bak` (Daily backup file name), `bemsdk.dll` (Decryption library).
- Registry Keys: N/A
- Network Indicators: N/A (The focus is on accessing local database/files, not C2 communication post-exploitation)
- Behavioral Indicators: Large SQL dumps or transfer of `.bak` files from the BackupExec server host.
## Associated Threat Actors
- Primarily associated with **Internal Penetration Testers** and red teams exploiting weak security configurations in internal environments where BackupExec agents are deployed. Publicly documented use by named sophisticated threat groups is not indicated in the context provided.
## Detection Methods
- Signature-based detection: Difficult, as it relies on legitimate binaries (`bemsdk.dll`) and custom tooling.
- Behavioral detection: Monitoring for unusual access patterns or large file transfers of `.bak` files associated with the BackupExec installation directory. Monitoring SQL server activity for unusual queries on the `BEDB` database.
- YARA rules: Custom YARA rules could be created to detect the specific 512-byte proprietary ciphertext structure if found outside expected file types, though this is advanced.
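As an added illustration of the behavioural detections listed above (this is example code, not part of the original report or the BackupExec product), a small Python triage routine that flags `BEDB` activity occurring outside the BackupExec service context. The audit-record fields, account names, process names and paths are constructed assumptions and would be mapped onto whatever SQL Server audit and file-access telemetry an environment actually collects.

```python
import re

# Constructed SQL Server audit records; the field names are assumptions for this example.
SQL_AUDIT = [
    {"principal": "CORP\\svc_backupexec", "database": "BEDB", "client": "BKP01",
     "statement": "SELECT AccountName FROM LoginAccounts WHERE AccountId = 3"},
    {"principal": "CORP\\jdoe", "database": "BEDB", "client": "WS042",
     "statement": "select * from loginaccounts"},
    {"principal": "CORP\\jdoe", "database": "BEDB", "client": "WS042",
     "statement": "SELECT COUNT(*) FROM Jobs"},
    {"principal": "sa", "database": "BEDB", "client": "WS042",
     "statement": "BACKUP DATABASE BEDB TO DISK = 'C:\\tmp\\x.bak'"},
]

# Constructed file-access events (e.g. from object-access auditing); shape assumed.
FILE_EVENTS = [
    {"process": "beserver.exe", "op": "write",
     "path": "C:\\Program Files\\Symantec\\Backup Exec\\Data\\bedb.bak"},
    {"process": "powershell.exe", "op": "read",
     "path": "C:\\Program Files\\Symantec\\Backup Exec\\Data\\bedb.bak"},
]

# Assumed allow-lists: the BackupExec service account and its server processes.
ALLOWED_SQL_PRINCIPALS = {"CORP\\svc_backupexec"}
ALLOWED_BAK_PROCESSES = {"beserver.exe", "bengine.exe"}

LOGINACCOUNTS_RE = re.compile(r"\bLoginAccounts\b", re.IGNORECASE)
ADHOC_BACKUP_RE = re.compile(r"^\s*BACKUP\s+DATABASE\b", re.IGNORECASE)


def flag_sql(records, allowed=ALLOWED_SQL_PRINCIPALS):
    """Return (reason, principal, client) for BEDB statements that touch the
    LoginAccounts table or take an ad-hoc backup, from any non-service principal."""
    alerts = []
    for r in records:
        if r["database"].upper() != "BEDB" or r["principal"] in allowed:
            continue
        if LOGINACCOUNTS_RE.search(r["statement"]):
            alerts.append(("loginaccounts_query", r["principal"], r["client"]))
        elif ADHOC_BACKUP_RE.match(r["statement"]):
            alerts.append(("adhoc_bedb_backup", r["principal"], r["client"]))
    return alerts


def flag_bak_access(events, allowed=ALLOWED_BAK_PROCESSES):
    """Return (process, op) for bedb.bak accesses by processes outside the allow-list."""
    return [(e["process"], e["op"]) for e in events
            if e["path"].lower().endswith("\\bedb.bak")
            and e["process"].lower() not in allowed]
```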
## Mitigation Strategies
- **Database Security:** Implement strong access controls and network restrictions for the MS SQL instance hosting the `BEDB`. Apply the principle of least privilege to the service account that accesses the database.
- **File System Restriction:** Restrict access to the BackupExec installation directory, particularly the directory containing the `.bak` files used for local backups.
- **Credential Management:** Ensure that standard domain accounts stored in BackupExec for network access are not highly privileged or are regularly rotated.
## Related Tools/Techniques
- Credential Harvesting from configuration files or databases.
- Abuse of legitimate administration tools to extract sensitive data (Living off the Land).