Restore Securely! - Powershell + YARA Rules: Enhanced filepath Output w/ hostname for VBR/VDPA
Onion Link & Ransomware Detection

YARA rules for detecting .onion links, ransomware payment portals, and C2 configurations in Veeam backup environments.
New: Native PowerShell scanner with detailed onion link extraction and file path reporting for Veeam Secure Restore and SureBackup workflows.
- What's New
- Rules Included
- PowerShell Integration
- Usage
- Rule Details
- Compatibility
- Deployment Guide
- Output Examples
- Feedback & Recommendations
- Testing Recommendations
- Troubleshooting
- Disclaimer
The native Windows scanner provides:
- Automatic VM volume discovery - Detects mounted VMs from Secure Restore or SureBackup
- Onion link extraction - Extracts actual .onion URLs from matched files (not just detection)
- Windows path mapping - Converts mount points (E:) to original VM paths (C:)
- Detailed JSON reports - Machine-readable output for SIEM/automation
- Veeam job integration - Exit codes that block unsafe restores automatically
- Quick scan mode - Target high-risk locations (ransomware hot spots)
- comprehensive_onion_detection - Detects Tor .onion links with ransomware context (ransom notes, payment instructions)
- onion_links_simple - Broad detection of any Tor .onion links
- ransomware_payment_portal - Identifies payment portals using .onion addresses with urgency indicators
- tor_c2_configuration - Detects C2 configuration patterns referencing Tor hidden services
```
┌─────────────────────────────────────────────────────────────────┐
│ Veeam Backup & Replication Console                              │
│ ├─ Secure Restore Job (Pre-Restore Script)                      │
│ └─ SureBackup Job (Application Group Verification)              │
└─────────────────────────────────────────────────────────────────┘
                                │
                                ▼
┌─────────────────────────────────────────────────────────────────┐
│ Mount Server / SureBackup Proxy (Windows)                       │
│ ├─ C:\Program Files\YARA\yara64.exe (v4.4+)                     │
│ ├─ C:\ProgramData\YARA\Rules\yara-malware-detection.yara        │
│ └─ Veeam-YARA-SecureRestore.ps1                                 │
└─────────────────────────────────────────────────────────────────┘
                                │
                                ▼
┌─────────────────────────────────────────────────────────────────┐
│ Mounted VM Volumes (Auto-Detected)                              │
│ ├─ E:\ → Instant Recovery VM #1                                 │
│ ├─ F:\ → SureBackup Verified VM #2                              │
│ └─ G:\ → Secure Restore Staged VM                               │
└─────────────────────────────────────────────────────────────────┘
                                │
                                ▼
┌─────────────────────────────────────────────────────────────────┐
│ Output Locations                                                │
│ ├─ Console: Job logs in VBR UI                                  │
│ ├─ Log File: C:\ProgramData\Veeam\Logs\YARA-SecureRestore\      │
│ │            scan_[JobID]_[Timestamp].log                       │
│ └─ JSON Report: C:\ProgramData\Veeam\Logs\YARA-SecureRestore\   │
│                 results_[JobID]_[Timestamp].json                │
└─────────────────────────────────────────────────────────────────┘
```
- VM Mount Detection - Script discovers all mounted Windows volumes (Secure Restore/SureBackup)
- YARA Scan Execution - Runs YARA with the -s flag to extract matched strings (onion links)
- Path Translation - Maps mounted drive letters (E:) to original VM paths (C:)
- Result Aggregation - Groups findings by file with all matched onion links
- Exit Code Control - Returns code to Veeam:
  - 0 = Clean (restore allowed)
  - 1 = Infected (blocks restore)
  - 2 = Script error (manual review)
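The workflow above, as an added PowerShell example (it is not the project's Veeam-YARA-SecureRestore.ps1, whose source is not reproduced on this page): it parses the text that `yara64.exe -s` prints, pulls v2/v3 .onion addresses out of the matched strings, translates the mounted drive letter to the original VM drive (assumed to be C:), groups results per file the way the JSON report does, and derives the Veeam exit code. The YARA output, the function names and the OriginalDrive parameter are constructed for this example.

```powershell
# Constructed `yara64.exe -r -s` output for two files on a VM mounted as E:\ (sample data,
# not a real scan); single-quoted here-string so the $identifiers are not expanded.
$sampleYaraOutput = @'
comprehensive_onion_detection E:\Users\Administrator\Documents\README_DECRYPT.txt
0x12:$v2_onion: examplev2onion22.onion/recover
0x3a:$http_onion: http://examplev2onion22.onion
0x0:$ransom2: encrypted
onion_links_simple E:\Users\Administrator\Documents\README_DECRYPT.txt
0x12:$onion2: examplev2onion22.onion
tor_c2_configuration E:\ProgramData\agent.json
0x8:$onion: abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion
'@
# v2 (16 char) or v3 (56 char) address, optional http(s):// or tor:// scheme, optional path
$OnionPattern = '(?:(?:https?|tor)://)?\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion[/\w.\-?=&]*'
function ConvertFrom-YaraOutput {
    param([string[]]$Lines, [string]$OriginalDrive = 'C')   # original VM drive is an assumption
    $byFile = [ordered]@{}                                  # keyed by mounted path
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^0x[0-9a-f]+:\$\w+: (.*)$') {     # "0xOFFSET:$id: data" line from -s
            if ($null -eq $current) { continue }
            foreach ($m in [regex]::Matches($Matches[1], $OnionPattern, 'IgnoreCase')) {
                [void]$current.OnionLinks.Add($m.Value)     # HashSet de-duplicates links
            }
        } elseif ($line -match '^(\S+) (.+)$') {            # "rule_name path" line
            $rule, $path = $Matches[1], $Matches[2]
            if (-not $byFile.Contains($path)) {
                $byFile[$path] = [pscustomobject]@{
                    MountedPath  = $path
                    WindowsPath  = $path -replace '^[A-Za-z]:', "${OriginalDrive}:"
                    MatchedRules = [System.Collections.Generic.List[string]]::new()
                    OnionLinks   = [System.Collections.Generic.HashSet[string]]::new()
                }
            }
            $current = $byFile[$path]
            $current.MatchedRules.Add($rule)
        }
    }
    foreach ($f in $byFile.Values) {                        # one record per file, as in the JSON report
        [pscustomobject]@{
            WindowsPath  = $f.WindowsPath
            MountedPath  = $f.MountedPath
            MatchedRules = $f.MatchedRules -join ', '
            OnionLinks   = $f.OnionLinks -join ' | '
            RuleCount    = $f.MatchedRules.Count
        }
    }
}
function Get-ScanExitCode {   # 0 = clean, 1 = infected (blocks restore), 2 = script error
    param([object[]]$Findings, [switch]$ScannerFailed)
    if ($ScannerFailed) { 2 } elseif ($Findings.Count -gt 0) { 1 } else { 0 }
}
$found = ConvertFrom-YaraOutput -Lines ($sampleYaraOutput -split "`r?`n")
$found | Format-Table WindowsPath, RuleCount, OnionLinks -AutoSize
"Exit code for Veeam: $(Get-ScanExitCode -Findings $found)"   # a real pre-restore script ends with: exit <code>
```

With the constructed input the README_DECRYPT.txt record carries both rule names (RuleCount 2) and three distinct onion link strings, while the agent.json record carries the single v3 address; any finding at all yields exit code 1, which is what makes Veeam fail the restore.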
On Veeam Mount Server or SureBackup Proxy (Windows):

- Install YARA for Windows (v4.4+)

```powershell
# Download from https://github.com/VirusTotal/yara/releases
# Extract to C:\Program Files\YARA\
# Verify installation
& "C:\Program Files\YARA\yara64.exe" --version
```

- Create YARA rules directory

```powershell
New-Item -ItemType Directory -Path "C:\ProgramData\YARA\Rules" -Force
# Invoke-WebRequest -OutFile fails if the target folder is missing, so create the script folder too
New-Item -ItemType Directory -Path "C:\Scripts" -Force
```

- Download YARA rule file

```powershell
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/lostSail0r/Veeam-Yara-Detection-Onion-/main/yara-malware-detection.yara" `
    -OutFile "C:\ProgramData\YARA\Rules\yara-malware-detection.yara"
```

- Download PowerShell scanner

```powershell
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/lostSail0r/Veeam-Yara-Detection-Onion-/main/Veeam-YARA-SecureRestore.ps1" `
    -OutFile "C:\Scripts\Veeam-YARA-SecureRestore.ps1"
```

Use Case: Scan VMs before production restore to prevent reinfection
Configuration:
- Open Veeam Backup & Replication Console
- Navigate to: Backup Infrastructure → Backup Repositories → [Your Repository] → Properties
- Go to Secure Restore tab → Advanced → Script
- Configure script:
  - Script Path: C:\Scripts\Veeam-YARA-SecureRestore.ps1
  - Parameters: -QuickScan (optional for faster scans)
- Set Failure Action: Fail the job (critical for blocking infected restores)
Behavior:
- Script runs automatically during Instant Recovery or Full Restore
- Scans mounted VM volumes before they go live
- Blocks restore if onion links detected (exit code 1)
- Logs visible in restore job details
Use Case: Automated backup validation with malware scanning
Configuration:
- Open Veeam Backup & Replication Console
- Navigate to: Jobs → SureBackup
- Create/Edit Application Group → Linked Jobs → Settings
- Add Test Script:
  - Test Name: YARA Onion Detection
  - Script Path: C:\Scripts\Veeam-YARA-SecureRestore.ps1
  - Script Arguments: -QuickScan -SessionId "%job_id%"
- Set Test Timeout: 3600 seconds (1 hour)
- Enable Fail job on test failure: Yes
Behavior:
- Runs after VM boot/heartbeat tests complete
- Scans mounted VM volumes in isolated network
- Flags backups as infected if detections occur
- Results logged in SureBackup session details
```powershell
# Full scan of all mounted volumes
.\Veeam-YARA-SecureRestore.ps1
# Quick scan (common malware locations only)
.\Veeam-YARA-SecureRestore.ps1 -QuickScan
# Custom YARA paths
.\Veeam-YARA-SecureRestore.ps1 -YaraPath "D:\Tools\yara64.exe" `
    -YaraRulesPath "D:\Rules" `
    -LogPath "D:\Logs"
# With custom session ID (for tracking)
.\Veeam-YARA-SecureRestore.ps1 -SessionId "Restore_PROD-DC01_20241223"
```

Console output:

```
[2024-12-23 14:32:54] [WARNING] ⚠️⚠️⚠️ ONION LINKS DETECTED - INFECTED FILES ⚠️⚠️⚠️
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
VM: PROD-DC01
Windows Path: C:\Users\Administrator\Documents\README_DECRYPT.txt
Matched Rules: Ransomware_Onion_Link
🔴 Onion Links: http://darknetpay7x3k2.onion/recover | tor2doorabcdef123.onion
Other Matches: Your files have been encrypted
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
VM: PROD-DC01
Windows Path: C:\ProgramData\recovery_instructions.html
Matched Rules: Ransomware_Onion_Link
🔴 Onion Links: http://ransomleak5xyz.onion/payment
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠️ ACTION REQUIRED: Review infected files before restoring!
Full report: C:\ProgramData\Veeam\Logs\YARA-SecureRestore\results_Secure_Restore_20241223_143215.json
```
Location: C:\ProgramData\Veeam\Logs\YARA-SecureRestore\results_[JobID]_[Timestamp].json

```json
{
  "ScanTimestamp": "2024-12-23T14:32:54.1234567-05:00",
  "JobId": "Secure_Restore_20241223_143215",
  "TotalMatches": 4,
  "UniqueFiles": 3,
  "YaraVersion": "4.4.0",
  "Findings": [
    {
      "VMName": "PROD-DC01",
      "WindowsPath": "C:\\Users\\Administrator\\Documents\\README_DECRYPT.txt",
      "MountedPath": "E:\\Users\\Administrator\\Documents\\README_DECRYPT.txt",
      "MatchedRules": "Ransomware_Onion_Link",
      "OnionLinks": "http://darknetpay7x3k2.onion/recover | tor2doorabcdef123.onion",
      "MatchedStrings": "http://darknetpay7x3k2.onion/recover | tor2doorabcdef123.onion | Your files have been encrypted",
      "RuleCount": 1
    },
    {
      "VMName": "PROD-DC01",
      "WindowsPath": "C:\\ProgramData\\recovery_instructions.html",
      "MountedPath": "E:\\ProgramData\\recovery_instructions.html",
      "MatchedRules": "Ransomware_Onion_Link",
      "OnionLinks": "http://ransomleak5xyz.onion/payment",
      "MatchedStrings": "http://ransomleak5xyz.onion/payment | Bitcoin payment required",
      "RuleCount": 1
    }
  ]
}
```

Secure Restore Job Logs:
```
Restore Job: PROD-DC01_Restore_20241223
Status: Failed ❌
Details: Pre-restore script exited with code 1
[View Script Output] → Shows full console output with onion links
```

SureBackup Session:

```
SureBackup Job: Daily_Verification
VM: PROD-DC01
├─ Boot: Success ✓
├─ Heartbeat: Success ✓
├─ Ping: Success ✓
└─ YARA Onion Detection: Failed ❌
   └─ 3 infected files detected
      ├─ C:\Users\Administrator\Documents\README_DECRYPT.txt
      ├─ C:\ProgramData\recovery_instructions.html
      └─ C:\Windows\Temp\shadow_backup.dat
```
```yara
rule comprehensive_onion_detection {
    meta:
        description = "Detects Tor .onion links with ransomware context"
        author = "CG"
        severity = "HIGH"
        category = "TOR_RANSOMWARE"
    strings:
        $v2_onion = /[a-z2-7]{16}\.onion[\/\w.\-?=&]*/
        $v3_onion = /[a-z2-7]{56}\.onion[\/\w.\-?=&]*/
        $http_onion = /https?:\/\/[a-z2-7]{16,56}\.onion/
        $tor_protocol = /tor:\/\/[a-z2-7]{16,56}\.onion/
        $ransom1 = "ransom" ascii wide nocase
        $ransom2 = "encrypted" ascii wide nocase
        $ransom3 = "decrypt" ascii wide nocase
        $payment = "payment" ascii wide nocase
        $bitcoin = /(bitcoin|btc)/i
        $note1 = "READ" fullword ascii nocase
        $note2 = "HOW_TO" nocase
        $note3 = "DECRYPT" ascii wide nocase
    condition:
        1 of ($v2_onion, $v3_onion, $http_onion, $tor_protocol) and
        filesize < 26214400 and
        (
            any of ($ransom*) or $payment or $bitcoin or
            2 of ($note*)
        )
}
```

Purpose: Context-rich ransomware detection combining .onion addresses with ransom-related keywords.
Triggers on:
- v2/v3 .onion addresses (16 or 56 characters)
- HTTP(S) and tor:// protocols
- Ransomware keywords: "ransom", "encrypted", "decrypt", "payment", "bitcoin"
- Ransom note indicators: "READ", "HOW_TO", "DECRYPT"
```yara
rule onion_links_simple {
    meta:
        description = "Detects any Tor .onion links (broad detection)"
        author = "CG"
        severity = "MEDIUM"
        category = "TOR_INDICATOR"
    strings:
        $onion2 = /[a-z2-7]{16}\.onion/
        $onion3 = /[a-z2-7]{56}\.onion/
    condition:
        any of them and filesize < 52428800
}
```

Purpose: Broad IOC sweep for any .onion address.
Triggers on:
- Any v2 or v3 .onion address
- Warning: May produce false positives on privacy guides, Tor documentation, or academic papers.
```yara
rule ransomware_payment_portal {
    meta:
        description = "Detects ransomware payment portals with onion links"
        author = "CG"
        severity = "CRITICAL"
        category = "RANSOMWARE_C2"
    strings:
        $onion = /[a-z2-7]{16,56}\.onion/
        $pay1 = /\bpay\b/i
        $pay2 = "payment" nocase
        $pay3 = "bitcoin wallet" nocase
        $pay4 = /btc/i
        $pay5 = /bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38,59}/
        $dec1 = "decrypt" nocase
        $dec2 = "decryption key" nocase
        $dec3 = "unlock" nocase
        $urg1 = "deadline" nocase
        $urg2 = "hours" nocase
        $urg3 = "days left" nocase
    condition:
        filesize < 18612019 and
        $onion and
        ( 2 of ($pay*) or 2 of ($dec*) ) and
        any of ($urg*)
}
```

Purpose: Identifies ransomware payment portals with urgency indicators.
Triggers on:
- .onion address presence
- Payment/decryption context (2+ matches required)
- Urgency indicators ("deadline", "hours", "days left")
- Bitcoin addresses (Bech32 format)
```yara
rule tor_c2_configuration {
    meta:
        description = "Detects C2 configs with Tor hidden service endpoints"
        author = "CG"
        severity = "CRITICAL"
        category = "C2_COMMUNICATION"
    strings:
        $onion = /[a-z2-7]{16,56}\.onion/
        $c2_1 = /c2[_-]?server/i
        $c2_2 = /command[_-]?server/i
        $c2_3 = /control[_-]?server/i
        $c2_4 = "callback" nocase
        $c2_5 = "beacon" nocase
        $c2_6 = "endpoint" nocase
        $cfg1 = /"url"\s*:/
        $cfg2 = /"endpoint"\s*:/
        $cfg3 = /"server"\s*:/
    condition:
        filesize < 52428800 and
        $onion and
        any of ($c2_*) and
        any of ($cfg*)
}
```

Purpose: Detects C2 configuration files using Tor hidden services.
Triggers on:
- .onion address presence
- C2-related keywords ("c2_server", "callback", "beacon", etc.)
- Configuration file indicators (JSON key patterns)
- YARA Version: v4.4+ (tested with 4.4.0)
- Veeam Version: Backup & Replication v12.x / v13.x
- Operating System: Windows Server 2016+ (for PowerShell scanner)
- PowerShell: v5.1+ (v7+ required for Veeam v13 on Linux mount servers)
- Mount Servers: Windows-based mount servers or SureBackup proxies
Note: Comments using // in YARA rules may cause errors in some Veeam contexts - use /* */ style if issues occur.
```powershell
# 1. Install YARA
# Download from https://github.com/VirusTotal/yara/releases
# Extract to C:\Program Files\YARA\
# 2. Create directories
New-Item -ItemType Directory -Path "C:\ProgramData\YARA\Rules" -Force
New-Item -ItemType Directory -Path "C:\Scripts" -Force
New-Item -ItemType Directory -Path "C:\ProgramData\Veeam\Logs\YARA-SecureRestore" -Force
# 3. Download files
$baseUrl = "https://raw.githubusercontent.com/lostSail0r/Veeam-Yara-Detection-Onion-/main"
Invoke-WebRequest -Uri "$baseUrl/yara-malware-detection.yara" `
    -OutFile "C:\ProgramData\YARA\Rules\yara-malware-detection.yara"
Invoke-WebRequest -Uri "$baseUrl/Veeam-YARA-SecureRestore.ps1" `
    -OutFile "C:\Scripts\Veeam-YARA-SecureRestore.ps1"
# 4. Test installation
& "C:\Program Files\YARA\yara64.exe" --version
& "C:\Scripts\Veeam-YARA-SecureRestore.ps1" -WhatIf
# 5. Configure in Veeam (see Deployment Options above)
```

```powershell
# Restrict script execution to Veeam service accounts
$acl = Get-Acl "C:\Scripts\Veeam-YARA-SecureRestore.ps1"
$acl.SetAccessRuleProtection($true, $false)                 # stop inheriting from C:\Scripts
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
# Add Veeam service account (adjust username). Veeam services run as Local System by default,
# so grant NT AUTHORITY\SYSTEM the same way if the job runs under that account.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "DOMAIN\VeeamService", "ReadAndExecute", "Allow"
)
$acl.SetAccessRule($rule)
Set-Acl "C:\Scripts\Veeam-YARA-SecureRestore.ps1" $acl
```

- Zero-day ransomware detection - Catches new variants by IoC patterns (onion links) rather than signatures
- Prevent reinfection - Blocks restores of infected backups before they reach production
- Automated validation - Integrates with existing Veeam workflows (no manual scans)
- Forensic evidence - JSON reports provide exact file paths and onion links for IR teams
- Cost-effective - No additional licensing beyond Veeam VDP Advanced
Replaced MB suffix with explicit byte values for universal YARA compatibility:
- 25 MB = 26214400 bytes
- 50 MB = 52428800 bytes
- 17.75 MB = 18612019 bytes (optimized for performance)
- Moved filesize checks to beginning of conditions for faster short-circuiting
- Quick scan mode targets common ransomware locations:
  - Users\*\Documents
  - Users\*\Desktop
  - Users\*\Downloads
  - Users\*\AppData\Local\Temp
  - Windows\Temp
  - ProgramData
- PowerShell parser extracts actual .onion URLs (not just detection)
- Supports v2 (16 char) and v3 (56 char) onion addresses
- Handles HTTP(S) and tor:// protocols
Add legacy Bitcoin address formats for broader cryptocurrency detection:

```yara
$btc_legacy = /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
$btc_segwit = /\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38,87}\b/
```

Many ransomware groups now prefer Monero for anonymity:

```yara
$xmr_addr = /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b/
```

Ingest JSON reports into your SIEM for centralized monitoring:

```powershell
# Send each JSON report to the Splunk HTTP Event Collector as one event.
# Reports are read one file at a time (concatenating several files is not valid JSON)
# and wrapped in the "event" field that the /services/collector endpoint expects.
Get-ChildItem "C:\ProgramData\Veeam\Logs\YARA-SecureRestore\results_*.json" | ForEach-Object {
    $report = Get-Content $_.FullName -Raw | ConvertFrom-Json
    Invoke-RestMethod -Uri "https://splunk.company.com:8088/services/collector" `
        -Method Post `
        -Headers @{"Authorization"="Splunk YOUR_HEC_TOKEN"} `
        -ContentType "application/json" `
        -Body (@{ event = $report } | ConvertTo-Json -Depth 10)
}
```
- Tor Project documentation (torproject.org)
- Privacy-focused websites (EFF, PrivacyGuides)
- Academic papers on anonymity networks
- Security blogs discussing Tor/darknet
True positive testing - test against:
- Known ransomware samples from MalwareBazaar
- Ransom note templates (Conti, LockBit, BlackCat, REvil, ALPHV)
- C2 configuration files from public malware analysis reports
```powershell
# Test file with onion link + ransomware context
New-Item -ItemType Directory -Path "C:\Test" -Force | Out-Null   # Out-File fails if the folder is missing
@"
Your files have been encrypted!
To decrypt your data, visit our payment portal:
http://darknetpay7x3k2.onion/recover
Bitcoin wallet: bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
Deadline: 48 hours
"@ | Out-File "C:\Test\README_DECRYPT.txt"
# Check the rules directly against the test file (the scanner only walks mounted VM volumes)
& "C:\Program Files\YARA\yara64.exe" -s "C:\ProgramData\YARA\Rules\yara-malware-detection.yara" "C:\Test\README_DECRYPT.txt"
# Run scanner
.\Veeam-YARA-SecureRestore.ps1 -QuickScan
```

```powershell
# Measure scan time
Measure-Command {
    .\Veeam-YARA-SecureRestore.ps1 -QuickScan
}
# Profile YARA performance (-p takes a thread count; a bare "-p" is a usage error in yara64)
& "C:\Program Files\YARA\yara64.exe" -p 4 -r -s `
    "C:\ProgramData\YARA\Rules\yara-malware-detection.yara" `
    "E:\"
```

```powershell
# Verify YARA installation
Test-Path "C:\Program Files\YARA\yara64.exe"
# If false, reinstall from https://github.com/VirusTotal/yara/releases
```

```powershell
# Verify rule file exists
Get-ChildItem "C:\ProgramData\YARA\Rules" -Filter "*.yar*"
# Re-download if missing
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/lostSail0r/Veeam-Yara-Detection-Onion-/main/yara-malware-detection.yara" `
    -OutFile "C:\ProgramData\YARA\Rules\yara-malware-detection.yara"
```

```powershell
# Verify VM is mounted via Instant Recovery/SureBackup
Get-Volume | Where-Object { $_.DriveLetter -and $_.FileSystemType -in @('NTFS','ReFS') }
# Check if Windows directory exists on mounted volumes (skip volumes without a drive letter)
Get-Volume | Where-Object DriveLetter | ForEach-Object {
    Test-Path "$($_.DriveLetter):\Windows"
}
```

```powershell
# Use QuickScan mode to reduce scan time
.\Veeam-YARA-SecureRestore.ps1 -QuickScan
# Or increase timeout in SureBackup job settings:
# Application Group → Test Script → Timeout: 7200 (2 hours)
```

These rules and scripts are provided as-is for educational, research, and defensive security purposes. Always test in a safe, controlled environment before deploying in production.
The author is not responsible for:
- False positives/negatives affecting business operations
- Performance impacts on Veeam infrastructure
- Any misuse or damage caused by these tools
Recommended: Test thoroughly in lab environment with known ransomware samples before production deployment.
Contributions welcome! Please submit:
- New YARA rules for emerging ransomware families
- Performance optimizations for PowerShell scanner
- Integration examples (SIEM, ticketing systems, etc.)
- Bug reports with sanitized logs
- Author: CG [@cgfixit]
- Category: Ransomware Detection, Tor/Onion IOCs, C2 Detection
- License: MIT
- Last Updated: December 23, 2025