
Access To Windows DPAPI Master Keys By Uncommon Applications

Summary
This rule detects access to the Windows Data Protection API (DPAPI) master keys by applications that are not normally associated with such access. The detection matters because an uncommon application reading DPAPI master keys is a strong indicator of credential theft, for example by Mimikatz's 'dpapi::masterkey' module. The rule looks for file access requests to the DPAPI-specific folders under the Microsoft\Protect path and flags those initiated by an application whose image resides outside the standard system directories for further analysis. This gives security teams an early signal to identify and respond to attacks that abuse the DPAPI OS functionality to recover users' credentials.
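The detection logic described above, as an added stand-alone example (not the rule's own YAML or the project's code) run over constructed file-access events. The Sigma-style field names `Image` and `TargetFilename`, the master key folder markers and the trusted system directory list are assumptions modelled on the summary, not copied from the rule.

```python
from typing import Iterable

# DPAPI master keys live under the user's roaming profile and, for the SYSTEM
# account, under System32. Assumption: these are the "Microsoft protect"
# folders the rule scans for (lower-case substrings for matching).
MASTERKEY_PATH_MARKERS = (
    "\\appdata\\roaming\\microsoft\\protect\\",
    "\\windows\\system32\\microsoft\\protect\\",
)

# Standard system directories: access from binaries here (lsass.exe and the
# DPAPI service hosts) is expected and is filtered out rather than alerted on.
TRUSTED_IMAGE_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)

def _norm(path: str) -> str:
    """Lower-case and unify separators so prefix/substring checks are robust."""
    return path.replace("/", "\\").lower()

def is_uncommon_dpapi_access(event: dict) -> bool:
    """True when a binary outside the trusted dirs touches a master key folder."""
    target = _norm(event.get("TargetFilename", ""))
    image = _norm(event.get("Image", ""))
    touches_masterkeys = any(m in target for m in MASTERKEY_PATH_MARKERS)
    from_trusted_dir = image.startswith(TRUSTED_IMAGE_PREFIXES)
    return touches_masterkeys and not from_trusted_dir

def detect(events: Iterable[dict]) -> list:
    """Return the events the rule would flag, in input order."""
    return [e for e in events if is_uncommon_dpapi_access(e)]

# Constructed sample file-access events (not real telemetry); the SID and the
# GUID-style key names are placeholders.
USER_KEY = ("C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Protect\\"
            "S-1-5-21-1111-2222-3333-1001\\4f2c1e0a-0000-0000-0000-000000000001")
SYSTEM_KEY = ("C:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\User\\"
              "4f2c1e0a-0000-0000-0000-000000000002")
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\lsass.exe", "TargetFilename": USER_KEY},
    {"EventID": 2, "Image": "C:\\Users\\alice\\Downloads\\tool.exe", "TargetFilename": USER_KEY},
    {"EventID": 3, "Image": "C:\\Temp\\backup.exe", "TargetFilename": SYSTEM_KEY},
    {"EventID": 4, "Image": "C:\\Temp\\backup.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx"},
]

for hit in detect(SAMPLE_EVENTS):
    print(f"ALERT event {hit['EventID']}: {hit['Image']} -> {hit['TargetFilename']}")
```

Events 2 and 3 are flagged: a non-system binary reading a user's and the SYSTEM account's master key folder, while lsass.exe (event 1) and an ordinary document read (event 4) pass the filter.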
Categories
  • Windows
  • Endpoint
Data Sources
  • File
Created: 2022-10-17