
Summary
This analytic rule detects execution of the Windows built-in tool cmdkey.exe, which manages stored usernames and passwords. The detection monitors process execution logs enriched with command-line arguments, specifically looking for invocations of cmdkey.exe that create credentials. This behavior is of interest because cmdkey.exe can be abused by malware and post-exploitation tools to obtain unauthorized access, facilitate privilege escalation, and maintain persistence on compromised systems. The detection should be implemented with data sourced directly from Endpoint Detection and Response (EDR) agents, including process GUIDs, process names, and the full command line of the executable. Accurate detection and response also depend on these logs being correctly mapped and ingested.
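The matching logic described above, written out as an added example that is not part of the original rule: it filters constructed sample EDR process events (field names such as process_guid, process_name, parent_process_name and command_line are assumptions, not a specific vendor schema) for cmdkey.exe invocations carrying the /add: or /generic: target switch together with /user: or /pass:, and redacts the /pass: value before the event is turned into a finding so that a stored password never lands in the alert payload.

```python
import re

# Constructed sample EDR process events; none of this is real telemetry.
# The field names are assumptions about an EDR schema, not a vendor format.
SAMPLE_EVENTS = [
    {"process_guid": "{guid-0001}", "process_name": "cmdkey.exe",
     "parent_process_name": "cmd.exe",
     "command_line": "cmdkey /add:fileserver01 /user:CORP\\svc_backup /pass:P@ssw0rd"},
    {"process_guid": "{guid-0002}", "process_name": "cmdkey.exe",
     "parent_process_name": "powershell.exe",
     "command_line": "cmdkey /generic:TERMSRV/10.0.0.5 /user:admin /pass:Secret1"},
    {"process_guid": "{guid-0003}", "process_name": "cmdkey.exe",
     "parent_process_name": "cmd.exe",
     "command_line": "cmdkey /list"},
    {"process_guid": "{guid-0004}", "process_name": "notepad.exe",
     "parent_process_name": "explorer.exe",
     "command_line": "notepad.exe C:\\Users\\a\\notes.txt"},
]

# cmdkey creates a stored credential with /add:<target> or /generic:<target>,
# accompanied by /user:<name> and usually /pass:<password>. Switches are
# case-insensitive and may appear in any order, so each is matched separately.
CREATE_SWITCH = re.compile(r"(?i)(?:^|\s)/(?:add|generic):")
CRED_SWITCH = re.compile(r"(?i)(?:^|\s)/(?:user|pass)(?::|\s|$)")
PASS_VALUE = re.compile(r"(?i)(/pass:)\S*")


def _image_name(process_name: str) -> str:
    """Return the bare image name, tolerating a full path in the field."""
    return process_name.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_cmdkey_credential_add(event: dict) -> bool:
    """True when the event is cmdkey.exe creating a stored credential."""
    if _image_name(event.get("process_name", "")) != "cmdkey.exe":
        return False
    cmd = event.get("command_line", "")
    return bool(CREATE_SWITCH.search(cmd) and CRED_SWITCH.search(cmd))


def redact_password(command_line: str) -> str:
    """Mask the /pass: value so the alert never carries the stored secret."""
    return PASS_VALUE.sub(r"\g<1><redacted>", command_line)


def detect_credential_adds(events: list) -> list:
    """Run the rule over a batch of process events and return findings."""
    findings = []
    for event in events:
        if is_cmdkey_credential_add(event):
            findings.append({
                "process_guid": event.get("process_guid"),
                "parent_process_name": event.get("parent_process_name"),
                "command_line": redact_password(event.get("command_line", "")),
                "technique": "T1555",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_credential_adds(SAMPLE_EVENTS):
        print(finding)
```

The `cmdkey /list` event is intentionally left out of the findings: enumeration is common administrative activity, and the rule's stated scope is credential creation. Carrying the parent process name into the finding gives the analyst the first triage signal (an interactive shell under a user session versus a scripted host), and the /pass: redaction keeps the alert itself from becoming a second copy of the credential.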
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1555
Created: 2024-12-10