Potential Veeam Credential Access Command

Elastic Detection Rules

Summary
This detection rule identifies suspicious commands that may access and decrypt Veeam credentials stored in MSSQL databases, a technique that is particularly relevant in the context of ransomware attacks. The rule uses Elastic's EQL (Event Query Language) to monitor the execution of process commands associated with accessing sensitive Veeam backup credentials. It specifically looks for processes such as 'sqlcmd.exe' and PowerShell cmdlets such as 'Invoke-Sqlcmd' and 'Invoke-DbaQuery', combined with database queries that reference 'VeeamBackup.dbo.Credentials'. The risk is that an attacker who runs these commands can extract or manipulate backup credentials, which increases the likelihood of data breaches and unauthorized data access. The accompanying guidance includes investigation steps to confirm whether detected activity is legitimate, assess its risk, and remediate potential threats while minimizing false positives from routine administrative actions.
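To make the detection logic concrete, the following added example (not the Elastic rule's own EQL, which this page does not reproduce) implements the same conditions over ECS-style process events: a command line that references the VeeamBackup.dbo.Credentials table, executed either by sqlcmd.exe or by a PowerShell host running Invoke-Sqlcmd or Invoke-DbaQuery. The field names (process.name, process.command_line), the PowerShell host names (powershell.exe, pwsh.exe) and the sample events are assumptions constructed for the example. It goes slightly beyond the summary by normalising bracketed T-SQL identifiers such as [dbo].[Credentials] so that they still match the table name.

```python
"""Approximation of the Veeam credential access detection described above.

Added example, not Elastic's rule: evaluates ECS-style process events
(field names assumed) and flags command lines that query the
VeeamBackup.dbo.Credentials table via sqlcmd.exe or the PowerShell
Invoke-Sqlcmd / Invoke-DbaQuery cmdlets.
"""
from typing import Dict, Iterable, List

# Process names from the rule summary plus assumed PowerShell host names.
SQL_CLIENT_PROCESSES = {"sqlcmd.exe"}
POWERSHELL_PROCESSES = {"powershell.exe", "pwsh.exe"}  # assumption
POWERSHELL_CMDLETS = ("invoke-sqlcmd", "invoke-dbaquery")
CREDENTIAL_TABLE = "veeambackup.dbo.credentials"


def _normalise(command_line: str) -> str:
    """Lower-case the command line and drop T-SQL identifier brackets so
    that [VeeamBackup].[dbo].[Credentials] matches the plain table name."""
    return command_line.lower().replace("[", "").replace("]", "")


def is_veeam_credential_access(event: Dict[str, str]) -> bool:
    """Return True when the event matches the conditions in the rule summary."""
    name = event.get("process.name", "").lower()
    cmd = _normalise(event.get("process.command_line", ""))
    # The query must reference the credential table at all.
    if CREDENTIAL_TABLE not in cmd:
        return False
    # sqlcmd.exe touching the table is enough on its own.
    if name in SQL_CLIENT_PROCESSES:
        return True
    # PowerShell only counts when one of the SQL cmdlets is present.
    if name in POWERSHELL_PROCESSES and any(c in cmd for c in POWERSHELL_CMDLETS):
        return True
    return False


def find_alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a stream of process events down to the ones that should alert."""
    return [e for e in events if is_veeam_credential_access(e)]


# Constructed sample events: three should alert, three should not.
SAMPLE_EVENTS = [
    {"process.name": "sqlcmd.exe",
     "process.command_line": 'sqlcmd.exe -S .\\VEEAMSQL2016 -Q "SELECT * FROM VeeamBackup.dbo.Credentials"'},
    {"process.name": "powershell.exe",
     "process.command_line": "powershell.exe -c \"Invoke-Sqlcmd -Query 'SELECT * FROM VeeamBackup.dbo.Credentials'\""},
    {"process.name": "pwsh.exe",
     "process.command_line": 'pwsh.exe -c "Invoke-DbaQuery -SqlInstance . -Query \'SELECT * FROM [VeeamBackup].[dbo].[Credentials]\'"'},
    # Routine administration: same client, different table.
    {"process.name": "sqlcmd.exe",
     "process.command_line": 'sqlcmd.exe -Q "SELECT name FROM sys.databases"'},
    # PowerShell mentioning Veeam without any SQL cmdlet.
    {"process.name": "powershell.exe",
     "process.command_line": "powershell.exe Get-ChildItem C:\\ProgramData\\Veeam"},
    # Table name present but the process is not one the rule watches.
    {"process.name": "notepad.exe",
     "process.command_line": "notepad.exe VeeamBackup.dbo.Credentials.txt"},
]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["process.name"], "->", alert["process.command_line"])
```

The two-stage structure mirrors how the rule summary describes the logic: the table reference is the necessary condition, and the process or cmdlet name is what turns a generic query into a credential-access candidate. When tuning for false positives, the benign sqlcmd.exe event shows why the table reference, not the client binary, should carry the weight.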
Categories
  • Endpoint
  • Windows
  • Cloud
  • Infrastructure
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • Network Traffic
  • File
  • Command
ATT&CK Techniques
  • T1003
  • T1555
  • T1059
  • T1059.001
Created: 2024-03-14