diff --git a/rules/credential_access_credential_access_from_backups_via_rundll32.yml b/rules/credential_access_credential_access_from_backups_via_rundll32.yml
deleted file mode 100644
index fffaf2a42..000000000
--- a/rules/credential_access_credential_access_from_backups_via_rundll32.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-name: Credentials access from backups via Rundll32
-id: ff43852c-486c-4870-a318-ce976d2231a5
-version: 1.0.4
-description: |
- Detects an attempt to obtain credentials from credential backups.
-labels:
- tactic.id: TA0006
- tactic.name: Credential Access
- tactic.ref: https://attack.mitre.org/tactics/TA0006/
- technique.id: T1555
- technique.name: Credentials from Password Stores
- technique.ref: https://attack.mitre.org/techniques/T1555/
- subtechnique.id: T1555.004
- subtechnique.name: Windows Credential Manager
- subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
-
-condition: >
- spawn_process and
- (ps.name ~= 'rundll32.exe' or ps.pe.file.name ~= 'rundll32.exe') and
- (ps.args iin ('keymgr.dll') and ps.args iin ('KRShowKeyMgr'))
-
-min-engine-version: 3.0.0
diff --git a/rules/credential_access_credential_discovery_via_vaultcmd.yml b/rules/credential_access_credential_discovery_via_vaultcmd.yml
deleted file mode 100644
index 11a08213a..000000000
--- a/rules/credential_access_credential_discovery_via_vaultcmd.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: Credential discovery via VaultCmd tool
-id: 2ce607d3-5a14-4628-be8a-22bcde97dab5
-version: 1.1.4
-description: |
- Detects the usage of the VaultCmd tool to list Windows Credentials. VaultCmd creates,
- displays and deletes stored credentials. An adversary may abuse this to list or dump
- credentials stored in the Credential Manager.
-labels:
- tactic.id: TA0006
- tactic.name: Credential Access
- tactic.ref: https://attack.mitre.org/tactics/TA0006/
- technique.id: T1555
- technique.name: Credentials from Password Stores
- technique.ref: https://attack.mitre.org/techniques/T1555/
- subtechnique.id: T1555.004
- subtechnique.name: Windows Credential Manager
- subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
-
-condition: >
- spawn_process and
- (ps.name ~= 'VaultCmd.exe' or ps.pe.file.name ~= 'vaultcmd.exe') and
- ps.cmdline imatches '*/list*'
-
-severity: medium
-
-min-engine-version: 3.0.0
diff --git a/rules/credential_access_credential_manager_access_via_known_tools.yml b/rules/credential_access_credential_manager_access_via_known_tools.yml
new file mode 100644
index 000000000..b0e8ff59d
--- /dev/null
+++ b/rules/credential_access_credential_manager_access_via_known_tools.yml
@@ -0,0 +1,29 @@
+name: Credential Manager access via known tools
+id: 5b4130f8-bc73-4890-b5f6-b03cddc75a52
+version: 1.0.0
+description: |
+ Detects access to the Windows Credential Manager using built-in
+ utilities such as vaultcmd.exe, cmdkey.exe, rundll32.exe, and
+ control.exe. Adversaries can abuse these native tools to enumerate
+ or interact with stored credentials.
+labels:
+ tactic.id: TA0006
+ tactic.name: Credential Access
+ tactic.ref: https://attack.mitre.org/tactics/TA0006/
+ technique.id: T1003
+ technique.name: OS Credential Dumping
+ technique.ref: https://attack.mitre.org/techniques/T1003/
+ subtechnique.id: T1003.002
+ subtechnique.name: Security Account Manager
+ subtechnique.ref: https://attack.mitre.org/techniques/T1003/002/
+
+condition: >
+ spawn_process and
+ ((ps.name ~= 'VaultCmd.exe' or ps.pe.file.name ~= 'vaultcmd.exe') and ps.cmdline imatches '*/list*') or
+ ((ps.name ~= 'rundll32.exe' or ps.pe.file.name ~= 'rundll32.exe') and ps.cmdline imatches '*keymgr.dll*KRShowKeyMgr*') or
+ ((ps.name ~= 'cmdkey.exe' or ps.pe.file.name ~= 'cmdkey.exe') and ps.cmdline imatches '*/list*') or
+ ((ps.name ~= 'control.exe' or ps.pe.file.name ~= 'control.exe') and ps.cmdline imatches '*keymgr.dll*')
+
+severity: medium
+
+min-engine-version: 3.0.0
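Review bot: The new `condition` appears to apply `spawn_process` only to the first of the four alternatives: if `and` binds tighter than `or` in the rule grammar, as it does in most expression languages, the expression reads as `(spawn_process and vaultcmd-clause) or rundll32-clause or cmdkey-clause or control-clause`, so the last three clauses would fire on any event that exposes `ps.cmdline`, not only on process creation. Group the alternatives explicitly by changing the first line to `spawn_process and (` and adding a closing `)` after the `control.exe` clause. Separately, the labels tag this rule with `T1003.002` (Security Account Manager), while the rule name, description, and the two rules this commit deletes all concern the Windows Credential Manager, which the deleted files mapped to `T1555` / `T1555.004`; unless the re-mapping is intentional, the new file should carry the same technique and subtechnique labels as the rules it replaces.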