
Summary
This detection rule identifies attempts by adversaries to retrieve stored web browser credentials on Windows endpoints. Browsers save usernames and passwords for convenience, encrypted at rest in a form that the logged-on user's context can decrypt, so an adversary running as that user, or one who copies the store files off the host together with the key material, can recover the credentials in plaintext. The rule keys on Windows file-access audit events (Security EventCode 4663), which record attempts to read or copy the credential-store files of Chrome, Firefox, Opera, and Edge, and matches the accessed object paths against regex patterns for those stores' known locations. Because 4663 events are only generated when object-access auditing is enabled and a SACL is set on the files in question, that auditing configuration is a prerequisite for the rule to fire. Alerts from this rule indicate an adversary harvesting credentials to expand access on the compromised system, and they warrant priority when the affected user is a privileged account. Notable threat actors associated with this technique include Earth Estries and Scattered Spider, and several atomic tests exercise this behavior.
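The matching described above, as an added example that is not the rule's own SPL: it runs the path-matching logic over constructed EventCode 4663 records. The browser process allowlist (a browser legitimately reads its own store) is an assumption added here, as are the sample events and field names.

```python
"""Added example: match Windows file-access audit events against browser
credential-store paths. Constructed sample events, not the page's rule."""
import re
from dataclasses import dataclass

# Credential-store locations for the browsers the rule covers. The profile
# directory varies ("Default", "Profile 2", a Firefox profile name such as
# "k3x9z2ab.default-release"), so it is matched loosely. No end anchor, so
# "Login Data-journal" and "Login Data For Account" also match.
BROWSER_STORE_RE = re.compile(
    r"\\AppData\\("
    r"Local\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Login Data"
    r"|Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)"
    r"|Roaming\\Opera Software\\[^\\]+\\Login Data"
    r")",
    re.IGNORECASE,
)

# Browsers read their own stores constantly; alerting only on other processes
# keeps the volume manageable. This allowlist is an assumption of this example.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe"}


@dataclass
class FileAccessEvent:
    event_code: int     # Windows Security log EventCode
    host: str
    user: str
    process_name: str   # full path of the accessing process
    object_name: str    # full path of the file that was accessed


def is_browser_credential_store(path: str) -> bool:
    """True when the path is a known browser password/key store."""
    return BROWSER_STORE_RE.search(path) is not None


def process_basename(process_path: str) -> str:
    return process_path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return events where a non-browser process accessed a credential store.

    Only EventCode 4663 (an access attempt on an object) is considered; 4656
    merely records that a handle was requested, so it is skipped here.
    """
    hits = []
    for ev in events:
        if ev.event_code != 4663:
            continue
        if not is_browser_credential_store(ev.object_name):
            continue
        if process_basename(ev.process_name) in BROWSER_PROCESSES:
            continue
        hits.append(ev)
    return hits


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    FileAccessEvent(4663, "WS01", "alice", r"C:\Users\alice\AppData\Local\Temp\update.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileAccessEvent(4663, "WS01", "alice", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileAccessEvent(4663, "WS01", "alice", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9z2ab.default-release\logins.json"),
    FileAccessEvent(4663, "WS01", "alice", r"C:\Windows\System32\notepad.exe",
                    r"C:\Users\alice\Documents\notes.txt"),
    FileAccessEvent(4656, "WS02", "bob", r"C:\Windows\System32\rundll32.exe",
                    r"C:\Users\bob\AppData\Local\Microsoft\Edge\User Data\Profile 2\Login Data"),
    FileAccessEvent(4663, "WS02", "bob", r"C:\Windows\System32\cmd.exe",
                    r"C:\Users\bob\AppData\Roaming\Opera Software\Opera Stable\Login Data"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit.host} {hit.user} {process_basename(hit.process_name)} -> {hit.object_name}")
```

Running the sample flags update.exe, powershell.exe, and cmd.exe and ignores chrome.exe reading its own store. None of this produces 4663 events on a real host unless object-access auditing is enabled and the store files carry a SACL; verify that before relying on the rule.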
Categories
- Windows
- Endpoint
Data Sources
- File
- Process
- Logon Session
ATT&CK Techniques
- T1555.003
Created: 2024-02-09