
Summary
This detection rule identifies potentially malicious use of PowerShell scripts that interact with Veeam Backup servers to extract stored credentials. It triggers on execution of a PowerShell script containing commands associated with the Veeam Backup class, most notably '[Veeam.Backup.Common.ProtectedStorage]::GetLocalString', which retrieves credentials and therefore poses a risk when run by unauthorized entities. The script may also use 'Invoke-Sqlcmd' and reference 'Veeam Backup and Replication', which further indicate harmful intent when executed outside legitimate administrative processes. False positives may arise from legitimate administrator scripts performing backup functions and must be investigated accordingly. Given the sensitive nature of backup credentials, the detection level is classified as high.
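The following is an added example, not the rule's own implementation or any vendor code, showing how the matching logic described above can be applied to PowerShell script block log events. It assumes events carry a script block id, a chunk number, the executing user and the chunk text (the shape of Windows 4104 script block logging is the assumption; the field names are invented), reassembles chunks before matching so an indicator split across chunks is not missed, and annotates matches from a constructed list of known backup administrator accounts for triage rather than suppressing them. All sample events are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Indicator strings from the rule summary. PowerShell identifiers are
# case-insensitive, so the patterns are too.
PRIMARY = re.compile(
    r"\[Veeam\.Backup\.Common\.ProtectedStorage\]::GetLocalString", re.IGNORECASE
)
SUPPORTING = {
    "invoke_sqlcmd": re.compile(r"\bInvoke-Sqlcmd\b", re.IGNORECASE),
    "veeam_reference": re.compile(r"Veeam Backup and Replication", re.IGNORECASE),
}

# Assumption for this example: accounts expected to run Veeam maintenance scripts.
# A hit from one of these still alerts; it is only annotated for the analyst.
KNOWN_BACKUP_ADMINS = {"backupadmin"}


@dataclass
class Verdict:
    matched: bool
    level: str
    indicators: list = field(default_factory=list)
    triage_note: str = ""


def evaluate_script(script_text: str, user: str = "") -> Verdict:
    """Apply the rule logic to one complete script block.

    The ProtectedStorage call is the trigger; the supporting strings are
    recorded as context to raise analyst confidence (this split is an
    assumption about how the rule weights its indicators).
    """
    hits = []
    if PRIMARY.search(script_text):
        hits.append("protected_storage_getlocalstring")
    hits += [name for name, pat in SUPPORTING.items() if pat.search(script_text)]
    matched = "protected_storage_getlocalstring" in hits
    note = ""
    if matched and user.lower() in KNOWN_BACKUP_ADMINS:
        note = "known backup admin account: verify against change records before closing"
    return Verdict(matched, "high" if matched else "none", hits, note)


def reassemble_script_blocks(events):
    """Join chunks by script block id, ordered by chunk number.

    Returns {block_id: (user, full_text)}. Matching chunk by chunk would miss an
    indicator that the logger split across two chunks.
    """
    chunks = defaultdict(list)
    users = {}
    for ev in events:
        chunks[ev["block_id"]].append((ev["chunk"], ev["text"]))
        users[ev["block_id"]] = ev["user"]
    return {
        bid: (users[bid], "".join(text for _, text in sorted(parts)))
        for bid, parts in chunks.items()
    }


def run_detection(events):
    """Evaluate every reassembled script block and return the alerts raised."""
    alerts = []
    for block_id, (user, text) in reassemble_script_blocks(events).items():
        verdict = evaluate_script(text, user)
        if verdict.matched:
            alerts.append({
                "block_id": block_id,
                "user": user,
                "level": verdict.level,
                "indicators": verdict.indicators,
                "triage_note": verdict.triage_note,
            })
    return alerts


# Constructed sample events (not real log data). Block B is deliberately split so
# that the primary indicator spans two chunks.
SAMPLE_EVENTS = [
    {"block_id": "A", "chunk": 1, "user": "backupadmin",
     "text": "Get-VBRJob | Where-Object { $_.IsScheduleEnabled } | Start-VBRJob"},
    {"block_id": "B", "chunk": 1, "user": "svc-unknown",
     "text": "Invoke-Sqlcmd -ServerInstance $inst -Query $q | Out-Null; [Veeam.Backup.Common."},
    {"block_id": "B", "chunk": 2, "user": "svc-unknown",
     "text": "ProtectedStorage]::GetLocalString($enc)"},
    {"block_id": "C", "chunk": 1, "user": "backupadmin",
     "text": "Write-Host 'Veeam Backup and Replication health check'; Get-VBRServer"},
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Block C shows why the supporting strings alone should not fire the rule: a routine health-check script that merely mentions the product name records a supporting hit but no alert, while block B only matches once its two chunks are joined.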
Categories
- Windows
- Endpoint
Data Sources
- Script
- Process
Created: 2023-05-04