
Dump Credentials from Windows Credential Manager With PowerShell

Sigma Rules

Summary
This detection rule identifies PowerShell scripts that attempt to extract credentials from the Windows Credential Manager. Adversaries often target common password storage locations as part of their credential access tactics. The rule matches specific PowerShell commands related to credential retrieval from the Windows Credential Manager; it requires Script Block Logging to be enabled in order to function. The detection logic uses a selection based on key indicators in the PowerShell script block text, including direct calls to credential functions such as 'Get-PasswordVaultCredentials' and 'Get-CredManCreds'. The alert fires if any one of the defined selection criteria is met, which broadens coverage of potential credential dumping activity.
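The selection logic described above, applied to a few constructed Script Block Logging records, as an added example that is not part of the Sigma rule or this page. It assumes script blocks arrive as event ID 4104 records with a ScriptBlockText field; the sample events are made up for illustration.

```python
"""Applies the rule's selection logic to PowerShell Script Block Logging events."""
from typing import Optional

# Indicators listed in the rule's selection. Sigma's `contains` modifier is
# case-insensitive, so the comparison below lowercases both sides.
SELECTION_CONTAINS = ("Get-PasswordVaultCredentials", "Get-CredManCreds")

# Script Block Logging writes event 4104 (assumed here as the record's EventID);
# the rule cannot fire unless that logging is enabled on the host.
SCRIPT_BLOCK_EVENT_ID = 4104


def matches_selection(script_block_text: str) -> Optional[str]:
    """Return the first matching indicator, or None if the rule's condition is not met."""
    haystack = script_block_text.lower()
    for indicator in SELECTION_CONTAINS:
        if indicator.lower() in haystack:
            return indicator
    return None


def scan_events(events: list) -> list:
    """Return (RecordId, indicator) for every script-block event that satisfies the rule."""
    hits = []
    for event in events:
        if event.get("EventID") != SCRIPT_BLOCK_EVENT_ID:
            continue  # other PowerShell events carry no ScriptBlockText to inspect
        indicator = matches_selection(event.get("ScriptBlockText", ""))
        if indicator is not None:
            hits.append((event["RecordId"], indicator))
    return hits


# Constructed sample records, shaped loosely like PowerShell/Operational log entries.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object"},
    {"RecordId": 2, "EventID": 4104, "ScriptBlockText": "Get-CredManCreds | Format-List"},
    {"RecordId": 3, "EventID": 4104, "ScriptBlockText": "get-passwordvaultcredentials"},
    # A 4103 pipeline event carries no script block text, so the rule does not fire on it.
    {"RecordId": 4, "EventID": 4103, "Payload": "CommandInvocation(Get-CredManCreds)"},
]

if __name__ == "__main__":
    for record_id, indicator in scan_events(SAMPLE_EVENTS):
        print(f"RecordId {record_id}: matched '{indicator}'")
```

Record 4 shows the caveat from the summary in practice: without Script Block Logging there is no ScriptBlockText field, and the rule has nothing to match on.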
Categories
  • Windows
  • Endpoint
Data Sources
  • Script
  • Windows Registry
ATT&CK Techniques
  • T1555
Created: 2021-12-20