VeeamBackup Database Credentials Dump Via Sqlcmd.EXE

Summary
This rule detects unauthorized dumping of credentials from the VeeamBackup database using the SQL Command Line Utility (sqlcmd.exe). It monitors process creation events for command lines that look like SQL queries against the VeeamBackup credentials table. The rule fires when the command line of a sqlcmd.exe process contains a SELECT against that table, which suggests an attacker is trying to extract stored credentials. Because VeeamBackup manages backups and their data, unauthorized access to or manipulation of its credentials is a significant security risk.
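The matching logic described above, run over a few constructed process-creation events, as an added illustration rather than the Sigma rule's own source. It assumes Sysmon-style field names (Image, CommandLine) and approximates the rule with three case-insensitive substring checks on a sqlcmd.exe command line.

```python
from typing import Dict, List

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # sqlcmd run against the VeeamBackup database, selecting from Credentials: should alert
        "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
        "CommandLine": 'sqlcmd.exe -S localhost\\VEEAMSQL2016 -d VeeamBackup -Q "SELECT * FROM Credentials"',
    },
    {  # same intent, database named inline and mixed case: should alert
        "Image": r"C:\Tools\sqlcmd.exe",
        "CommandLine": 'sqlcmd -S . -Q "select top 10 * from VeeamBackup.dbo.Credentials"',
    },
    {  # sqlcmd against an unrelated database: benign
        "Image": r"C:\Tools\sqlcmd.exe",
        "CommandLine": 'sqlcmd -S . -d Inventory -Q "SELECT COUNT(*) FROM Assets"',
    },
    {  # keywords present but the process is not sqlcmd.exe and there is no SELECT: benign
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c echo VeeamBackup Credentials",
    },
]


def is_veeam_credential_dump(event: Dict[str, str]) -> bool:
    """Return True when the event matches the rule's approximated selection logic."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # The process must be sqlcmd.exe; compare on the file name only, path may vary.
    if not image.endswith("\\sqlcmd.exe"):
        return False
    # All three fragments must appear in the command line (case-insensitive).
    return "veeambackup" in cmd and "credentials" in cmd and "select" in cmd


def find_alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of all events that trigger the detection."""
    return [e["CommandLine"] for e in events if is_veeam_credential_dump(e)]


if __name__ == "__main__":
    for line in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Because the check runs only on the process command line, pair it with the Application Log data source listed below (SQL Server audit events) to cover queries that never appear in the process arguments.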
Categories
  • Windows
  • Cloud
Data Sources
  • Process
  • Application Log
Created: 2021-12-20