Potential Browser Data Stealing

Summary
This detection rule identifies potential unauthorized access to and copying of browser-stored credentials. Adversaries often target web browsers because they keep sensitive user information, such as usernames and passwords, in a credential store that is typically encrypted. The rule monitors command line activity for file copy and move operations that reference known browser user data directories for Chrome, Firefox, Edge and other browsers. Key indicators are the commands 'copy-item', 'xcopy.exe' or 'robocopy.exe' used together with paths into those directories. The goal is to detect attempts to exfiltrate saved credentials or other sensitive information from the user's browser environment. False positives may occur, so detected alerts require further contextual analysis.
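The pairing described above (a copy tool plus a browser user-data path in one command line), applied to constructed process events as an added illustration; this is not the Sigma rule itself, and the path list is an assumption covering only Chrome, Edge and Firefox, while the real rule covers more browsers.

```python
"""Toy implementation of the detection described above: flag process-creation
events whose command line pairs a copy/move tool with a browser user-data path."""

# Copy/move tools named in the rule summary (matched case-insensitively).
COPY_TOOLS = ("copy-item", "xcopy.exe", "robocopy.exe")

# Assumed browser profile directories (Chrome, Edge, Firefox); the real rule
# covers more browsers and its exact path list may differ.
BROWSER_USER_DATA_PATHS = (
    r"\google\chrome\user data",
    r"\microsoft\edge\user data",
    r"\mozilla\firefox\profiles",
)


def is_browser_data_copy(command_line: str) -> bool:
    """True when a copy tool and a browser user-data path appear together."""
    cmd = command_line.lower()
    uses_copy_tool = any(tool in cmd for tool in COPY_TOOLS)
    touches_profile = any(path in cmd for path in BROWSER_USER_DATA_PATHS)
    return uses_copy_tool and touches_profile


def scan(events):
    """Return the events (dicts with a 'CommandLine' key) that match."""
    return [e for e in events if is_browser_data_copy(e["CommandLine"])]


# Constructed sample events; none come from real telemetry.
SAMPLE_EVENTS = [
    # Chrome credential store copied to a staging folder: should fire.
    {"id": 1, "CommandLine": r'xcopy.exe "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" C:\Temp\ /Y'},
    # Firefox profile directory copied with robocopy: should fire.
    {"id": 2, "CommandLine": r'robocopy.exe "C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles" C:\Temp\ff /E'},
    # PowerShell Copy-Item on the Edge profile (env var still unexpanded in the log): should fire.
    {"id": 3, "CommandLine": r'powershell.exe -c "Copy-Item $env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Login Data C:\ProgramData\e"'},
    # Copy tool without a browser path: should not fire.
    {"id": 4, "CommandLine": r"robocopy.exe C:\src D:\src /MIR"},
    # Browser path without a copy tool (Chrome itself starting): should not fire.
    {"id": 5, "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"'},
    # Legitimate profile backup script: fires too, the kind of false positive the summary warns about.
    {"id": 6, "CommandLine": r'robocopy.exe "C:\Users\alice\AppData\Local\Google\Chrome\User Data" \\backup\alice\chrome /E'},
]


def matching_ids(events=SAMPLE_EVENTS):
    """Ids of the sample events that the detection flags."""
    return [e["id"] for e in scan(events)]


if __name__ == "__main__":
    for e in scan(SAMPLE_EVENTS):
        print("ALERT", e["id"], e["CommandLine"])
```

Event 6 shows why the summary calls for contextual analysis: the command line alone cannot distinguish a backup job from staging for exfiltration, so the parent process, destination and user context decide.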
Categories
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1555.003
Created: 2022-12-23