diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md index 3578eac..603c28e 100644 --- a/source/threat-hunting/index.md +++ b/source/threat-hunting/index.md @@ -116,6 +116,7 @@ updated: 2025-08-03 - [Unusual printui.exe path](unusual-printui-exe-path) - [User Login with Local Credentials](user-login-with-local-credentials) - [VSCode tunnel](vscode-tunnel) +- [Veeam credential extraction](veeam-credential-extraction) - [Volt Typhoon IOC](volt-typhoon-ioc) - [Volume Shadow Copy](volume-shadow-copy) - [Volume Shadow Delete](volume-shadow-delete) diff --git a/source/threat-hunting/veeam-credential-extraction.md b/source/threat-hunting/veeam-credential-extraction.md new file mode 100644 index 0000000..c060322 --- /dev/null +++ b/source/threat-hunting/veeam-credential-extraction.md @@ -0,0 +1,12 @@ +--- +title: Veeam credential extraction +layout: page +date: 2025-08-06 +--- + +References: [1](https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/) +SPL: + +```spl +| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.process_name="psql.exe" Processes.process="*VeeamBackup*" Processes.process IN ("*password*", "*credentials*") BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s +```
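Review bot: in the index.md hunk the front matter context line shows `updated: 2025-08-03`, while the page being linked carries `date: 2025-08-06`; bump the index `updated` field in the same commit so the list date does not lag behind the newest entry. The new entry sits between "VSCode tunnel" and "Volt Typhoon IOC", which is correct for a byte-order sort but not for case-insensitive alphabetical order (where "Veeam" precedes "VSCode"); confirm which ordering the list uses and place it accordingly.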
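Review bot: the new veeam-credential-extraction.md page gives only a reference link and the SPL, with no sentence describing the behaviour being hunted; add one line above the search stating that it looks for `psql.exe` launched with a `VeeamBackup` command line whose query text mentions `password` or `credentials`, so a reader can judge the match conditions without opening the report. Two points on the search itself: `tstats` matches WHERE values case-sensitively, so `"*password*"` and `"*credentials*"` miss command lines that use `Password` or `Credentials`; add the capitalised variants (or a lowercase-normalised field) to the `IN (...)` list. Second, all three string conditions are evaluated against `Processes.process`, so the search only fires when the SQL text is passed inline on the command line; note this coverage limit on the page so analysts know a query supplied through standard input or a file will not produce a hit.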