
Summary
This detection rule monitors for unauthorized access to the critical Windows system files that make up the Security Account Manager (SAM) database, specifically the SAM, System and Security files located in C:\Windows\System32\config\. The rule is particularly relevant in the context of the HiveNightmare/SeriousSam vulnerability (CVE-2021-33757), which allows non-administrative users to read these sensitive files, which store user credentials. By tracking events with Event ID 4663, the rule captures accesses to these files, a technique used by threat actors such as Flax Typhoon, groups such as Lapsus$, and the Rhysida malware. It uses Splunk's search language to filter and retrieve the relevant records from both endpoint data logs and Windows event logs, giving comprehensive coverage of potential credential-dumping activity. The rule helps organizations detect and respond to insider threats and external attacks that exploit this vulnerability, providing vital intelligence to security teams.
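As an added illustration (not part of the rule page and not Splunk's own search), the Python below applies the rule's core condition to a few constructed 4663-style records: Event ID 4663 whose object path ends in Windows\System32\config\SAM, SYSTEM or SECURITY, matched regardless of the volume prefix (drive letter or \Device\... path), with an optional allowlist for process paths a team has baselined. The key=value field names (EventCode, Account_Name, Process_Name, Object_Name, Accesses) are an assumption about how the events are extracted.

```python
import re

# Hive files under Windows\System32\config that the rule watches; the path is
# matched by suffix so a drive-letter path and a \Device\... path both qualify.
HIVE_PATH = re.compile(r"\\windows\\system32\\config\\(sam|system|security)$", re.IGNORECASE)
FIELD = re.compile(r"(\w+)=(\S+)")  # key=value fields; constructed samples have no spaces in values

# Constructed sample records (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    "EventCode=4663 Account_Name=jdoe Process_Name=C:\\Users\\jdoe\\dump.exe Object_Name=C:\\Windows\\System32\\config\\SAM Accesses=ReadData",
    "EventCode=4663 Account_Name=jdoe Process_Name=C:\\Users\\jdoe\\dump.exe Object_Name=\\Device\\HarddiskVolume3\\Windows\\System32\\config\\SYSTEM Accesses=ReadData",
    "EventCode=4663 Account_Name=SYSTEM Process_Name=C:\\Windows\\System32\\lsass.exe Object_Name=C:\\Windows\\System32\\config\\SECURITY Accesses=ReadData",
    "EventCode=4663 Account_Name=jdoe Process_Name=C:\\Windows\\explorer.exe Object_Name=C:\\Users\\jdoe\\notes.txt Accesses=ReadData",
    "EventCode=4656 Account_Name=jdoe Process_Name=C:\\Users\\jdoe\\dump.exe Object_Name=C:\\Windows\\System32\\config\\SAM Accesses=ReadData",
]


def parse_event(line: str) -> dict:
    """Split one key=value record into a dict of field name to value."""
    return dict(FIELD.findall(line))


def is_hive_file(object_name: str) -> bool:
    """True for SAM/SYSTEM/SECURITY under System32\\config, ignoring the volume prefix."""
    return HIVE_PATH.search(object_name) is not None


def detect_hive_access(lines, allowed_processes=frozenset()):
    """Return the 4663 records that touch a hive file, minus allowlisted process paths.

    Only 4663 counts: 4656 is a handle request that may still be denied, while
    4663 records an access attempted through a handle that was actually granted.
    allowed_processes must hold lower-case full paths.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != "4663":
            continue
        if not is_hive_file(ev.get("Object_Name", "")):
            continue
        if ev.get("Process_Name", "").lower() in allowed_processes:
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    baseline = {r"c:\windows\system32\lsass.exe"}  # example tuning, not a recommendation
    for hit in detect_hive_access(SAMPLE_EVENTS, allowed_processes=baseline):
        print(f"{hit['Account_Name']} via {hit['Process_Name']} accessed {hit['Object_Name']}")
```

Event ID 4663 is only written when object-access auditing is enabled and the hive files carry a SACL that audits the relevant access, so confirm the audit policy on endpoints before relying on this rule for coverage.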
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- File
- Windows Registry
- Logon Session
ATT&CK Techniques
- T1003.002
Created: 2024-02-09