File Access Of Signal Desktop Sensitive Data

Sigma Rules

Summary
This detection rule monitors access to two sensitive files of Signal Desktop: 'db.sqlite' and 'config.json'. 'db.sqlite' holds all locally saved messages in encrypted form, while 'config.json' stores the key that decrypts them in plaintext; anyone who obtains both files can decrypt the messages without needing the user's credentials. The rule currently covers the default Signal Desktop installation paths under 'AppData\Roaming'; Signal Portable users may keep the data elsewhere, so additional path configuration may be required for them. Using Windows Event ID 4663, the rule detects file access attempts to these files, especially when initiated by 'signal-portable.exe' or 'signal.exe'. False positives are considered unlikely but may occur when antivirus or backup software accesses these files.
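To make the matching logic concrete, here is an added Python evaluator that applies the conditions described above to Event ID 4663 records and tags each hit with whether Signal's own binary or some other process (backup, antivirus, unknown) touched the file. It is example code, not the Sigma rule itself; the field names (EventID, ObjectName, ProcessName), the 'AppData\Roaming\Signal' directory layout, and the portable-install path are assumptions, and the sample events are constructed.

```python
from typing import Iterable

# Files the rule cares about: the encrypted message store and the plaintext key file.
SENSITIVE_FILES = ("db.sqlite", "config.json")
# Default Signal Desktop data directory under AppData\Roaming (assumed layout).
DEFAULT_PATH_MARKERS = ("\\appdata\\roaming\\signal\\",)
# Signal's own executables, as named in the rule summary.
SIGNAL_EXECUTABLES = ("signal.exe", "signal-portable.exe")

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify_event(event: dict, extra_path_markers: Iterable[str] = ()):
    """Return None for irrelevant events, else a triage label:
    'signal-client' (Signal's own binary) or 'other-process' (backup, AV, unknown)."""
    if str(event.get("EventID")) != "4663":          # only object-access events
        return None
    obj = str(event.get("ObjectName", "")).lower()
    if _basename(obj) not in SENSITIVE_FILES:
        return None
    # Portable installs live outside AppData\Roaming; analysts pass their roots here.
    markers = tuple(m.lower() for m in (*DEFAULT_PATH_MARKERS, *extra_path_markers))
    if not any(m in obj for m in markers):
        return None
    proc = _basename(str(event.get("ProcessName", "")))
    return "signal-client" if proc in SIGNAL_EXECUTABLES else "other-process"

def scan(events: Iterable[dict], extra_path_markers: Iterable[str] = ()):
    """Evaluate a batch of events; returns (ObjectName, label) for each hit."""
    hits = []
    for ev in events:
        label = classify_event(ev, extra_path_markers)
        if label:
            hits.append((ev["ObjectName"], label))
    return hits

# Constructed sample records (not real telemetry); the last one is a non-sensitive file.
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectName": r"C:\Users\alice\AppData\Roaming\Signal\config.json",
     "ProcessName": r"C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe"},
    {"EventID": 4663, "ObjectName": r"C:\Users\alice\AppData\Roaming\Signal\sql\db.sqlite",
     "ProcessName": r"C:\Program Files\ExampleBackup\backup.exe"},
    {"EventID": 4663, "ObjectName": r"D:\Portable\Signal\data\config.json",
     "ProcessName": r"D:\Portable\Signal\signal-portable.exe"},
    {"EventID": 4663, "ObjectName": r"C:\Users\alice\AppData\Roaming\Signal\logs\app.log",
     "ProcessName": r"C:\Program Files\ExampleBackup\backup.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` yields only the two AppData\Roaming hits; passing `extra_path_markers=("\\portable\\signal\\",)` adds the portable-install hit, which is the extra configuration the summary refers to.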
Categories
  • Windows
  • Endpoint
Data Sources
  • File
  • Process
Created: 2025-10-19