
Transferring Files with Credential Data via Network Shares - Zeek

Summary
This detection rule monitors file transfers over SMB network shares for well-known filenames associated with credential data, such as lsass (memory dumps of the LSASS process), ntds.dit (the Active Directory database) and sam (the local account database hive). It runs on Zeek's smb_files log, which records file operations seen in SMB sessions together with the share and the file name, and flags records whose name contains one of these sensitive strings. Because Sigma string matching is case-insensitive and substring-based, the rule fires on any path containing the listed names; it cannot tell a copy of ntds.dit pulled by an attacker from a legitimate backup, so each match should be triaged against the source host, the destination share and the account behind the session. The rule gives early warning of credential dumping (for example an LSASS dump or a copied SAM hive being moved off a host over SMB) and of unauthorized access to files holding credential material. Note that Zeek only sees file names in SMB sessions that pass a monitored sensor and are not encrypted; SMB 3 encryption hides them from the analyzer.
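As an added example (not part of the Sigma rule or the Zeek project), the following Python script runs the detection logic described above over a constructed sample of Zeek's smb_files.log in JSON form (the output produced with LogAscii::use_json). The three patterns are the names this page lists; the backslash anchoring of each pattern, the Alert record type and every sample host, UID and path are assumptions made for this example.

```python
"""Credential-file transfer detection over Zeek smb_files.log (JSON lines).

Added example: not the Sigma rule's own code nor Zeek code. The patterns are the
names this page lists; anchoring them on a backslash is an assumption.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Filenames the page associates with credential data. The leading backslash ties each
# match to a path-component boundary, but substring matching still over-fires (see the
# "samples" record below).
CREDENTIAL_FILE_PATTERNS = ("\\lsass", "\\ntds.dit", "\\sam")

# Constructed Zeek smb_files.log records (JSON output); IPs, UIDs and paths are made up.
SAMPLE_SMB_FILES_LOG = r"""
{"ts":1585831201.12,"uid":"CkzR1t2PbPqv5ZqyJ9","id.orig_h":"10.0.0.23","id.orig_p":49812,"id.resp_h":"10.0.0.5","id.resp_p":445,"fuid":"FhQ8xH1iYa1zkH6qFc","action":"SMB::FILE_OPEN","path":"\\\\fs01\\C$","name":"Windows\\Temp\\lsass.dmp","size":61440000}
{"ts":1585831202.48,"uid":"CkzR1t2PbPqv5ZqyJ9","id.orig_h":"10.0.0.23","id.orig_p":49812,"id.resp_h":"10.0.0.5","id.resp_p":445,"fuid":"F2nQ7p3c1Xl0mA8vKd","action":"SMB::FILE_READ","path":"\\\\fs01\\C$","name":"Windows\\NTDS\\ntds.dit","size":268435456}
{"ts":1585831203.91,"uid":"CpU4d9Qn7KzLw2Vx1B","id.orig_h":"10.0.0.23","id.orig_p":49901,"id.resp_h":"10.0.0.7","id.resp_p":445,"fuid":"FzG5Yt8uR1oWq3EaLn","action":"SMB::FILE_OPEN","path":"\\\\ws07\\ADMIN$","name":"System32\\config\\SAM","size":65536}
{"ts":1585831210.05,"uid":"CrB2k7Lm9NpQs4Tx6Y","id.orig_h":"10.0.0.41","id.orig_p":50112,"id.resp_h":"10.0.0.5","id.resp_p":445,"fuid":"FdH3Wc6vJ8bNe1RtYo","action":"SMB::FILE_WRITE","path":"\\\\fs01\\Finance","name":"Q1\\report.xlsx","size":204800}
{"ts":1585831211.33,"uid":"CrB2k7Lm9NpQs4Tx6Y","id.orig_h":"10.0.0.41","id.orig_p":50112,"id.resp_h":"10.0.0.5","id.resp_p":445,"fuid":"FqL1Xz4mT7cKd9VbHs","action":"SMB::FILE_OPEN","path":"\\\\fs01\\Tools","name":"samples\\readme.txt","size":1024}
{"ts":1585831212.60,"uid":"CtN8v3Hq2DzFy5Wm0K","id.orig_h":"10.0.0.41","id.orig_p":50113,"id.resp_h":"10.0.0.5","id.resp_p":445,"fuid":"FmP6Rj2sA9kUe4ZcQw","action":"SMB::FILE_OPEN","path":"\\\\fs01\\Tools"}
"""


@dataclass(frozen=True)
class Alert:
    uid: str        # Zeek connection UID, for pivoting to conn.log / smb_mapping.log
    orig_h: str     # client that touched the file
    resp_h: str     # server hosting the share
    action: str
    share: str
    name: str
    matched: str    # which pattern fired


def match_credential_file(name: str) -> str | None:
    """Return the first sensitive pattern found in a file name, or None.

    The name is lower-cased (Sigma matching is case-insensitive) and prefixed with a
    backslash so a file at the share root ("lsass.dmp") still hits "\\lsass".
    """
    haystack = "\\" + name.lower()
    for pattern in CREDENTIAL_FILE_PATTERNS:
        if pattern in haystack:
            return pattern
    return None


def parse_smb_files_json(text: str) -> list[dict]:
    """Parse Zeek JSON log lines; blank lines and '#' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        records.append(json.loads(line))
    return records


def detect(records: list[dict]) -> list[Alert]:
    """Apply the rule: alert on every record whose name contains a sensitive pattern."""
    alerts = []
    for rec in records:
        name = rec.get("name")  # Zeek omits unset fields from JSON output
        if not name:
            continue
        pattern = match_credential_file(name)
        if pattern is None:
            continue
        alerts.append(Alert(
            uid=rec["uid"],
            orig_h=rec["id.orig_h"],
            resp_h=rec["id.resp_h"],
            action=rec.get("action", "-"),
            share=rec.get("path", "-"),
            name=name,
            matched=pattern,
        ))
    return alerts


def run_sample() -> list[Alert]:
    """Run the detection over the constructed sample log."""
    return detect(parse_smb_files_json(SAMPLE_SMB_FILES_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.orig_h} -> {a.resp_h} {a.share}\\{a.name} ({a.action}) "
              f"matched {a.matched} uid={a.uid}")
```

Run against the sample, the script raises four alerts: the LSASS dump, the ntds.dit read, the SAM hive open (matched case-insensitively) and Tools\samples\readme.txt, which is the false positive that substring matching on a name as short as "sam" produces; the record with no name field is skipped rather than crashing the loop. To use it on a real sensor, feed the contents of smb_files.log to parse_smb_files_json and pivot from the uid of each alert into conn.log and smb_mapping.log to recover the session and the share mapping before deciding whether the transfer was legitimate.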
Categories
  • Network
  • Windows
Data Sources
  • Network Share
  • File
  • Logon Session
Created: 2020-04-02