
Summary
This detection rule identifies potential reconnaissance against cached credentials on Windows systems through use of the "cmdkey.exe" command-line utility. cmdkey manages stored usernames and passwords, and invoking it in certain ways may indicate an attempt to enumerate or access those cached credentials. The rule relies on two detection criteria: monitoring process creation of cmdkey.exe, and checking the command line for the '-l' option, which lists saved credentials. Flagging this activity matters because credential access of this kind can precede privilege escalation or lateral movement within an organization. The detection runs on Windows process creation logs and highlights the risk posed by unauthorized access to cached credentials, flagging behavior consistent with reconnaissance tactics commonly used by attackers.
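The following is an added example, not code from the rule or its authors, showing how the two criteria above could be applied to Windows process-creation events in a small Python matcher. It assumes events are dicts with Sysmon Event ID 1 style field names (Image, CommandLine, OriginalFileName) and treats the rule as requiring both criteria at once; the sample events are constructed for the illustration. Beyond the '-l' switch named on the page it also matches cmdkey's documented slash spelling (/list, abbreviated /l) and a renamed binary via OriginalFileName, both as assumptions about what a practitioner would want covered.

```python
import ntpath
import shlex

# Switches that list stored credentials. The rule names '-l'; the slash
# forms are cmdkey's documented spelling (cmdkey /list, abbreviated /l)
# and are included here as an assumption that both prefixes should match.
LIST_SWITCHES = {"-l", "-list", "/l", "/list"}


def _tokens(command_line: str) -> list:
    """Split a Windows command line into tokens, tolerating unbalanced quotes."""
    try:
        return shlex.split(command_line, posix=False)
    except ValueError:
        return command_line.split()


def is_cmdkey_credential_listing(event: dict) -> bool:
    """Return True when the event is cmdkey.exe invoked with a list switch.

    Both criteria from the rule must hold: the created process is cmdkey.exe
    (by image name, or by OriginalFileName to catch a renamed copy - an
    assumption that the field is present) and the command line carries a
    listing option. Matching is case-insensitive, as Windows paths and
    switches are.
    """
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    if image != "cmdkey.exe" and original != "cmdkey.exe":
        return False
    for tok in _tokens(event.get("CommandLine", "")):
        if tok.lower().strip('"') in LIST_SWITCHES:
            return True
    return False


def scan(events: list) -> list:
    """Return the subset of process-creation events the rule would flag."""
    return [e for e in events if is_cmdkey_credential_listing(e)]


# Constructed sample events (Sysmon Event ID 1 style field names), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmdkey.exe", "OriginalFileName": "cmdkey.exe",
     "CommandLine": "cmdkey -l"},                          # flagged: dash form from the rule
    {"Image": r"C:\Windows\System32\cmdkey.exe", "OriginalFileName": "cmdkey.exe",
     "CommandLine": "CMDKEY.EXE /LIST"},                   # flagged: slash form, odd casing
    {"Image": r"C:\Windows\System32\cmdkey.exe", "OriginalFileName": "cmdkey.exe",
     "CommandLine": "cmdkey /delete:TERMSRV/fileserver"},  # not flagged: no list switch
    {"Image": r"C:\Users\alice\AppData\Local\Temp\ck.exe", "OriginalFileName": "cmdkey.exe",
     "CommandLine": "ck.exe /l"},                          # flagged via OriginalFileName
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c dir -l"},                  # not flagged: different image
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT cached-credential listing:", hit["CommandLine"])
```

Tokenizing the command line rather than substring-matching avoids flagging unrelated arguments that merely contain the letters, while the basename and OriginalFileName checks keep the image criterion robust to path and renaming variations.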
Categories
- Windows
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1003.005
Created: 2019-01-16