
Summary
This detection rule identifies attempts by SafetyKatz, a well-known credential dumping tool, to create its default dump file, `debug.bin`, in the `C:\Temp\` directory. The rule monitors file events whose target path ends with `\Temp\debug.bin`. The presence of this file indicates that SafetyKatz has been used, which is high risk because the tool extracts credentials and other sensitive material from the Windows Local Security Authority Subsystem Service (LSASS) process. The detection lets incident response teams promptly investigate potential credential theft and act against advanced persistent threats (APTs) or malicious insiders who may be using the tool.
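As an added illustration (not part of the original rule), the following applies the rule's path condition to a handful of constructed file-creation events in the shape of Sysmon Event ID 11 records. Field names (`EventID`, `Image`, `TargetFilename`) follow Sysmon; the hosts, processes and paths are made up. Because the rule keys on the suffix `\Temp\debug.bin`, it also fires for other `Temp` directories and for mixed-case paths, while a directory that merely ends in "Temp" (such as `MyTemp`) is not matched.

```python
"""Added example, not from the original rule page: evaluate the SafetyKatz
default-dump-file condition against constructed Sysmon FileCreate events."""

# Rule condition from the page: TargetFilename ends with '\Temp\debug.bin'.
# Windows paths are case-insensitive, so comparison is done in lower case.
SUFFIX = "\\temp\\debug.bin"


def matches_rule(target_filename: str) -> bool:
    """True when a created file path matches SafetyKatz's default dump location."""
    return target_filename.lower().endswith(SUFFIX)


def scan_events(events):
    """Return (Image, TargetFilename) for every FileCreate event that hits the rule.

    Only Sysmon Event ID 11 (FileCreate) records carry TargetFilename, so
    other event types are skipped rather than treated as misses.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        if matches_rule(ev["TargetFilename"]):
            hits.append((ev["Image"], ev["TargetFilename"]))
    return hits


# Constructed sample telemetry (hypothetical paths and processes).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Users\\alice\\Downloads\\SafetyKatz.exe",
     "TargetFilename": "C:\\Temp\\debug.bin"},              # default location: hit
    {"EventID": 11, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\sk.exe",
     "TargetFilename": "C:\\Windows\\Temp\\DEBUG.BIN"},     # other Temp dir, mixed case: hit
    {"EventID": 11, "Image": "C:\\Program Files\\App\\app.exe",
     "TargetFilename": "C:\\Temp\\debug.log"},              # different file name: miss
    {"EventID": 11, "Image": "C:\\Program Files\\App\\app.exe",
     "TargetFilename": "C:\\MyTemp\\debug.bin"},            # no '\Temp\' component: miss
    {"EventID": 1, "Image": "C:\\Temp\\debug.bin"},         # ProcessCreate, not a file event
]

if __name__ == "__main__":
    for image, path in scan_events(SAMPLE_EVENTS):
        print(f"ALERT SafetyKatz default dump file created: {path} by {image}")
```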
Categories
- Windows
- Endpoint
Data Sources
- File
Created: 2018-07-24