
Summary
This analytic rule detects execution of the Windows command-line utility cmdkey.exe with an argument that lists stored credentials (a command line matching '*list*'). Cmdkey.exe manages the usernames and passwords saved in Windows Credential Manager, and post-exploitation tooling, particularly in ransomware engagements, runs it to enumerate which accounts and target systems have credentials cached on a host. The detection uses process execution events collected from Endpoint Detection and Response (EDR) agents. Listing saved credentials is an early credential-access step: it tells an attacker where stored credentials can be reused, which can lead to unauthorized access, privilege escalation, and persistent access in the compromised environment. Note that cmdkey /list prints target names and usernames rather than the secrets themselves, and administrators also run it legitimately, so matches should be reviewed against the user, host, and parent-process context. Monitoring and alerting on this behavior lets organizations identify an intrusion early and respond before stored credentials are abused.
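The detection logic described above, run over a handful of constructed process-execution events, as an added example that is not part of the original rule. The field names (process_path, original_file_name, command_line, dest, user) are an assumption modelled on Sysmon Event ID 1 and CIM-style process data; adapt them to your EDR's schema. The example goes slightly beyond the rule's '*list*' match in two ways: it also identifies cmdkey.exe by its PE OriginalFileName, so a renamed copy of the binary still fires, and it offers a stricter switch-level pattern that avoids false positives from target names that merely contain "list".

```python
import re
from pathlib import PureWindowsPath

# Constructed sample EDR process-execution events (not real telemetry).
# Field names are an assumption in the style of Sysmon Event ID 1 / CIM.
SAMPLE_EVENTS = [
    # 1: plain listing from an interactive shell -> should fire
    {"dest": "ws01", "user": "CORP\\alice",
     "process_path": r"C:\Windows\System32\cmdkey.exe",
     "original_file_name": "Cmdkey.exe",
     "command_line": "cmdkey /list"},
    # 2: enumerating saved RDP credentials, upper-case switch -> should fire
    {"dest": "ws02", "user": "CORP\\bob",
     "process_path": r"C:\Windows\System32\cmdkey.exe",
     "original_file_name": "Cmdkey.exe",
     "command_line": "cmdkey.exe /LIST:TERMSRV/*"},
    # 3: renamed copy of cmdkey.exe; only OriginalFileName gives it away -> should fire
    {"dest": "srv03", "user": "CORP\\svc_backup",
     "process_path": r"C:\Users\Public\ck.exe",
     "original_file_name": "Cmdkey.exe",
     "command_line": "ck.exe /list"},
    # 4: adding a credential whose target name contains "list"
    #    -> loose '*list*' match fires, strict switch match does not
    {"dest": "srv04", "user": "CORP\\admin",
     "process_path": r"C:\Windows\System32\cmdkey.exe",
     "original_file_name": "Cmdkey.exe",
     "command_line": "cmdkey /add:filelist01 /user:CORP\\admin /pass:Secret!"},
    # 5: unrelated binary with "list" in its command line -> must not fire
    {"dest": "ws05", "user": "CORP\\carol",
     "process_path": r"C:\Windows\System32\notepad.exe",
     "original_file_name": "NOTEPAD.EXE",
     "command_line": r"notepad.exe C:\temp\list.txt"},
]

# Loose pattern: the rule's '*list*' wildcard, anywhere in the command line.
LOOSE_LIST = re.compile(r"list", re.IGNORECASE)
# Strict pattern: an actual /list or -list switch, optionally followed by ':target'.
STRICT_LIST = re.compile(r"(?:^|\s)[/-]list(?::|\s|$)", re.IGNORECASE)


def _image_name(path):
    """Basename of a Windows path, lower-cased; works on non-Windows hosts too."""
    return PureWindowsPath(path).name.lower()


def is_cmdkey_binary(event):
    """True if the image is cmdkey.exe by path or by PE OriginalFileName.

    Checking OriginalFileName catches copies of the binary that were renamed
    to evade a plain process-name match.
    """
    if _image_name(event.get("process_path", "")) == "cmdkey.exe":
        return True
    return event.get("original_file_name", "").lower() == "cmdkey.exe"


def is_credential_listing(event, strict=False):
    """True if cmdkey.exe ran with a credential-listing argument."""
    pattern = STRICT_LIST if strict else LOOSE_LIST
    return is_cmdkey_binary(event) and pattern.search(event.get("command_line", "")) is not None


def find_credential_listing(events, strict=False):
    """Return the events that match the detection, preserving input order."""
    return [e for e in events if is_credential_listing(e, strict=strict)]


if __name__ == "__main__":
    for hit in find_credential_listing(SAMPLE_EVENTS):
        print(f"{hit['dest']}\t{hit['user']}\t{hit['command_line']}")
```

Event 4 is the reason to consider the strict pattern: a `/add:` whose target name contains "list" is a credential being stored, not listed, and would be noise under the wildcard match. Either way, a hit should be triaged on the user, host and parent process, since administrators run cmdkey /list legitimately.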
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1555
Created: 2024-11-13