
Summary
This detection rule targets enumeration of credentials stored in the Windows Credential Manager (the credential vault) through PowerShell. Adversaries use the built-in vaultcmd.exe utility, for example 'vaultcmd /listcreds:"Windows Credentials" /all' or 'vaultcmd /listcreds:"Web Credentials" /all', to list saved logon and browser credentials (ATT&CK T1555, Credentials from Password Stores). The rule inspects PowerShell script block text (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) for the credential retrieval command 'vaultcmd /listcreds' and for the vault names 'Windows Credentials' and 'Web Credentials'. Script block logging must be enabled for the rule to see anything, and because its data source is PowerShell logging, the same command run directly from cmd.exe or another process is outside this rule's coverage and needs a process creation rule instead. Matches warrant investigation, since harvested credentials enable lateral movement and further compromise; expect occasional benign hits from administrators or inventory scripts and baseline them accordingly.
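The following Python block is an added example of the detection logic described above run over constructed script block events; it is not the rule's own query and not code from the page's author. The event field names, the Python-side filtering to Event ID 4104, and treating the three indicators as alternatives (any one of them triggers) are assumptions; the sample events are constructed for this example. It also shows a gap a practitioner should know about: a literal 'vaultcmd /listcreds' indicator does not match the common 'vaultcmd.exe /listcreds' spelling, which the broader pattern at the end (an addition here, not part of the rule) covers.

```python
"""Added example: apply the rule's indicators to PowerShell script block (4104) events.

Events, field names and the any-indicator-matches logic are assumptions made
for this example; nothing here is the rule's own query or real log data.
"""
import re
from dataclasses import dataclass

# Indicators named in the rule summary. Matching is case-insensitive because
# PowerShell, vaultcmd and vault names are all case-insensitive.
INDICATORS = ("vaultcmd /listcreds", "Windows Credentials", "Web Credentials")
_PATTERN = re.compile("|".join(re.escape(i) for i in INDICATORS), re.IGNORECASE)

# Assumption for this example: a literal indicator misses "vaultcmd.exe /listcreds",
# so a broader pattern is provided to close that gap. It is not part of the rule.
_VAULTCMD_BROAD = re.compile(r"vaultcmd(?:\.exe)?\s+/listcreds", re.IGNORECASE)

PS_OPERATIONAL = "Microsoft-Windows-PowerShell/Operational"


@dataclass
class ScriptBlockEvent:
    """Minimal shape of a script block logging record (constructed, not a real schema)."""
    record_id: int
    event_id: int          # 4104 = "Creating Scriptblock text"
    channel: str
    script_block_text: str


def matched_indicators(text: str) -> list[str]:
    """Return the rule's indicators present in one script block, in order of
    first appearance, deduplicated, using the canonical spelling from INDICATORS."""
    hits: list[str] = []
    for m in _PATTERN.finditer(text):
        canon = next(i for i in INDICATORS if i.lower() == m.group(0).lower())
        if canon not in hits:
            hits.append(canon)
    return hits


def vaultcmd_invoked(text: str) -> bool:
    """Broader check that also catches 'vaultcmd.exe /listcreds' (added here)."""
    return _VAULTCMD_BROAD.search(text) is not None


def detect(events: list[ScriptBlockEvent]) -> list[tuple[int, list[str]]]:
    """Apply the rule: only 4104 events from the PowerShell operational channel are
    eligible (script block logging must be on for these to exist at all); an event
    alerts if its script block contains any indicator."""
    alerts = []
    for ev in events:
        if ev.event_id != 4104 or ev.channel != PS_OPERATIONAL:
            continue   # e.g. a 4688 process creation event is not script block text
        hits = matched_indicators(ev.script_block_text)
        if hits:
            alerts.append((ev.record_id, hits))
    return alerts


# Constructed sample events: two malicious PowerShell script blocks, one benign
# script block, and the same vaultcmd command seen only as a process creation event.
SAMPLE_EVENTS = [
    ScriptBlockEvent(1, 4104, PS_OPERATIONAL,
                     'vaultcmd /listcreds:"Windows Credentials" /all'),
    # Matches only on the vault name; the ".exe" spelling evades the literal indicator.
    ScriptBlockEvent(2, 4104, PS_OPERATIONAL,
                     '$v = VaultCmd.exe /listcreds:"Web Credentials"; '
                     '$v | Out-File C:\\Users\\Public\\creds.txt'),
    ScriptBlockEvent(3, 4104, PS_OPERATIONAL,
                     'Get-ChildItem C:\\Windows\\Temp | Remove-Item -Force'),
    # Run from cmd.exe: logged as Security 4688, never as 4104, so this rule cannot see it.
    ScriptBlockEvent(4, 4688, "Security",
                     'vaultcmd /listcreds:"Windows Credentials"'),
]

if __name__ == "__main__":
    for record_id, hits in detect(SAMPLE_EVENTS):
        print(f"record {record_id}: matched {hits}")
```

Running the block alerts on records 1 and 2 only: record 2 is caught by the 'Web Credentials' vault name even though its 'VaultCmd.exe' spelling slips past the literal command indicator, and record 4 never reaches the rule because it is not script block text. Keeping the vault names as separate indicators is therefore what gives the rule its resilience; the broader vaultcmd pattern shows how a detection engineer would tighten the command indicator itself.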
Categories
- Windows
- Endpoint
Data Sources
- Script
- Logon Session
ATT&CK Techniques
- T1555
Created: 2021-12-20