
Summary
This detection rule identifies PowerShell scripts that access and decrypt Veeam credentials stored in MSSQL databases, a tactic often used by attackers during ransomware operations. The detection relies on PowerShell script block logging, which records the content of executed scripts, so that script actions querying SQL databases for sensitive credential information can be identified. The rule is written in KQL (Kibana Query Language) and filters events on process activity and script content associated with known credential access patterns. The rule has a medium severity and requires PowerShell Script Block Logging to be enabled, since without it the script content the rule inspects is never logged. Investigation guidelines note that the rule can generate false positives during legitimate administrative tasks, so the context and intent behind an alert should be analysed carefully before escalation.
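As an added illustration of the detection logic described above (not the rule's own KQL or Elastic's code), the following Python emulates the rule's three conditions over constructed script block events: a PowerShell host process, a SQL client reference in the script text, and a reference to the Veeam database and its credential table. The indicator terms, process names and sample events are assumptions chosen for the example; the real rule's terms are not reproduced here.

```python
import re

# ASSUMED indicator terms for illustration; not the rule's actual KQL terms.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
SQL_CLIENT_RE = re.compile(r"Invoke-Sqlcmd|System\.Data\.SqlClient|SqlConnection|\bsqlcmd\b", re.I)
VEEAM_DB_RE = re.compile(r"VeeamBackup", re.I)
CRED_TABLE_RE = re.compile(r"\bCredentials\b", re.I)

# Constructed sample events in the shape of PowerShell script block log records (not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate admin task: queries the Veeam DB but never touches the credential table -> no alert.
    {"process": "powershell.exe", "user": "CORP\\backupadmin",
     "script_block_text": "Invoke-Sqlcmd -ServerInstance '.\\VEEAMSQL' -Query 'SELECT COUNT(*) FROM VeeamBackup.dbo.Backups'"},
    # All three conditions present -> alert.
    {"process": "powershell.exe", "user": "CORP\\jdoe",
     "script_block_text": "$c=New-Object System.Data.SqlClient.SqlConnection('Server=.\\VEEAMSQL;Database=VeeamBackup');"
                          "$q='SELECT * FROM Credentials'"},
    # Mentions Veeam (service name) but has no SQL client -> no alert.
    {"process": "powershell.exe", "user": "CORP\\ops",
     "script_block_text": "Get-Service VeeamBackupSvc | Restart-Service"},
    # Same script text as the alerting event but not a PowerShell host -> outside the rule's scope.
    {"process": "cmd.exe", "user": "CORP\\jdoe",
     "script_block_text": "SqlConnection Database=VeeamBackup; SELECT * FROM Credentials"},
]


def match_event(event):
    """Return an alert dict when every rule condition holds for one event, else None."""
    if event.get("process", "").lower() not in POWERSHELL_HOSTS:
        return None
    text = event.get("script_block_text", "")
    hits = {
        "sql_client": SQL_CLIENT_RE.search(text),
        "veeam_db": VEEAM_DB_RE.search(text),
        "credential_table": CRED_TABLE_RE.search(text),
    }
    if not all(hits.values()):
        return None
    # Surface the matched terms so an analyst can triage intent (admin task vs. credential access).
    return {"user": event.get("user"), "process": event["process"], "severity": "medium",
            "matched": {name: m.group(0) for name, m in hits.items()}}


def scan(events):
    """Run the detection over a list of events and return the alerts it raises."""
    return [alert for alert in (match_event(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```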
Categories
- Endpoint
- Windows
Data Sources
- Process
- Script
- Logon Session
ATT&CK Techniques
- T1003
- T1555
- T1059
- T1059.001
Created: 2024-03-14