
Summary
This detection rule identifies potential credential dumping from web browsers, focusing on behaviors typical of the Remcos RAT malware. It monitors the command-line parameters of processes associated with known credential dumping tools, using data obtained from Endpoint Detection and Response (EDR) systems. The detection relies on Sysmon EventID 1 and Windows Security Event Log 4688 to capture process execution data. When such command-line parameters are observed together with suspicious file paths, the rule signals possible unauthorized access to web credentials, a significant threat in cyber espionage. Effective detection requires that command-line execution logs are ingested accurately and completely.
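The following is an added example of the detection logic described above, not the rule's own search or any code from the project. It normalizes constructed Sysmon EventID 1 and Security 4688 records onto one shape and flags a process only when a credential-dumping command-line indicator appears together with execution from a suspicious directory. The indicator strings (`--dump-browser-creds`, `/browserpasswords`) and the suspicious-directory list are placeholders standing in for the rule's real lists, which this page does not reproduce.

```python
from typing import Optional

# Placeholder command-line indicators (constructed for this example; the
# rule's actual parameter list is not shown on the page).
CREDENTIAL_DUMP_ARGS = ("--dump-browser-creds", "/browserpasswords")

# Directories treated as suspicious execution locations (assumption for this
# example, chosen because user-writable drop locations are common in RAT cases).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample events shaped like Sysmon EventID 1 and Security 4688.
SAMPLE_EVENTS = [
    {"Provider": "Sysmon", "EventID": 1, "UtcTime": "2024-11-13 10:02:11",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svchost32.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\svchost32.exe" --dump-browser-creds',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\alice"},
    # Same indicator, but run from a vendor install path: path condition fails.
    {"Provider": "Security", "EventID": 4688, "TimeCreated": "2024-11-13T10:03:40Z",
     "NewProcessName": r"C:\Program Files\ExampleVendor\tool.exe",
     "CommandLine": r'"C:\Program Files\ExampleVendor\tool.exe" --dump-browser-creds',
     "SubjectUserName": "svc_backup"},
    # Suspicious path, but an ordinary silent-install switch: indicator fails.
    {"Provider": "Sysmon", "EventID": 1, "UtcTime": "2024-11-13 10:05:02",
     "Image": r"C:\Users\alice\AppData\Local\Temp\installer.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\installer.exe" /S',
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\alice"},
]


def normalize_event(event: dict) -> Optional[dict]:
    """Map a Sysmon EventID 1 or Security 4688 record onto common field names.

    Returns None for any other event type so callers can skip it.
    """
    if event.get("Provider") == "Sysmon" and event.get("EventID") == 1:
        return {"provider": "Sysmon", "time": event.get("UtcTime", ""),
                "image": event.get("Image", ""),
                "cmdline": event.get("CommandLine", ""),
                "user": event.get("User", "")}
    if event.get("Provider") == "Security" and event.get("EventID") == 4688:
        return {"provider": "Security", "time": event.get("TimeCreated", ""),
                "image": event.get("NewProcessName", ""),
                "cmdline": event.get("CommandLine", ""),
                "user": event.get("SubjectUserName", "")}
    return None


def is_suspicious(norm: dict) -> bool:
    """Both conditions must hold: dumping indicator AND suspicious image path."""
    cmd = norm["cmdline"].lower()
    image = norm["image"].lower()
    has_indicator = any(arg in cmd for arg in CREDENTIAL_DUMP_ARGS)
    in_suspicious_dir = any(d in image for d in SUSPICIOUS_DIRS)
    return has_indicator and in_suspicious_dir


def detect(events) -> list:
    """Run the two-condition check over a stream of raw events; return hits."""
    hits = []
    for raw in events:
        norm = normalize_event(raw)
        if norm is not None and is_suspicious(norm):
            hits.append(norm)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit['provider']}] {hit['time']} {hit['user']}: {hit['cmdline']}")
```

Security 4688 only carries the command line when the audit policy "Include command line in process creation events" is enabled; without it the `CommandLine` field is empty and the indicator condition can never match, which is the ingestion requirement the summary refers to.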
Categories
- Endpoint
Data Sources
- Windows Registry
- Script
- Process
ATT&CK Techniques
- T1555.003
- T1555
Created: 2024-11-13