Possible Impacket SecretDump Remote Activity

Summary
This detection rule monitors for credential dumping in Active Directory environments carried out with the Impacket SecretDump tool. It looks for the events generated when an attacker accesses sensitive files over file shares on Windows systems: Event ID 5145, which logs failed or successful access checks against shared objects, filtered to accesses of the administrative share ADMIN$ that target files with the .tmp extension in the SYSTEM32 directory. This pattern indicates a potential credential dumping scenario in which an attacker extracts sensitive data in order to gain unauthorized access to accounts. The rule helps track and identify attacks that use the credential access techniques catalogued in MITRE ATT&CK (the T1003 family).
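To make the matching conditions concrete, the following is an added Python illustration (not the rule's own Sigma source) that applies the conditions described above to constructed Event ID 5145 records; the field names mirror the event's EventData, and the sample values are assumptions.

```python
"""Detection logic for the 'Possible Impacket SecretDump Remote Activity' pattern
(Event ID 5145, ADMIN$ share, .tmp object under SYSTEM32), applied to constructed
sample events. Added illustration, not the rule's own source."""

ADMIN_SHARE_SUFFIX = "admin$"
TARGET_DIR = "system32\\"
TARGET_EXT = ".tmp"


def is_secretdump_pattern(event: dict) -> bool:
    """True when a Security event matches the page's pattern: a 5145 share-object
    access to ADMIN$ for a .tmp file under SYSTEM32. Comparisons are
    case-insensitive, mirroring Sigma's default string matching."""
    if event.get("EventID") != 5145:
        return False
    share = str(event.get("ShareName", "")).lower()
    target = str(event.get("RelativeTargetName", "")).lower()
    return (share.endswith(ADMIN_SHARE_SUFFIX)
            and TARGET_DIR in target
            and target.endswith(TARGET_EXT))


def find_matches(events):
    """Return (source IP, account, target) tuples for every matching event;
    these are the fields an analyst pivots on during triage."""
    return [(e.get("IpAddress"), e.get("SubjectUserName"), e.get("RelativeTargetName"))
            for e in events if is_secretdump_pattern(e)]


# Constructed sample events (not real telemetry); field names follow 5145 EventData.
SAMPLE_EVENTS = [
    {"EventID": 5145, "ShareName": "\\\\*\\ADMIN$",          # matches the pattern
     "RelativeTargetName": "SYSTEM32\\xaBcDeFg.tmp",
     "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.5"},
    {"EventID": 5145, "ShareName": "\\\\*\\ADMIN$",          # not a .tmp object
     "RelativeTargetName": "SYSTEM32\\winevt\\Logs\\Security.evtx",
     "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.5"},
    {"EventID": 5145, "ShareName": "\\\\*\\C$",              # different share, out of scope
     "RelativeTargetName": "Windows\\SYSTEM32\\update.tmp",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.0.9"},
    {"EventID": 5140, "ShareName": "\\\\*\\ADMIN$",          # share access, not object access
     "RelativeTargetName": "SYSTEM32\\xaBcDeFg.tmp",
     "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.5"},
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT Impacket SecretDump pattern:", hit)
```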
Categories
  • Windows
  • Network
  • On-Premise
Data Sources
  • Windows Registry
  • File
  • Network Traffic
  • Logon Session
  • Process
Created: 2019-04-03