
Summary
This detection rule identifies potential credential theft through the Internet Information Services (IIS) command-line utility, AppCmd. It is designed to catch AppCmd being invoked to list service account passwords, a method commonly used by attackers to gain unauthorized access to sensitive systems. The rule matches on the command-line arguments passed to AppCmd, in particular commands that include `list`, `/config`, and `/xml`, amongst others. If AppCmd is run with a command line that tries to access sensitive data such as passwords (`:\*` or `password`) and the predefined criteria are met, the rule triggers an alert. The detection uses process creation logs from Windows systems to monitor execution of the AppCmd utility, signaling a possible unauthorized action aimed at compromising account security.
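The following is an added example, not the rule's own source: a Python reconstruction of the matching logic described above, run over a handful of constructed process creation events. It assumes the process image is checked by its file name (`appcmd.exe`), that all matching is case-insensitive, that the three groups of command-line tokens are combined with AND (`list`, then one of `/config` or `/xml`, then one of the password indicators), and that the page's `:\*` is a markdown-escaped `:*`; both spellings are matched to be safe. The sample events, paths and command lines are constructed for the demonstration.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal shape of a Windows process creation event (Image + CommandLine)."""
    image: str
    command_line: str


# Token groups reconstructed from the rule description (assumption: combined with AND).
LIST_TOKENS = ("list",)
CONFIG_TOKENS = ("/config", "/xml")
# The page writes the wildcard token as ':\*'; ':*' is included in case that was a markdown escape.
SECRET_TOKENS = (":*", ":\\*", "password")

# Assumption: the rule keys on the image file name rather than a full path.
TARGET_IMAGE = "appcmd.exe"


def _contains_any(haystack: str, tokens) -> bool:
    return any(token in haystack for token in tokens)


def is_appcmd_password_listing(event: ProcessEvent) -> bool:
    """Return True when an event matches the reconstructed rule logic."""
    # ntpath handles Windows backslash paths regardless of the host OS.
    image_name = ntpath.basename(event.image).lower()
    if image_name != TARGET_IMAGE:
        return False
    cmd = event.command_line.lower()
    return (
        _contains_any(cmd, LIST_TOKENS)
        and _contains_any(cmd, CONFIG_TOKENS)
        and _contains_any(cmd, SECRET_TOKENS)
    )


def find_alerts(events):
    """Filter a stream of process creation events down to those that should alert."""
    return [event for event in events if is_appcmd_password_listing(event)]


# Constructed sample events: two benign AppCmd uses, one that meets all three
# token groups, and one with matching arguments but the wrong process image.
INETSRV = r"C:\Windows\System32\inetsrv\appcmd.exe"
SAMPLE_EVENTS = [
    ProcessEvent(INETSRV, 'appcmd.exe list site'),
    ProcessEvent(INETSRV, 'appcmd.exe list apppool /config /xml'),
    ProcessEvent(INETSRV, 'APPCMD.EXE list apppool /config:* /xml'),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", 'notepad.exe list /config password'),
]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {hit.image} :: {hit.command_line}")
```

The second sample shows why the password-indicator group matters under this reconstruction: `list apppool /config /xml` alone does not fire, so if a deployment wants broader coverage of configuration dumps it would relax the third group rather than the first two. The uppercase image name in the third sample exercises the case-insensitive comparison.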
Categories
- Windows
Data Sources
- Process
Created: 2022-11-08