
Summary
This detection rule identifies potentially malicious copy operations against two sensitive files in Windows environments: the Active Directory domain database (ntds.dit) on domain controllers and the Security Account Manager (SAM) hive on every Windows host. Both files hold hashed credentials, for domain accounts and local accounts respectively, and are the usual targets of offline credential dumping. Both are also held open by the operating system while Windows is running, so a copy normally goes through a Volume Shadow Copy, which is why shadow-copy paths and esentutl.exe's VSS option recur in this activity; the hashes are additionally encrypted with the boot key kept in the SYSTEM hive, so an attacker who copies ntds.dit or SAM usually copies SYSTEM alongside it. The detection works on process execution events: it looks for common copy vehicles such as cmd.exe, powershell.exe, xcopy.exe and esentutl.exe launched with arguments that indicate a copy or move and that reference one of these files. The rule queries events from multiple data sources, including Winlogbeat and Microsoft Defender for Endpoint, to widen coverage of these operations. Investigating an alert means reviewing the process metadata (the user and parent process, the full command line, the source and destination paths, and whether the activity matches a known backup or migration job) to judge whether the copy is legitimate, followed by containment and credential-reset steps if it is not, since a successful copy should be treated as exposure of every hash in the file.
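As an added illustration of the detection logic described above (example code written for this page, not the rule's own query), the following Python applies the same idea to a few constructed process-creation events: a known copy tool launched with a copy verb, or esentutl.exe launched with its database-copy switches, where an argument ends in ntds.dit or config\SAM. The exact verb list, the esentutl switches and the event field names are assumptions; the page does not list them.

```python
import ntpath
import re
import shlex

# Copy vehicles the rule summary names. esentutl.exe is handled separately
# because it copies a database with switches rather than a "copy" verb.
COPY_SHELLS = {"cmd.exe", "powershell.exe", "xcopy.exe"}
# Copy/move verbs to look for in the arguments (assumed list, not from the page).
COPY_VERBS = {"copy", "xcopy", "copy-item", "move", "move-item", "cp", "mv"}
# esentutl.exe switches used to copy a live ESE database, e.g. through VSS
# (assumed list, not from the page).
ESENTUTL_SWITCHES = {"/y", "/vss", "/d"}
# The two credential stores and the ATT&CK sub-technique each one maps to.
TARGETS = {
    re.compile(r"\\ntds\.dit$", re.IGNORECASE): "T1003.003",
    re.compile(r"\\config\\sam$", re.IGNORECASE): "T1003.002",
}


def tokenize(command_line):
    """Split a Windows command line on whitespace, keeping quoted spans
    together, then strip the quotes so a quoted PowerShell script body
    is still inspected word by word."""
    words = []
    for tok in shlex.split(command_line, posix=False):
        words.extend(tok.strip("\"'").split())
    return [w.lower() for w in words]


def classify(event):
    """Return the ATT&CK sub-technique the event indicates, or None.

    A renamed binary would evade the basename check; when the telemetry
    carries the PE OriginalFileName, match on that instead.
    """
    name = ntpath.basename(event["image"]).lower()
    words = tokenize(event["command_line"])
    technique = None
    for pattern, tech in TARGETS.items():
        if any(pattern.search(w) for w in words):
            technique = tech
    if technique is None:
        return None
    # For xcopy.exe the executable itself is the copy verb.
    verbs = {name.removesuffix(".exe")} | set(words)
    if name in COPY_SHELLS and verbs & COPY_VERBS:
        return technique
    if name == "esentutl.exe" and set(words) & ESENTUTL_SWITCHES:
        return technique
    return None


def scan(events):
    """Map event id -> technique for every event that matches."""
    hits = {}
    for event in events:
        tech = classify(event)
        if tech:
            hits[event["id"]] = tech
    return hits


# Constructed sample events for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit"},
    {"id": 2, "image": r"C:\Windows\System32\esentutl.exe",
     "command_line": r"esentutl.exe /y /vss C:\Windows\System32\config\SAM /d C:\temp\sam.save"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -NoP -c "Copy-Item C:\Windows\NTDS\ntds.dit C:\temp"'},
    {"id": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -c "Copy-Item C:\Users\alice\report.docx D:\backup"'},
    {"id": 5, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Windows\System32\config\SAM"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # events 1 and 3 -> T1003.003, event 2 -> T1003.002
```

Events 4 and 5 show the two ways an event falls through: a copy verb without a sensitive target, and a sensitive target opened by a process that is not a copy vehicle. Matching on the target file alone would fire on the second; matching on the verb alone would fire on every file copy on the host.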
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
- File
- Network Traffic
ATT&CK Techniques
- T1003.002
- T1003
- T1003.003
Created: 2020-11-24