
NTDS Exfiltration Filename Patterns

Summary
This rule detects the creation of files whose names match patterns left behind by tools that extract the NTDS.DIT Active Directory database (and the credential material inside it) from a domain controller. The filename patterns it looks for include '\All.cab' and '.ntds.cleartext'. These names are characteristic of known dumping and exfiltration tooling rather than of normal Windows or administrative activity, so a file-create event matching one of them is a strong indicator of credential theft in progress. The rule is fed by Windows file-create telemetry (for example Sysmon Event ID 11 or equivalent EDR file events) and raises an alert when a created path matches, giving security teams an early signal to investigate before the dumped hashes or cleartext passwords are used elsewhere.

Because the match is on the output filename only, the detection is cheap and precise but easy to evade: an attacker who renames the output file will not trigger it. Treat it as one layer alongside process-level detections for the dumping technique itself (ntdsutil or VSS-based copies of NTDS.DIT), and triage any hit by looking at the creating process, the user context, and whether the file was subsequently read or transferred.
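The matching logic of the rule, replayed over a handful of constructed file-create events, as an added example that is not part of the Sigma rule or of this page. It assumes a suffix match on the created path for both patterns (the page lists the patterns but not the Sigma modifier; check the rule's YAML for the exact operator) and uses a minimal `FileCreateEvent` record standing in for a Sysmon Event ID 11 entry; the sample events, paths and image names are constructed, not real telemetry.

```python
"""Replay the NTDS exfiltration filename patterns over constructed file-create events."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Patterns from the rule summary. Sigma string matching is case-insensitive,
# so everything is compared lower-cased. Suffix matching is an assumption made
# for this example; confirm the modifier against the rule's YAML.
NTDS_EXFIL_SUFFIXES = (
    r"\all.cab",
    ".ntds.cleartext",
)


@dataclass(frozen=True)
class FileCreateEvent:
    """Minimal shape of a Windows file-create event (e.g. Sysmon Event ID 11)."""
    utc_time: str
    image: str            # process that created the file
    target_filename: str  # full path of the created file


def matches_ntds_exfil_pattern(target_filename: str) -> bool:
    """True when the created path ends with one of the rule's filename patterns."""
    name = target_filename.lower()
    return any(name.endswith(suffix) for suffix in NTDS_EXFIL_SUFFIXES)


def find_hits(events: Iterable[FileCreateEvent]) -> list[FileCreateEvent]:
    """Return the events that would raise this rule, preserving input order."""
    return [e for e in events if matches_ntds_exfil_pattern(e.target_filename)]


# Constructed sample events (hypothetical paths and processes, not captured data).
SAMPLE_EVENTS = [
    # Benign: a Windows component writing an unrelated .cab file.
    FileCreateEvent("2022-03-11 10:01:02", r"C:\Windows\System32\svchost.exe",
                    r"C:\Windows\Temp\cab_1234\Layout.cab"),
    # Hit: an unknown binary dropping 'All.cab' in a temp directory.
    FileCreateEvent("2022-03-11 10:03:45", r"C:\Windows\Temp\t.exe",
                    r"C:\Windows\Temp\All.cab"),
    # Hit: case-insensitive match on the '.ntds.cleartext' suffix.
    FileCreateEvent("2022-03-11 10:05:00", r"C:\Python39\python.exe",
                    r"C:\Users\Public\dc01.NTDS.CLEARTEXT"),
    # Miss: the pattern appears mid-name, not as the suffix.
    FileCreateEvent("2022-03-11 10:06:10", r"C:\Windows\explorer.exe",
                    r"C:\Users\alice\Documents\all.cab.txt"),
    # Miss: the raw NTDS.DIT copy itself is out of scope for this rule;
    # that activity needs a separate, process-focused detection.
    FileCreateEvent("2022-03-11 10:07:30", r"C:\Windows\System32\ntdsutil.exe",
                    r"C:\temp\ifm\Active Directory\ntds.dit"),
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"[ALERT] {hit.utc_time} {hit.image} created {hit.target_filename}")
```

The two misses at the end are the point of the example: a renamed output file and the bare NTDS.DIT copy both pass this rule untouched, which is why a hit should be triaged by creating process and user context rather than treated as a complete picture of the intrusion.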
Categories
  • Windows
  • Endpoint
Data Sources
  • File
Created: 2022-03-11