If you are able to connect to the Veeam console and you have the right to create new connections to the hypervisor. You can have Veeam connect to a fake vSphere host.

1. First, run on your attacking machine

1. Then, create a new connection to the vSphere server in the Veeam console in the Inventory section;

2. Enter the address of the machine with the running script specifying the connection port 8443;

3. Select the required account and complete the wizard.

4. Finlay, get password in script output.

From SQL management studio (of any SQL management interface access method) run the following again the veeam managemnt database:

This will dumpt the password hashes. Copy them and then run a PowerShell interface

1. copy VeeamGetCreds.yaml to empire/server/modules/powershell/credentials/ folder

2. Run Empire server and client

3. Use as usual Empire module by name /powershell/credentials/VeeamGetCreds

From the Veeam console, to restore individual files, you need to select the required VM from the list of tasks from the section Backups > Disk > ${JOB_NAME} and select the recovery mode for individual files from the menu.

After completing the wizard, a file selection window will open. To restore and decrypt the Active Directory database, you can extract several files:

• ntds.dit — encrypted ;

• SYSTEM — registry branch containing the encryption key;

• SECURITY — registry branch containing cached passwords;

• SAM — The , which contains password hashes of local users.