Browser Credential File Accessed - Windows

Anvilogic Forge

Summary
This rule detects unauthorized access to browser credential files on Windows systems. Threat actors may attempt to acquire stored credentials from web browsers by reading the files in which browsers keep them, which typically live under the user's profile directory. The detection logic relies on Windows Security Event IDs 4656 and 4663, which record file access events, paired with the specific paths where credential files are commonly located, such as Chrome's 'Login Data' and Firefox's 'logins.json'. By flagging accesses from processes that are not within the standard system paths or on the list of authorized executables (such as msiexec.exe), the rule aims to surface potential credential theft. The regular expressions in the rule filter out benign processes and user types so that the detection stays focused.
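The following is an added illustration of the detection logic the summary describes, written for this page rather than taken from the Anvilogic rule itself. It runs over a handful of constructed 4656/4663 records, matches the credential file names named above, and then drops events whose process or subject account the rule would treat as benign. The exact allow-lists (Windows system directories, msiexec.exe, the browser executables themselves, machine accounts and SYSTEM) are assumptions made for the example; the real rule's regular expressions are not reproduced on this page.

```python
import re

# Constructed sample events (not real telemetry). The field names mirror the
# ones commonly parsed from Security Event IDs 4656 and 4663.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "alice",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventID": 4656, "SubjectUserName": "alice",
     "ObjectName": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default\logins.json",
     "ProcessName": r"C:\Users\alice\Downloads\tool.exe"},
    # The browser reading its own credential store is expected behaviour.
    {"EventID": 4663, "SubjectUserName": "alice",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
     "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    # System account plus a process under System32: filtered as benign.
    {"EventID": 4663, "SubjectUserName": "SYSTEM",
     "ObjectName": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default\logins.json",
     "ProcessName": r"C:\Windows\System32\svchost.exe"},
    # Not a credential file at all.
    {"EventID": 4663, "SubjectUserName": "alice",
     "ObjectName": r"C:\Users\alice\Documents\notes.txt",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # msiexec.exe is named on the page as an authorized executable.
    {"EventID": 4663, "SubjectUserName": "alice",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
     "ProcessName": r"C:\Windows\SysWOW64\msiexec.exe"},
]

# Only these two Security event IDs are file access events for this rule.
FILE_ACCESS_EVENT_IDS = {4656, 4663}

# Credential files named on the page. Matching on the file name rather than the
# full path covers any profile directory; Windows paths are case-insensitive.
CREDENTIAL_FILE_RE = re.compile(r"\\(Login Data|logins\.json)$", re.IGNORECASE)

# Assumed benign processes for this example: anything under the Windows system
# directories, msiexec.exe, and the browser executables that own the files.
BENIGN_PROCESS_RE = re.compile(
    r"^(C:\\Windows\\(System32|SysWOW64)\\.*"
    r"|.*\\msiexec\.exe"
    r"|.*\\(chrome|firefox)\.exe)$",
    re.IGNORECASE,
)

# Assumed benign subject types: machine accounts (trailing $) and SYSTEM.
BENIGN_USER_RE = re.compile(r"^(.*\$|SYSTEM)$", re.IGNORECASE)


def is_suspicious(event):
    """Return True when a single event matches the detection logic."""
    if event.get("EventID") not in FILE_ACCESS_EVENT_IDS:
        return False
    if not CREDENTIAL_FILE_RE.search(event.get("ObjectName", "")):
        return False
    if BENIGN_PROCESS_RE.match(event.get("ProcessName", "")):
        return False
    if BENIGN_USER_RE.match(event.get("SubjectUserName", "")):
        return False
    return True


def detect(events):
    """Apply the rule to a list of events and return the ones worth alerting on."""
    return [e for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['EventID']} {hit['SubjectUserName']} "
              f"{hit['ProcessName']} -> {hit['ObjectName']}")
```

Two of the six constructed events survive the filters: the unsigned-looking executables in the user's Temp and Downloads directories reading the Chrome and Firefox credential stores. Note that 4656 and 4663 are only generated when object access auditing is enabled and a SACL covering the credential files is in place; without that audit configuration the rule has no events to evaluate, so checking the audit policy is the first step when validating it.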
Categories
  • Windows
  • Endpoint
Data Sources
  • File
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1555.003
  • T1003
Created: 2024-02-09