
Attempted Veeam Database Credential Dump

Anvilogic Forge

Summary
This rule detects attempts to dump the encrypted credentials stored in Veeam databases, a technique used by actors associated with Diavol ransomware and documented in Veeam's own forums. The dump is usually performed with 'sqlcmd', but the detection logic does not depend on that binary name: renamed copies of sqlcmd and alternate SQL client utilities are covered as well. The rule keys on process command lines that contain a SQL query against the Credentials table in the VeeamBackup database, using process-creation telemetry from endpoint detection tools, so that analysts can spot credential access against a Veeam backup server even when the attacker has tried to evade simple image-name matching.
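The following is an added illustration of the detection logic described above, written for this page and not Anvilogic's or Veeam's own code. It runs a content-based match (database name plus a read of the Credentials table) over a handful of constructed process-creation events, so that the stock sqlcmd binary, a renamed copy and an alternate client all trigger while queries against other tables or other databases do not. The event shape, the host and user names, the SQL instance name VEEAMSQL2012, the renamed binary s.exe and the use of PowerShell's Invoke-Sqlcmd as the "alternate utility" are all assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample process-creation events in a simplified EDR-style shape.
# None of these are real telemetry; hosts, users, paths and the instance name are assumed.
SAMPLE_EVENTS = [
    {   # stock sqlcmd binary, bracket-quoted three-part table name
        "host": "vbr01", "user": "CORP\\svc_backup",
        "image": "C:\\Program Files\\Microsoft SQL Server\\110\\Tools\\Binn\\sqlcmd.exe",
        "cmdline": 'sqlcmd -S localhost\\VEEAMSQL2012 -E -Q "SELECT * FROM [VeeamBackup].[dbo].[Credentials]"',
    },
    {   # sqlcmd renamed to s.exe, unquoted lowercase, schema omitted (db..table)
        "host": "vbr01", "user": "CORP\\jdoe",
        "image": "C:\\Users\\Public\\s.exe",
        "cmdline": 's.exe -S . -E -Q "select * from veeambackup..credentials"',
    },
    {   # alternate utility (assumed): PowerShell Invoke-Sqlcmd with a USE statement
        "host": "vbr01", "user": "CORP\\jdoe",
        "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "cmdline": "powershell.exe -NoProfile -Command \"Invoke-Sqlcmd -ServerInstance .\\VEEAMSQL2012 "
                   "-Query 'USE VeeamBackup; SELECT * FROM dbo.Credentials'\"",
    },
    {   # benign: same database, different table
        "host": "vbr01", "user": "CORP\\svc_backup",
        "image": "C:\\Program Files\\Microsoft SQL Server\\110\\Tools\\Binn\\sqlcmd.exe",
        "cmdline": 'sqlcmd -S localhost\\VEEAMSQL2012 -E -Q "SELECT COUNT(*) FROM [VeeamBackup].[dbo].[Backups]"',
    },
    {   # benign: a Credentials table in an unrelated database
        "host": "app01", "user": "CORP\\dba",
        "image": "C:\\Program Files\\Microsoft SQL Server\\110\\Tools\\Binn\\sqlcmd.exe",
        "cmdline": 'sqlcmd -S db01 -E -Q "SELECT * FROM [Inventory].[dbo].[Credentials]"',
    },
]

# Both conditions must hold: the VeeamBackup database is referenced somewhere on the
# command line, and a FROM clause reads the Credentials table (with or without db/schema).
DB_RE = re.compile(r"\bveeambackup\b")
TABLE_RE = re.compile(r"\bfrom\s+(?:veeambackup\.)?(?:dbo)?\.?credentials\b")


def normalize(cmdline: str) -> str:
    """Lower-case, strip T-SQL bracket quoting and string quotes, collapse whitespace,
    so [VeeamBackup].[dbo].[Credentials] and veeambackup.dbo.credentials compare equal."""
    s = cmdline.lower()
    s = re.sub(r"[\[\]\"']", "", s)
    return re.sub(r"\s+", " ", s)


def classify_client(image: str, cmdline: str) -> str:
    """Label how the query reached SQL Server: the stock sqlcmd image, the assumed
    alternate utility (Invoke-Sqlcmd), or some renamed/unknown binary."""
    exe = PureWindowsPath(image).name.lower()
    if exe == "sqlcmd.exe":
        return "sqlcmd"
    if "invoke-sqlcmd" in cmdline.lower():
        return "alternate_utility"
    return "renamed_or_unknown_binary"


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert when the command line reads the Credentials table in the
    VeeamBackup database, regardless of which binary issued the query."""
    norm = normalize(event["cmdline"])
    if not (DB_RE.search(norm) and TABLE_RE.search(norm)):
        return None
    return {
        "host": event["host"],
        "user": event["user"],
        "client": classify_client(event["image"], event["cmdline"]),
        "technique": "T1552.001",
        "cmdline": event["cmdline"],
    }


def run(events: list) -> list:
    """Apply the rule to a batch of events and return the alerts in input order."""
    return [alert for alert in (evaluate(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Matching on the normalized command-line content rather than on the image name is what lets the renamed binary and the PowerShell variant fire alongside plain sqlcmd; the `client` field is kept only as triage context, not as a gate.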
Categories
  • Endpoint
  • Cloud
  • Database
Data Sources
  • Process
  • User Account
  • Application Log
ATT&CK Techniques
  • T1552.001
Created: 2024-02-09